  #31  
Old 9th Dec 2008, 18:54
Member Group
 
Hi evilfantasy, here is the ComboFix log:
ComboFix 08-12-07.04 - X80le 2008-12-10 9:39:04.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1115 [GMT 8:00]
Running from: c:\users\X80le\Desktop\ComboFix.exe
Command switches used :: c:\users\X80le\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-10 09:44 . 2008-12-10 09:44 45,056 --a------ c:\windows\System32\acovcnt.exe
2008-12-09 09:16 . 2008-10-17 05:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-12-09 09:16 . 2008-10-17 04:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-12-09 09:16 . 2008-10-17 05:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-12-09 09:16 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-12-09 09:16 . 2008-10-17 04:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-12-09 09:16 . 2008-10-17 05:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-12-09 09:16 . 2008-10-17 05:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-12-09 09:16 . 2008-10-17 05:08 34,328 --a------ c:\windows\System32\wups.dll
2008-12-09 09:16 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-12-06 00:25 . 2008-12-06 00:25 <DIR> d-------- c:\program files\CCleaner
2008-11-22 11:58 . 2008-11-22 11:58 <DIR> d-------- c:\users\X80le\AppData\Roaming\Malwarebytes
2008-11-22 11:58 . 2008-11-22 11:58 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-22 11:58 . 2008-12-06 00:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-22 11:58 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-22 11:58 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-13 09:56 . 2008-11-13 11:20 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-11-13 09:55 . 2008-11-13 09:55 <DIR> d-------- C:\nup
2008-11-13 09:51 . 2008-09-05 13:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-13 09:51 . 2008-08-27 09:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-13 09:50 . 2008-09-10 11:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-11 16:18 . 2008-11-11 16:18 <DIR> d-------- c:\program files\AVG
2008-11-10 01:02 . 2008-11-10 01:02 <DIR> d--h----- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 01:10 --------- d-----w c:\programdata\Symantec
2008-11-22 18:07 --------- d-----w c:\users\X80le\AppData\Roaming\CyberLink
2008-11-13 03:29 --------- d-----w c:\programdata\Microsoft Help
2008-11-11 08:32 --------- d-----w c:\programdata\avg8
2008-11-01 02:11 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-11-01 02:11 --------- d-----w c:\users\X80le\AppData\Roaming\Canon
2008-11-01 01:47 --------- d-----w c:\programdata\ZoomBrowser
2008-11-01 01:47 --------- d-----w c:\program files\Canon
2008-11-01 01:45 --------- d-----w c:\program files\Common Files\Canon
2008-10-29 02:46 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-15 02:00 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-15 02:00 --------- d-----w c:\program files\iTunes
2008-10-15 01:59 --------- d-----w c:\program files\iPod
2008-10-02 19:49 19,778 ----a-w c:\windows\E220AutoRunLog.tmp
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-30 08:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-01-21 02:57 174 --sha-w c:\program files\desktop.ini
2008-09-08 03:06 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-09-08 03:06 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-09-08 03:06 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-09_10.31.09.30 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-09 02:29:35 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-10 01:44:16 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-12-09 02:29:40 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-10 01:44:16 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-10 01:44:16 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-12-09 01:54:32 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-10 01:08:55 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-09 01:54:32 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-10 01:08:55 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-09 01:54:32 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-10 01:08:55 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-09 02:07:35 101,350 ----a-w c:\windows\System32\perfc009.dat
+ 2008-12-10 00:58:13 101,350 ----a-w c:\windows\System32\perfc009.dat
- 2008-12-09 02:07:35 595,684 ----a-w c:\windows\System32\perfh009.dat
+ 2008-12-10 00:58:13 595,684 ----a-w c:\windows\System32\perfh009.dat
- 2008-12-09 02:11:41 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-12-09 03:15:15 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2008-12-09 02:03:11 9,012 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4281483017-775441335-2446592685-1000_UserData.bin
+ 2008-12-10 00:53:28 9,012 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4281483017-775441335-2446592685-1000_UserData.bin
- 2008-12-09 02:03:11 85,838 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-10 00:53:28 85,838 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-09 02:03:09 43,012 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-10 00:53:26 43,012 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 08:08 143360 --a------ c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"Google Update"="c:\users\X80le\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2006-10-27 32560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALUAlert]
--a------ 2007-08-23 20:34 152952 c:\program files\Symantec\LiveUpdate\ALUNOTIFY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 20:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2008-03-18 08:59 2289664 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2573AF6E-4420-460D-B360-47E6FFDFB35A}"= c:\program files\ASUSTek\ASUSDVD\PowerDVD.EXE:CyberLink PowerDVD
"{1A063077-ABC5-43E9-98FC-D09DFDB73C4E}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C910D8D9-91DC-49D2-9BAA-6E4029495793}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{26A2DECA-A4B6-49F3-8060-4070E543505A}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{3E7312D1-5E0F-44BD-85FE-28C0F0C2EA2F}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{A4988C1A-0A82-4B48-BD6E-F8A6D44F588C}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{CD143528-E032-4B6C-9493-32BC83551EFA}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{F07D88BB-0FE5-444E-83E9-31DCD7DC787E}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{33DE57E4-57F4-4CB4-A9A5-F15ADF37EBE2}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{51308F0D-4B2A-4620-A12A-0D8D43A40ACA}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B4DC49C8-02CE-43D4-ADB8-6246E348DC80}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{FD3A1F1E-DAEF-4799-950F-CEE6813C5F41}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{926071A3-257A-44E0-B009-3073F4BA73E7}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B8E3D35D-BFBD-4111-89E0-8BE5F3C72EB7}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{1C8CB5FC-4EB4-4322-9963-DDFE8469D29A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{5AE2D551-9A5B-42DC-AA03-A48D083873E6}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081204.001\IDSvix86.sys [2008-12-09 270384]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-01-25 39080]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f48810a-8fd8-11dd-9d30-001fc6eaceab}]
\shell\Auto\command - setup.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacd1a7a-8dbf-11dd-bd67-001fc6eaceab}]
\shell\AutoRun\command - F:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacd1a85-8dbf-11dd-bd67-001fc6eaceab}]
\shell\AutoRun\command - F:\VMC_PBStarter.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\X80le\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-04 10:34]

2008-11-10 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - X80le.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\users\X80le\AppData\Roaming\Mozilla\Firefox\Profiles\7tdoti5o.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\users\X80le\AppData\Local\Google\Update\1.2.131.27\npGoogleOneClick6.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 09:44:21
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\ADSM_PData_0150

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2564)
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files\ATK Hotkey\ASLDRSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\IFXSPMGT.exe
c:\windows\System32\IFXTCS.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\IfxPsdSv.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\conime.exe
c:\program files\ATK Hotkey\HControl.exe
c:\program files\ATKOSD2\ATKOSD2.exe
c:\program files\Wireless Console 2\wcourier.exe
c:\program files\ASUS\Splendid\ACMON.exe
c:\program files\P4G\BatteryLife.exe
c:\windows\System32\ACEngSvr.exe
c:\program files\ATK Hotkey\ATKOSD.exe
c:\program files\ATK Hotkey\KBFiltr.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-12-10 9:48:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-10 01:48:19
ComboFix2.txt 2008-12-09 02:32:17

Pre-Run: 47,261,466,624 bytes free
Post-Run: 47,347,851,264 bytes free

246 --- E O F --- 2008-12-09 01:55:23
  #32  
Old 9th Dec 2008, 18:56
Member Group
 
Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:40 AM, on 12/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\CF14834.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\X80le\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.exe
C:\ComboFix\handle.cfexe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\X80le\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\Windows\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\Windows\system32\ifxtcs.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Windows\system32\IfxPsdSv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5251 bytes


BTW, I can still see the recycler folder as a hidden file; however, when I hover the mouse over it, it says that it is 0 bytes and the folder is empty. Do I delete it?
  #33  
Old 9th Dec 2008, 19:04
Moderator Group
 
Suspicious files to scan

Please go to VirSCAN.org FREE on-line scan service
(If more than one file needs to be scanned, they must be done separately and a log posted for each one)

1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
Code:
c:\windows\System32\acovcnt.exe
2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Click on the Upload button.
This will perform a scan across multiple different virus scanning engines.
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
Important: Wait for all of the scanning engines to complete.
5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
6. Paste the contents of the Clipboard in your next reply.
__________________

  #34  
Old 10th Dec 2008, 02:42
Member Group
 
VirSCAN.org Scanned Report :
Scanned time : 2008/12/07 07:48:14 (PHT)
Scanner results: All Scanners reported not find malware!
File Name : acovcnt.exe
File Size : 45056 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 6bcaf46e2b7fa9ace92b4d39f3037c5c
SHA1 : 6d5a81e3cf59832d73f28d6e87f51d073c3e4095
Online report : http://virscan.org/report/e7d17c1e90...91e50f68e.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.27 20081207050136 2008-12-07 3.12 -
AhnLab V3 2008.12.06.01 2008.12.06 2008-12-06 1.05 -
AntiVir 7.9.0.42 7.1.0.195 2008-12-05 1.62 -
Antiy 2.0.18 20081206.1796347 2008-12-06 0.12 -
Arcavir 1.0.5 200811291125 2008-11-29 1.23 -
Authentium 5.1.1 200812061130 2008-12-06 1.06 -
AVAST! 3.0.1 081206-0 2008-12-06 0.75 -
AVG 7.5.52.442 270.9.15/1834 2008-12-06 1.76 -
BitDefender 7.81008.2333859 7.22350 2008-12-07 2.17 -
CA (VET) 9.0.0.143 31.6.6246 2008-12-06 5.32 -
ClamAV 0.94.1 8729 2008-12-06 0.02 -
Comodo 3.0 698 2008-12-06 0.80 -
CP Secure 1.1.0.715 2008.12.05 2008-12-05 5.99 -
Dr.Web 4.44.0.9170 2008.12.06 2008-12-06 3.70 -
ewido 4.0.0.2 2008.12.06 2008-12-06 3.18 -
F-Prot 4.4.4.56 20081206 2008-12-06 1.06 -
F-Secure 5.51.6100 2008.12.05.10 2008-12-05 3.85 -
Fortinet 2.81-3.117 9.787 2008-12-06 0.18 -
GData 19.1817/19.136 20081206 2008-12-06 2.76 -
ViRobot 20081206 2008.12.06 2008-12-06 0.40 -
Ikarus T3.1.01.45 2008.12.06.71966 2008-12-06 3.81 -
JiangMin 11.0.706 2008.12.06 2008-12-06 1.38 -
Kaspersky 5.5.10 2008.12.06 2008-12-06 0.06 -
KingSoft 2008.9.8.18 2008.12.6.22 2008-12-06 0.62 -
McAfee 5.3.00 5456 2008-12-06 2.57 -
Microsoft 1.4205 2008.12.06 2008-12-06 4.38 -
mks_vir 2.01 2008.12.07 2008-12-07 2.67 -
Norman 5.93.01 5.93.00 2008-12-05 5.60 -
Panda 9.05.01 2008.12.06 2008-12-06 2.72 -
Trend Micro 8.700-1004 5.694.22 2008-12-06 0.04 -
Quick Heal 10.00 2008.12.06 2008-12-06 0.89 -
Rising 20.0 21.06.52.00 2008-12-06 0.82 -
Sophos 2.81.2 4.36 2008-12-07 1.97 -
Sunbelt 4674 4674 2008-11-04 0.62 -
Symantec 1.3.0.24 20081206.003 2008-12-06 0.05 -
nProtect 2008-12-05.00 2742544 2008-12-05 3.47 -
The Hacker 6.3.1.2 v00179 2008-12-06 0.47 -
VBA32 3.12.8.10 20081206.1346 2008-12-06 1.48 -
VirusBuster 4.5.11.10 10.94.16/729937 2008-12-05 0.94 -
  #35  
Old 10th Dec 2008, 02:49
Member Group
 
The folder is still there; I have already deleted it manually and then it reappeared again. I was wondering about these lines in the ComboFix log:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacd1a7a-8dbf-11dd-bd67-001fc6eaceab}]
\shell\AutoRun\command - F:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacd1a85-8dbf-11dd-bd67-001fc6eaceab}]
\shell\AutoRun\command - F:\VMC_PBStarter.exe

I don't have an F: drive.
  #36  
Old 10th Dec 2008, 13:05
Moderator Group
 
I'm not sure what that is and can't find anything saying it's malicious, but we can remove it if you don't know what it's for. It's an autorun for a flash drive I think.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacd1a7a-8dbf-11dd-bd67-001fc6eaceab}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacd1a85-8dbf-11dd-bd67-001fc6eaceab}]
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

Quote:
the folder is still there and i have already deleted it manually and then it reappeared again.
What folder?
__________________

  #37  
Old 10th Dec 2008, 13:16
Member Group
 
How about this one also:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\VMC_PBStarter.exe
Do I include it in the REGEDIT4?
The folder that I tried to delete was the recycler folder, on both the C and D drives.
  #38  
Old 10th Dec 2008, 13:19
Moderator Group
 
Here ya go.

Code:
REGEDIT4 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacd1a7a-8dbf-11dd-bd67-001fc6eaceab}] 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacd1a85-8dbf-11dd-bd67-001fc6eaceab}] 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
__________________
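The fixme.reg above removes the MountPoints2 autorun keys by hand. As an added example (not code from the thread, from ComboFix, or from the forum), here is a small Python script that parses the "Reg Loading Points" section of a ComboFix log, lists every MountPoints2 drive-autorun entry, flags the ones whose command starts with a drive letter the machine does not have (the F: drive the poster says is not there), reports the Security Center notification-suppression values and disabled firewall profiles visible in the same log, and emits REGEDIT4 deletion text in the same [-key] form the moderator used. The sample lines are constructed from the log earlier in the thread; the set of present drives is an assumption passed in by hand (on a real machine you would enumerate the volumes), and the function names are mine.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re

# Constructed sample: lines lifted from the ComboFix log earlier in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f48810a-8fd8-11dd-9d30-001fc6eaceab}]
\shell\Auto\command - setup.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cacd1a7a-8dbf-11dd-bd67-001fc6eaceab}]
\shell\AutoRun\command - F:\VMC_PBStarter.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                    # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')      # "Name"= value
SHELL_RE = re.compile(r"^(\\shell\\\S+)\s+-\s+(.+)$")  # \shell\AutoRun\command - cmd
DRIVE_RE = re.compile(r"^([A-Za-z]):\\")              # leading drive letter of a command


def parse_reg_points(text):
    """Map each registry key to its values and its shell\\...\\command entries."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {"values": {}, "shell": []})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current]["values"][m.group(1)] = m.group(2).strip()
            continue
        m = SHELL_RE.match(line)
        if m:
            keys[current]["shell"].append((m.group(1), m.group(2).strip()))
    return keys


def mountpoints2_autoruns(keys):
    """MountPoints2 subkeys that carry a shell command, i.e. per-drive autoruns."""
    return {k: v["shell"] for k, v in keys.items()
            if "\\mountpoints2\\" in k.lower() and v["shell"]}


def stale_autoruns(keys, present_drives):
    """Autorun commands whose drive letter is not in present_drives (assumed set)."""
    stale = {}
    for key, cmds in mountpoints2_autoruns(keys).items():
        for _verb, cmd in cmds:
            m = DRIVE_RE.match(cmd)
            if m and m.group(1).upper() not in present_drives:
                stale.setdefault(key, []).append(cmd)
    return stale


def posture_findings(keys):
    """Security Center notification suppression and disabled firewall profiles."""
    findings = []
    for key, data in keys.items():
        low = key.lower()
        for name, value in data["values"].items():
            if "security center" in low and value.endswith("00000001") and (
                    name.endswith("DisableNotify") or name == "DisableMonitoring"):
                findings.append(f"{name} set under {key}")
            elif "firewallpolicy" in low and name == "EnableFirewall" \
                    and value.split()[0] == "0":
                profile = key.rsplit("\\", 1)[-1]
                findings.append(f"firewall off for {profile}")
    return findings


def removal_reg(keys_to_delete):
    """REGEDIT4 text; a leading '-' inside the brackets deletes that key."""
    lines = ["REGEDIT4", ""]
    for key in keys_to_delete:
        lines += [f"[-{key}]", ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    parsed = parse_reg_points(SAMPLE_LOG)
    stale = stale_autoruns(parsed, present_drives={"C", "D"})  # assumed volumes
    for key, cmds in stale.items():
        print("stale autorun:", key, cmds)
    for finding in posture_findings(parsed):
        print("posture:", finding)
    print(removal_reg(sorted(stale)))
```

Only the keys whose command points at a missing drive end up in the generated .reg text; the {1f48810a...} key with a relative setup.exe command is listed by mountpoints2_autoruns but left for a human decision, which matches how the thread handled it.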

  #39  
Old 10th Dec 2008, 16:16
Member Group
 
http://www.computer-juice.com/forums...ecycler-15534/

I found a topic here about the recycle bin and recycler... Is the recycler in the screenshot that I posted the same one being discussed there? Because as far as I can remember there was no recycler folder, and based on the details it was created in November. I bought the laptop in October, so there should be no need for it to be there, right?
  #40  
Old 10th Dec 2008, 16:52
Moderator Group
 
There is a Resycler virus, different spelling.

This next scan will find anything else that may be there.

Download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe and then click Start.
  • An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now Click OK to start.
    • This is a short scan that will scan the files currently running in memory.
    • If or when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis and click OK
  • Back at the main window, select the Complete scan button.
  • Then click the Green Arrow Start Scanning button on the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done.
  • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  • Copy and paste that log in the next reply
__________________

Copyright ©2006 - 2009 Computer Juice.

Powered by vBulletin® Copyright ©2000 - 2009 Jelsoft Enterprises Ltd. SEO by vBSEO ©2009, Crawlability, Inc.