virtumonde--still there

Win32/Adware.Virtumonde.FP application
C:\QooBox\Quarantine\catchme2007-1230_102617.15.zip>ZIP>mllmn.dll

Win32/Adware.Virtumonde.FP application
C:\QooBox\Quarantine\catchme2007-1230_102617.15.zip
 
ESET log

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2766 (20080104)
# vers_arch_module=1.060 (20071228)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=a7f08374f2c31948b3fc055621eb1d66
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-01-05 06:45:33
# local_time=2008-01-05 12:45:33 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=499771
# found=2
# scan_time=4841
C:\QooBox\Quarantine\catchme2007-12-30_102617.15.zip Win32/Adware.Virtumonde.FP application 9F0BAA88099723C5BA614737C5B7FC47
C:\QooBox\Quarantine\catchme2007-12-30_102617.15.zip »ZIP »mllmn.dll Win32/Adware.Virtumonde.FP application 00000000000000000000000000000000
 
Hello,

Again, drag ComboFix to the trash; a new version was just posted. What you want to do is shut down any anti-spyware or anti-virus programs from running.

I am looking at Ad-Aware and Kaspersky.

You need to disable Ad-Watch in Ad-Aware SE Personal, as it can stop our fix.

To disable Ad-Watch:
  • Open Ad-Aware SE Personal.
  • Go to the Ad-Watch User Interface.
  • Go to Tools and Preferences.
  • At the bottom of the screen you will see 2 options:
  • Active: This will turn Ad-Watch on/off without closing it.
  • Automatic: Suspicious activity will be blocked automatically.
  • Uncheck both options.
You should enable these again after resolving your problem.

You should be able to right-click on Kaspersky in the System Tray and shut it down or disable it.


C:\QooBox <-- Delete this folder


Download ComboFix from Here or Here to your Desktop.
Check the version number; it should be 08-01-05.8.



Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above RenV::

File::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\nscdapyd.ini

Folder::
C:\VundoFix Backups

RenV::
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
------w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe

Save this as CFScript to your Desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
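As an added example, not part of the thread and not ComboFix's own tooling: a small Python parser for the CFScript layout used above (File::, Folder:: and RenV:: sections). For the RenV:: entries it splits out the attribute string, size, timestamp and path, and recovers the file name each entry would have without the stray space in front of the extension ("QTTask .exe", "ctfmon .exe"), which is the feature both lines share and the reason they are worth a second look. The field order of a RenV:: line (attributes, size, date, time, path) is inferred from the two lines posted and is an assumption; the sample input is a constructed copy of that script.

```python
"""Parse a ComboFix-style CFScript and flag file names with whitespace before
the extension. Constructed sample input; RenV:: field order is assumed from the
two lines posted in the thread, not taken from any ComboFix documentation."""
import re
from collections import OrderedDict

# Constructed copy of the script posted above (assumption: this is the full layout).
SAMPLE_CFSCRIPT = """File::
C:\\WINDOWS\\imsins.BAK
C:\\WINDOWS\\system32\\nscdapyd.ini

Folder::
C:\\VundoFix Backups

RenV::
----a-w 286,720 2007-12-25 19:45:49 C:\\Program Files\\QuickTime\\QTTask .exe
------w 15,360 2007-12-30 16:08:50 C:\\WINDOWS\\system32\\ctfmon .exe
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# attributes, size with thousands separators, date, time, then a path that may contain spaces
RENV_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)
# whitespace between the base name and the extension, e.g. "ctfmon .exe"
STRAY_SPACE_RE = re.compile(r"^(?P<stem>.*?\S)\s+(?P<ext>\.[A-Za-z0-9]+)$")


def parse_cfscript(text):
    """Return {section: [entry line, ...]} in file order; blank lines are skipped."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        sections[current].append(line)
    return sections


def clean_name(name):
    """Remove whitespace sitting between the stem and the extension, if any."""
    m = STRAY_SPACE_RE.match(name)
    return m.group("stem") + m.group("ext") if m else name


def parse_renv_entry(line):
    """Split one RenV:: line into fields and compute the whitespace-free path."""
    m = RENV_RE.match(line)
    if not m:
        raise ValueError("unrecognised RenV line: %r" % line)
    path = m.group("path")
    name = path.rsplit("\\", 1)[-1]
    directory = path[: len(path) - len(name)]
    fixed = clean_name(name)
    return {
        "attrs": m.group("attrs"),
        "size": int(m.group("size").replace(",", "")),
        "timestamp": m.group("date") + " " + m.group("time"),
        "path": path,
        "name": name,
        "clean_path": directory + fixed,
        "stray_space": fixed != name,
    }


def flag_stray_space_names(paths):
    """Return the paths whose file name carries whitespace before the extension.
    Useful over the paths in a ComboFix 'Files Created' listing as well."""
    flagged = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        if clean_name(name) != name:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    script = parse_cfscript(SAMPLE_CFSCRIPT)
    for entry in script.get("RenV", []):
        info = parse_renv_entry(entry)
        print("%-45s -> %s" % (info["path"], info["clean_path"]))
```

Run it over a saved CFScript to confirm the sections were pasted in the right order (RenV:: last, with nothing above it) before dragging the file onto ComboFix; the `flag_stray_space_names` helper can also be pointed at the paths in a ComboFix "Files Created" listing to spot the same naming trick elsewhere.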
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:07 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\safer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7468 bytes
 
ComboFix 08-01-04.1 - Admin 2008-01-05 15:53:14.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.570 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\nscdapyd.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\nscdapyd.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-05 15:53 . 2007-12-30 10:08 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-05 15:53 . 2007-12-30 10:08 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-05 11:23 . 2008-01-05 12:45 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-04 21:22 . 2007-12-05 14:17 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-01-04 21:21 . 2008-01-04 21:21 <DIR> d-------- C:\Program Files\ATI Technologies
2008-01-04 20:57 . 2008-01-04 20:57 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 15:13 . 2007-12-30 15:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:07 . 2007-12-29 00:07 <DIR> d-------- C:\Deckard
2007-12-28 20:01 . 2007-12-28 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2007-12-26 09:52 . 2007-12-26 10:01 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-26 09:52 . 2007-12-26 10:01 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-26 09:50 . 2007-12-26 09:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-26 09:50 . 2008-01-05 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 09:49 . 2008-01-05 15:58 16,056,352 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 09:49 . 2008-01-05 15:58 103,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-26 09:49 . 2008-01-05 11:08 78,884 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 09:49 . 2008-01-05 11:08 11,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 09:38 . 2007-12-26 09:38 <DIR> d-------- C:\KAV
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\MSECACHE
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 18:15 . 2007-12-23 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Program Files\Comodo
2007-12-23 18:05 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2007-12-23 18:05 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-12-23 18:05 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-12-22 11:21 . 2008-01-04 21:12 381 --a------ C:\WINDOWS\wininit.ini
2007-12-20 11:26 . 2007-12-31 08:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 11:26 . 2007-12-20 11:26 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-18 09:34 . 2007-12-19 17:32 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2007-12-18 09:29 . 2007-12-18 09:34 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 09:25 . 2007-12-18 09:25 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 08:50 . 2007-12-27 08:51 <DIR> d-------- C:\Program Files\LucasArts
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 20:06 . 2007-12-10 20:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 16:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-05 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 03:15 --------- d-----w C:\Program Files\Google
2008-01-05 03:12 --------- d-----w C:\Program Files\Apple Software Update
2008-01-04 02:04 --------- d-----w C:\Program Files\Last.fm
2008-01-03 21:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-01-02 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-31 15:47 --------- d-----w C:\Program Files\Java
2007-12-26 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 23:25 --------- d-----w C:\Program Files\DivX
2007-12-24 01:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 00:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-16 18:08 --------- d-----w C:\Program Files\ShurikSoft
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-12-02 16:56 321 ----a-w C:\license.dat
2007-12-02 16:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\SSH
2007-12-01 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 23:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\NewsBin
2007-11-20 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-20 03:09 --------- d-----w C:\Program Files\Electronic Arts
2007-11-18 21:35 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-18 17:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\EndNote
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 01:39 429 ----a-w C:\0030BD1CDE94__0-741837788253016.dat
2007-11-03 17:38 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-30 23:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 15:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-16 20:05:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

R2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2000-03-29 08:26]
R2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2000-03-29 08:26]
R2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [2000-03-29 08:26]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 08:01]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Admin\Desktop\WINDOW~1\AIRSNO~1.6_W\PEEK5.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 15:59:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 16:00:35
ComboFix-quarantined-files.txt 2008-01-05 22:00:28
ComboFix2.txt 2008-01-05 17:17:39
 
Just FYI, I didn't know Ad-Aware and Kaspersky were running. They were not in my system tray. I downloaded both versions of ComboFix and both were version 4.1.
 
By Jove...you've done it :bigthumb:

C:\Program Files\QuickTime <-- Delete this entire folder; if you use it, just redownload and install it.

If you could sit where I am and see all the new threats coming down the pike, it would make you lose the rest of your hair; some threats are so bad that the only alternative is to reformat and install a fresh copy of Windows. You don't want to do that, do you?

You need to be extremely careful about what you download and the email attachments that you open; you also need to be more careful about the sites you access. Porn and file sharing are disasters waiting to happen.

How is your system running now?
 
Everything is running great. Kaspersky isn't popping up when I get to the desktop. I really did not want to reinstall, but I was afraid I was going to have to go there. I can just imagine how much worse it is going to get. At least we've got people like you and others who are putting up the good fight. Thank you so much for your help!!
 
You're very welcome :bigthumb:

Malware Complaints
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard-earned dollars to buy a computer only to have some miscreants, dirtbags and cyber criminals install a malicious program on your computer without your knowledge or consent? You can post your complaint at the above site. If you live in the U.S.A., you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


Keep in mind if you install some of these programs: only ONE anti-virus and only ONE firewall are recommended; more is overkill and can cause you problems. You can install all the spyware programs I have listed without any problems. If you install SpywareBlaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the malware removal community:
  • Spybot Search and Destroy 1.5
    Check for updates, immunize, and run a full system scan on a regular basis. If you install SpywareBlaster (recommended), then do not enable the TeaTimer in Spybot Search and Destroy.
  • SpywareBlaster: It will prevent most spyware from ever being installed. No scan to run; just update about once a week and enable all protection.
  • SpywareGuard: It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 2.0.0.6: It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
  • ZoneAlarm: Here is a free firewall from Zone Labs; I wouldn't access the internet without it.

Glad we could help

Safe Surfn
Ken
 