-
win32.agent.pz help
recently i got hacked from my account in world of warcraft.so i put a windows xp again and deleted everything from the one i had before.
i did the scan but for this win32.agent.pz
here is results
--- Search result list ---
Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
Win32.Agent.pz: [SBI $0F1C75F7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-03-18 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-22 Includes\Adware.sbi (*)
2009-03-10 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-03-10 Includes\Dialer.sbi (*)
2009-03-10 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-02-10 Includes\Hijackers.sbi (*)
2009-03-03 Includes\HijackersC.sbi (*)
2009-03-10 Includes\Keyloggers.sbi (*)
2009-03-10 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-03-03 Includes\Malware.sbi (*)
2009-03-10 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-03-09 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-02-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-01-28 Includes\Spyware.sbi (*)
2009-01-28 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-03-10 Includes\Trojans.sbi (*)
2009-03-10 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows XP: Security Update for Windows XP (KB941569)
--- Startup entries list ---
Located: HK_LM:Run, 36X Raid Configurer
command: C:\WINDOWS\system32\xRaidSetup.exe boot
file: C:\WINDOWS\system32\xRaidSetup.exe
size: 1953792
MD5: 703379685E86F23057B0E8DBED982945
Located: HK_LM:Run, Alcmtr
command: ALCMTR.EXE
file: C:\WINDOWS\ALCMTR.EXE
size: 69632
MD5: 8B4CBBA1EA526830C7F97E7822E2493A
Located: HK_LM:Run, AVG8_TRAY
command: C:\PROGRA~1\AVG\AVG8\avgtray.exe
file: C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 1932568
MD5: CB0BC853D84A61457AA9DB16C46DA07E
Located: HK_LM:Run, Email Protection
command: C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE
file: C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE
size: 275832
MD5: 394251E074BFF9AA2B0A357C7EA29D60
Located: HK_LM:Run, JMB36X IDE Setup
command: C:\WINDOWS\RaidTool\xInsIDE.exe
file: C:\WINDOWS\RaidTool\xInsIDE.exe
size: 36864
MD5: DB4E2D9C09A5762CB2551222B5E443B2
Located: HK_LM:Run, Messenger
command: C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE
file: C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE
size: 116088
MD5: 416D58FF667F7E2051C75A7DED32F97C
Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\NvCpl.dll
size: 13680640
MD5: DEAC9939D9EDE2FE3664972E5473BC72
Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
file: C:\WINDOWS\system32\NvMcTray.dll
size: 86016
MD5: CC855D26A86A0CD29DDE10B07E895D74
Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 1657376
MD5: 87AEF2E96277C23B23685E34A30CEA08
Located: HK_LM:Run, On-Line Protection
command: C:\PROGRA~1\QUICKH~1\QUICKH~1\CATEYE.EXE
file: C:\PROGRA~1\QUICKH~1\QUICKH~1\CATEYE.EXE
size: 206200
MD5: 69BBC62B9D30A9E2695F08AF3A38F3ED
Located: HK_LM:Run, RTHDCPL
command: RTHDCPL.EXE
file: C:\WINDOWS\RTHDCPL.EXE
size: 16844800
MD5: 074FAE0B816FBA78F667B116303D31EB
Located: HK_LM:Run, SmartGuardian
command: C:\Program Files\ITE\Smart Guardian\ITESMART.exe
file: C:\Program Files\ITE\Smart Guardian\ITESMART.exe
size: 196608
MD5: C27E0CABC1174DC09D267DB99C77CF36
Located: HK_LM:Run, Startup Scan
command: C:\PROGRA~1\QUICKH~1\QUICKH~1\sensor.exe /loadrun
file: C:\PROGRA~1\QUICKH~1\QUICKH~1\sensor.exe
size: 144760
MD5: 894611CD2A8E530D02B3AE1CF84F1E25
Located: HK_LM:Run, Update Scheduler
command: C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE /CHECK
file: C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE
size: 95608
MD5: 16B9104E069D93C225062953DB43C9DB
Located: HK_LM:RunOnce, Startup Scan
command: C:\PROGRA~1\QUICKH~1\QUICKH~1\sensor.exe /check
file: C:\PROGRA~1\QUICKH~1\QUICKH~1\sensor.exe
size: 144760
MD5: 894611CD2A8E530D02B3AE1CF84F1E25
Located: HK_CU:Run, Spyware Doctor
where: .DEFAULT...
command: "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
file: C:\Program Files\Spyware Doctor\swdoctor.exe
size: 1992928
MD5: 77E67D0857B21573C1A79C05C9C761F3
Located: HK_CU:RunOnce, nltide_3
where: .DEFAULT...
command: rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
file: C:\WINDOWS\system32\advpack.dll
size: 123904
MD5: F9D975BD4E56B05795A56ABB7829D3A3
Located: HK_CU:RunOnce, nltide_3
where: S-1-5-19...
command: rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
file: C:\WINDOWS\system32\advpack.dll
size: 123904
MD5: F9D975BD4E56B05795A56ABB7829D3A3
Located: HK_CU:RunOnce, nltide_3
where: S-1-5-20...
command: rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
file: C:\WINDOWS\system32\advpack.dll
size: 123904
MD5: F9D975BD4E56B05795A56ABB7829D3A3
Located: HK_CU:Run, AWMON
where: S-1-5-21-1482476501-1979792683-1801674531-500...
command: "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
file: C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
size: 517632
MD5: 107AF2DE3AF10D6D09C1B36FE9EF9156
Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1482476501-1979792683-1801674531-500...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 49B33E2B875ABE592C81F0D679858DE0
Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1482476501-1979792683-1801674531-500...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887
Located: HK_CU:Run, Spyware Doctor
where: S-1-5-21-1482476501-1979792683-1801674531-500...
command: "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
file: C:\Program Files\Spyware Doctor\swdoctor.exe
size: 1992928
MD5: 77E67D0857B21573C1A79C05C9C761F3
Located: HK_CU:Run, Spyware Doctor
where: S-1-5-18...
command: "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
file: C:\Program Files\Spyware Doctor\swdoctor.exe
size: 1992928
MD5: 77E67D0857B21573C1A79C05C9C761F3
Located: HK_CU:RunOnce, nltide_3
where: S-1-5-18...
command: rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
file: C:\WINDOWS\system32\advpack.dll
size: 123904
MD5: F9D975BD4E56B05795A56ABB7829D3A3
Located: Startup (common), Adobe Reader Speed Launch.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362B96870CE8649F4F2EC893DA93F0
Located: WinLogon, avgrsstarter
command: avgrsstx.dll
file: avgrsstx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
here are the results
ComboFix 09-03-15.01 - Administrator 2009-03-19 12:45:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2295 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: Quick Heal 9.50 *On-access scanning enabled* (Outdated)
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
.
((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.
2009-03-19 12:06 . 2009-03-19 12:06 0 --a------ c:\windows\system32\Sweeper.cfg
2009-03-18 22:43 . 2009-03-18 22:43 0 --a------ c:\windows\nsreg.dat
2009-03-18 22:38 . 2009-03-18 22:43 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-18 22:37 . 2009-03-18 22:43 <DIR> d-------- c:\program files\SpywareBlaster
2009-03-18 22:35 . 2009-03-18 22:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-18 22:35 . 2009-03-18 22:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-18 22:22 . 2009-03-18 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2009-03-18 22:21 . 2009-03-18 22:23 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-03-18 22:07 . 2009-03-19 00:32 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-18 22:07 . 2009-03-18 22:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\PC Tools
2009-03-18 22:07 . 2005-12-13 15:18 50,048 --a------ c:\windows\system32\drivers\ikhlayer.sys
2009-03-18 22:06 . 2009-03-18 22:06 <DIR> d-------- c:\program files\Lavasoft
2009-03-18 22:06 . 2009-03-18 22:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-03-18 22:01 . 2009-03-18 22:01 674,816 --a------ c:\windows\isRS-000.tmp
2009-03-18 22:01 . 2009-03-18 22:00 39,672 --a------ c:\windows\system32\drivers\ONLINENT.SYS
2009-03-18 22:01 . 2009-03-18 22:00 19,960 --a------ c:\windows\system32\drivers\SCREENNT.SYS
2009-03-18 22:01 . 2009-03-18 22:00 12,160 --a------ c:\windows\system32\drivers\EMLTDI.SYS
2009-03-18 22:01 . 2009-03-18 22:01 28 --a------ c:\windows\ODBC.INI
2009-03-18 22:01 . 2009-03-18 22:01 0 --a------ c:\windows\sensor.INI
2009-03-18 22:01 . 2009-03-18 22:01 0 --a------ c:\windows\hqstat.mtl
2009-03-18 22:01 . 2009-03-18 22:01 0 --a------ c:\windows\hqstat.mnt
2009-03-18 22:00 . 2009-03-18 22:00 <DIR> d-------- c:\program files\Quick Heal
2009-03-18 22:00 . 2009-03-18 22:01 87 --a------ c:\windows\QH32.INI
2009-03-18 21:40 . 2009-03-19 12:46 8,253,472 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-03-18 21:40 . 2008-07-08 14:54 148,496 --a------ c:\windows\system32\drivers\00313835.sys
2009-03-18 21:40 . 2009-03-19 00:33 88,940 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-03-18 21:36 . 2009-03-19 12:19 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-18 21:34 . 2009-03-19 12:08 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-18 21:34 . 2009-03-18 21:34 <DIR> d-------- c:\program files\AVG
2009-03-18 21:34 . 2009-03-18 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-18 21:34 . 2009-03-18 21:34 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-18 21:34 . 2009-03-18 21:34 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-18 21:34 . 2009-03-18 21:34 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-03-18 21:34 . 2009-03-18 21:34 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-18 21:32 . 2009-03-18 21:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-03-18 21:01 . 2009-03-18 21:01 <DIR> d-------- c:\program files\Marvell
2009-03-18 20:58 . 2009-03-18 20:58 <DIR> d-------- c:\windows\system32\Lang
2009-03-18 20:58 . 2009-03-18 20:58 940,794 --a------ c:\windows\system32\LoopyMusic.wav
2009-03-18 20:58 . 2009-03-18 20:58 146,650 --a------ c:\windows\system32\BuzzingBee.wav
2009-03-18 20:56 . 2009-03-18 20:56 <DIR> d-------- c:\windows\nview
2009-03-18 20:56 . 2009-03-18 20:56 <DIR> d-------- C:\NVIDIA
2009-03-18 20:56 . 2009-02-16 23:17 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2009-03-18 20:56 . 2009-02-18 14:44 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-03-18 20:56 . 2009-03-19 12:07 212,641 --a------ c:\windows\system32\nvapps.xml
2009-03-18 20:56 . 2009-02-18 14:44 19,021 --a------ c:\windows\system32\nvdisp.nvu
2009-03-18 20:55 . 2009-03-18 20:55 <DIR> d-------- c:\program files\Realtek
2009-03-18 20:54 . 2009-03-18 20:54 <DIR> d-------- c:\windows\RaidTool
2009-03-18 20:54 . 2009-03-18 20:54 <DIR> d-------- C:\RaidTool
2009-03-18 20:54 . 2007-05-07 16:06 1,953,792 -ra------ c:\windows\system32\xRaidSetup.exe
2009-03-18 20:54 . 2007-05-07 15:53 143,360 -ra------ c:\windows\system32\xRaidAPI.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 20:57 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-18 20:55 315,392 ----a-w c:\windows\HideWin.exe
2009-03-18 20:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-18 13:14 --------- d-----w c:\program files\ITE
2009-03-18 13:13 --------- d-----w c:\program files\Common Files\Adobe
2009-03-18 13:11 --------- d-----w c:\program files\Intel
2009-03-18 13:07 --------- d-----w c:\program files\Windows Media Connect 2
2009-03-18 13:05 62,633 ----a-w c:\windows\prio197uninstall.exe
2009-03-18 13:05 --------- d-----w c:\program files\Opera
.
------- Sigcheck -------
2008-05-03 12:00 361344 37d8387cbd4437c55f454209be10ef11 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-05-03 15360]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2006-02-06 1992928]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"AWMON"="c:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 517632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartGuardian"="c:\program files\ITE\Smart Guardian\ITESMART.exe" [2006-01-18 196608]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-07 1953792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-18 1932568]
"Email Protection"="c:\progra~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE" [2009-03-18 275832]
"Update Scheduler"="c:\progra~1\QUICKH~1\QUICKH~1\UPSCHD.EXE" [2009-03-18 95608]
"On-Line Protection"="c:\progra~1\QUICKH~1\QUICKH~1\CATEYE.EXE" [2009-03-18 206200]
"Startup Scan"="c:\progra~1\QUICKH~1\QUICKH~1\sensor.exe" [2009-03-18 144760]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2009-02-18 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2006-02-06 1992928]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-08-13 c:\windows\system32\advpack.dll]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-18 21:34 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=prio.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-03-18 12552]
R0 ScreenNT;ScreenNT;c:\windows\system32\drivers\SCREENNT.SYS [2009-03-18 19960]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-18 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-18 107912]
R1 is-RGAHJdrv;is-RGAHJdrv;c:\windows\system32\drivers\00313835.sys [2009-03-18 21:40:25 148496]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-18 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-18 298264]
R2 EMLSS;EMLSS;c:\windows\system32\drivers\EMLTDI.SYS [2009-03-18 12160]
R2 OnlineNT;OnlineNT;c:\progra~1\QUICKH~1\QUICKH~1\ONLINENT.SYS [2009-03-18 39672]
R2 Quick Heal AntiVirus Plus Mail Protection;Quick Heal AntiVirus Plus Mail Protection;c:\progra~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE [2009-03-18 50552]
R2 Quick Update Service;Quick Update Service;c:\progra~1\QUICKH~1\QUICKH~1\quhlpsvc.exe [2009-03-18 58744]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - IKHLAYER
*NewlyCreated* - SR
*NewlyCreated* - SRSERVICE
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5y5ef5u6.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-19 12:46:19
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\prio.dll
c:\program files\Spyware Doctor\Tools\swpg.dat
- - - - - - - > 'lsass.exe'(816)
c:\windows\system32\prio.dll
c:\program files\Spyware Doctor\Tools\swpg.dat
- - - - - - - > 'csrss.exe'(732)
c:\program files\Spyware Doctor\Tools\swpg.dat
.
Completion time: 2009-03-19 12:47:19
ComboFix-quarantined-files.txt 2009-03-19 12:47:16
Pre-Run: 312,973,623,296 bytes free
Post-Run: 312,975,921,152 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
207
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
