
Thread: Virtumonde removed...hopefully

  1. #1
    Junior Member
    Join Date
    Jan 2009
    Posts
    1

    Virtumonde removed...hopefully

    I performed a ComboFix scan and it seemed to rid my comp of Vundo and maybe some SmitFraud. Can someone help me to review the log?

    ComboFix 09-01-31.01 - matthew 2009-01-31 15:20:06.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.812 [GMT -5:00]
    Running from: c:\documents and settings\matthew\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\_000008_.tmp.dll
    c:\windows\system32\404Fix.exe
    c:\windows\system32\998.exe
    c:\windows\system32\Agent.OMZ.Fix.exe
    c:\windows\system32\ahtn.htm
    c:\windows\system32\cvjxsyai.ini
    c:\windows\system32\drivers\seneka.sys
    c:\windows\system32\drivers\senekaexcpacvp.sys
    c:\windows\system32\dumphive.exe
    c:\windows\system32\frmwrk32.exe
    c:\windows\system32\IEDFix.C.exe
    c:\windows\system32\IEDFix.exe
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\ntdll64.exe
    c:\windows\system32\o4Patch.exe
    c:\windows\system32\Process.exe
    c:\windows\system32\senekakdlicybo.dll
    c:\windows\system32\senekalog.dat
    c:\windows\system32\senekarulhrqak.dll
    c:\windows\system32\senekavbrrnvxj.dat
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\test.ttt
    c:\windows\system32\tmp.reg
    c:\windows\system32\uniq.tll
    c:\windows\system32\VACFix.exe
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\warning.gif
    c:\windows\system32\win32hlp.cnf
    c:\windows\system32\WS2Fix.exe
    c:\windows\Tasks\uucvxyjr.job

    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\i386\userinit.exe


    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SENEKA
    -------\Legacy_TNIDRIVER
    -------\Service_TnIDriver


    ((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
    .

    2009-01-26 21:43 . 2009-01-26 21:43 <DIR> d-------- C:\jcreator
    2009-01-26 21:23 . 2009-01-26 21:23 <DIR> d-------- c:\documents and settings\matthew\Application Data\JCreator
    2009-01-26 21:23 . 2009-01-26 21:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\JCreator
    2009-01-26 21:21 . 2009-01-26 21:43 <DIR> d-------- c:\program files\Xinox Software
    2009-01-26 16:41 . 2009-01-26 16:41 <DIR> d-------- c:\program files\Sun
    2009-01-22 20:03 . 2009-01-28 11:44 54,156 --ah----- c:\windows\QTFont.qfn
    2009-01-22 20:03 . 2009-01-22 20:03 1,409 --a------ c:\windows\QTFont.for
    2009-01-22 15:15 . 2009-01-22 15:15 133,120 --a------ c:\windows\ozohaxov.dll
    2009-01-21 23:31 . 2009-01-21 23:31 <DIR> d-------- c:\documents and settings\matthew\Application Data\QuosaDDM
    2009-01-21 17:38 . 2009-01-21 17:38 0 --a------ c:\windows\VPC32.INI
    2009-01-21 16:16 . 2009-01-31 15:27 <DIR> d-------- c:\program files\Symantec AntiVirus
    2009-01-21 16:16 . 2004-03-04 23:46 83,168 --a------ c:\windows\system32\S32EVNT1.DLL
    2009-01-21 16:16 . 2004-03-04 23:46 82,832 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
    2009-01-21 15:06 . 2009-01-21 15:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
    2009-01-20 17:19 . 2009-01-21 15:14 <DIR> d-------- C:\norton
    2009-01-19 23:21 . 2009-01-19 23:21 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01000_Coinstaller_Critical.Wdf
    2009-01-19 23:21 . 2009-01-19 23:21 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
    2009-01-19 23:20 . 2006-03-09 09:58 1,060,424 --a------ c:\windows\system32\WdfCoInstaller01000.dll
    2009-01-19 23:20 . 2007-12-06 18:12 110,592 --a------ c:\windows\system32\SynTPCo4.dll
    2009-01-19 23:10 . 2009-01-20 16:04 <DIR> d-------- c:\windows\system32\CatRoot_bak
    2009-01-19 23:10 . 2008-06-13 08:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
    2009-01-19 23:08 . 2008-08-14 04:57 2,185,984 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2009-01-19 23:08 . 2008-08-14 04:55 2,142,720 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-01-19 23:08 . 2008-08-14 04:18 2,062,976 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-01-19 23:08 . 2008-08-14 04:18 2,020,864 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2009-01-19 23:05 . 2008-10-24 06:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2009-01-19 22:46 . 2005-12-13 16:40 135,168 --a------ c:\windows\system32\igfxres.dll
    2009-01-19 22:31 . 2004-08-04 05:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
    2009-01-19 22:30 . 2004-08-04 05:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
    2009-01-19 22:29 . 2004-08-04 05:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
    2009-01-19 22:28 . 2004-08-04 05:00 829,440 --a--c--- c:\windows\system32\dllcache\inetmgr.dll
    2009-01-19 22:25 . 2009-01-19 22:25 749 -rah----- c:\windows\WindowsShell.Manifest
    2009-01-19 22:25 . 2009-01-19 22:25 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
    2009-01-19 22:25 . 2009-01-19 22:25 749 -rah----- c:\windows\system32\sapi.cpl.manifest
    2009-01-19 22:25 . 2009-01-19 22:25 749 -rah----- c:\windows\system32\nwc.cpl.manifest
    2009-01-19 22:25 . 2009-01-19 22:25 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
    2009-01-19 22:25 . 2009-01-19 22:25 488 -rah----- c:\windows\system32\logonui.exe.manifest
    2009-01-19 22:24 . 2004-08-04 05:00 214,528 --a--c--- c:\windows\system32\dllcache\icwconn1.exe
    2009-01-19 22:24 . 2004-08-04 05:00 86,016 --a--c--- c:\windows\system32\dllcache\icwconn2.exe
    2009-01-19 22:24 . 2004-08-04 05:00 32,768 --a--c--- c:\windows\system32\dllcache\icwdl.dll
    2009-01-19 22:24 . 2004-08-04 05:00 20,480 --a--c--- c:\windows\system32\dllcache\inetwiz.exe
    2009-01-19 22:24 . 2004-08-04 05:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
    2009-01-19 16:18 . 2009-01-19 16:18 <DIR> d-------- c:\windows\dell
    2009-01-17 21:29 . 2009-01-17 21:35 1,893 --a------ c:\windows\bcmwltrytmp.reg
    2009-01-17 20:21 . 2009-01-17 20:21 3,706 --a------ c:\windows\setupapi.old
    2009-01-16 15:46 . 2009-01-16 15:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-01-15 22:40 . 2009-01-15 22:40 <DIR> d-------- c:\documents and settings\matthew\Application Data\SUPERAntiSpyware.com
    2009-01-15 22:24 . 2009-01-15 22:24 <DIR> d-------- c:\program files\CCleaner
    2009-01-15 19:17 . 2009-01-15 19:33 <DIR> d-------- c:\program files\Windows Live Safety Center
    2009-01-15 19:01 . 2009-01-15 19:01 <DIR> d-------- c:\program files\Alwil Software
    2009-01-14 23:23 . 2009-01-14 23:23 <DIR> d-------- c:\windows\system32\xp2
    2009-01-14 23:23 . 2009-01-15 00:13 <DIR> d-------- c:\windows\system32\pnUZ
    2009-01-14 23:23 . 2009-01-14 23:23 <DIR> d-------- c:\temp\tmp90
    2009-01-14 23:13 . 2009-01-31 15:24 1,104 --a------ c:\windows\ogivnsip
    2009-01-07 23:05 . 2009-01-07 23:06 <DIR> d-------- c:\program files\Pidgin
    2009-01-03 11:39 . 2009-01-03 11:38 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-10 17:32 . 2009-01-20 17:19 <DIR> d-------- c:\program files\Mozilla Firefox 3.1 Beta 2

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-31 20:11 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-01-31 20:11 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-01-31 19:57 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 4
    2009-01-31 19:20 --------- d-----w c:\documents and settings\matthew\Application Data\.purple
    2009-01-30 03:52 --------- d-----w c:\documents and settings\matthew\Application Data\gtk-2.0
    2009-01-28 02:50 --------- d-----w c:\documents and settings\matthew\Application Data\Move Networks
    2009-01-27 01:32 --------- d-----w c:\program files\Java
    2009-01-21 21:17 --------- d-----w c:\program files\Symantec
    2009-01-21 21:17 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-21 21:16 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2009-01-18 03:38 --------- d-----w c:\program files\McAfee.com
    2009-01-18 03:38 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-01-16 03:40 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-01-16 01:22 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-13 21:29 --------- d-----w c:\program files\Google
    2009-01-12 21:25 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
    2009-01-08 04:05 --------- d-----w c:\program files\Common Files\GTK
    2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
    2008-12-02 03:49 --------- d-----w c:\program files\DivX
    2008-10-04 19:42 0 ----a-w c:\documents and settings\matthew\Application Data\wklnhst.dat
    2006-10-25 00:09 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-23 185872]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
    "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
    "Xqitayotevokom"="c:\windows\ozohaxov.dll" [2009-01-22 133120]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 c:\windows\KHALMNPR.Exe]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 c:\windows\KHALMNPR.Exe]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-09-21 24576]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-09-27 671744]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3bkxx.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Nortel\\IP Softphone 2050\\i2050.exe"=
    "c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=
    "c:\\Program Files\\123CopyDVDGold\\123CopyDVD\\123CopyDVD.exe"=
    "c:\\Program Files\\123CopyDVDGold\\123Movies2PSP\\123Movies2PSP.exe"=
    "c:\\Program Files\\123CopyDVDGold\\123Movies2IPOD\\123Movies2IPOD.exe"=
    "c:\\Program Files\\123Movies2PSP\\123Movies2PSP.exe"=
    "c:\\Program Files\\123CopyDVD Gold\\123CopyDVD.exe"=
    "c:\\Program Files\\123CopyDVD Gold\\123Movies2Portable.exe"=
    "c:\\Program Files\\Pidgin\\pidgin.exe"=
    "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Mozilla Firefox 3 Beta 4\\firefox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\matthew\\Desktop\\Halo\\Halo.exe"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Mozilla Firefox 3.1 Beta 2\\firefox.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4899:TCP"= 4899:TCP:systerm

    R4 i2050QoSSvc;Nortel IP Softphone 2050 QoS;c:\program files\Nortel\IP Softphone 2050\i2050QosSvc.exe [2006-01-19 94208]
    R4 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-09-27 3712]
    S0 ati3bkxx;ati3bkxx;c:\windows\system32\Drivers\ati3bkxx.sys --> c:\windows\system32\Drivers\ati3bkxx.sys [?]
    S0 ogivnsip;ogivnsip;c:\windows\system32\drivers\usfgngsn.sys []
    S1 imapii;imapii;c:\windows\system32\drivers\imapii.sys --> c:\windows\system32\drivers\imapii.sys [?]
    S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
    S4 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2006-09-21 26488]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-26 24652]
    S4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-02-19 106496]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3046bc6d-7ebd-11dd-a708-0016cffd9282}]
    \Shell\AutoRun\command - G:\WDSetup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{723a20c8-71fb-11dd-a6ed-0016cffd9282}]
    \Shell\AutoRun\command - f:\wd_windows_tools\Setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e17ecb8e-b4f3-11dd-a755-0016cffd9282}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{24CFC443-A856-4D14-B4F4-B4C5D639B3C8} - c:\windows\system32\opnkkiFy.dll
    HKLM-Run-pkqyqam - c:\windows\system32\pkqyqam.exe
    HKLM-Run-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
    HKLM-Run-Vfacikav - c:\windows\Ihiza.dll
    Notify-pmnkKbcB - pmnkKbcB.dll


    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - hxxp://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    FF - ProfilePath - c:\documents and settings\matthew\Application Data\Mozilla\Firefox\Profiles\cz1wtqex.default\
    FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?auth=DQAAAG4AAAB5mFEJvUnPOqjCVLgwJb8w7TBP7sdEz8nStt5EC_YFAt34l5FxlryKK32y9_nZ-8yIGUbmqcejNrg0Nz0V3oQWeNhpBEQ581vRylSz3W7m1txKgHnxMVEXPbf8ephxYxrgjP3vPsMk98YpSbxbqwsE&zx=1oslomljjjkwq
    FF - plugin: c:\documents and settings\matthew\Application Data\Mozilla\Firefox\Profiles\cz1wtqex.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-31 15:27:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\system32\drivers\usfgngsn.sys 25088 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-315157010-2508857612-2295585215-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{91105896-B5B6-A2CC-4332-3902A2E7544B}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "gadgkgpgieadjb"=hex:63,61,66,63,69,70,00,00
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1032)
    c:\windows\System32\BCMLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
    c:\program files\Common Files\Logitech\khalshared\KHALMNPR.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-31 15:33:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-31 20:33:25

    Pre-Run: 66,361,335,808 bytes free
    Post-Run: 65,592,033,280 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    294 --- E O F --- 2009-01-20 04:30:33

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello dolphindolphin

    Welcome to Safer Networking.

    Please read Before You Post
    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

    The Stickies in Before You Post (right above where you posted this) are put there for a reason; you need to read them, please.

    ComboFix is an extremely powerful tool and should only be run under the direction of a forum helper. This forum, myself and sUbs will not be responsible if you run this on your own and damage your system.

    Download Trend Micro's HijackThis to your desktop.
    • Double click it to install.
    • Follow the prompts; by default it will install in C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe
    • Open HJT, Scan and Save a Log File; it will open in Notepad.
    • Go to Format and make sure Wordwrap is unchecked.
    • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply, not by starting a new thread.

    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Due to inactivity, this thread will now be closed.

    Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
