#11

Here is an SDFix report after the scan. When running SDFix, I got a message saying "VDM IPX/SPX support could not be found". I will get a USB key tomorrow to transfer ComboFix unless I find it somewhere else tonight.

Code:
Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 21:40:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0

scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\JohnR\ntuser.dat, 0

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\ABC\\abc.exe"="C:\\Program Files\\ABC\\abc.exe:*:Enabled:abc"
"C:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\UPDATE.EXE"="C:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\UPDATE.EXE:*:Enabled:UPDATE"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\JohnR\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\JohnR\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\HTC\\Aces High II\\aceshigh.exe"="C:\\Program Files\\HTC\\Aces High II\\aceshigh.exe:*:Disabled:aceshigh"
"C:\\Program Files\\Steam\\steamapps\\phatman69\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\phatman69\\counter-strike source\\hl2.exe:*:Disabled:hl2"
"C:\\Program Files\\TradeFreedom\\TradeFreedomEdge\\viewer.exe"="C:\\Program Files\\TradeFreedom\\TradeFreedomEdge\\viewer.exe:*:Enabled:viewer"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Disabled:Windows® NetMeeting®"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Steam\\steam.exe"="C:\\Program Files\\Steam\\steam.exe:*:Enabled:Steam"
"C:\\Westwood\\Renegade\\patchget.dat"="C:\\Westwood\\Renegade\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\VIA\\RAID\\raid_tool.exe"="C:\\Program Files\\VIA\\RAID\\raid_tool.exe:*:Enabled:VIA RAID TOOL"
"C:\\Program Files\\Grisoft\\AVG7\\avgw.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgw.exe:*:Enabled:AVG Test Center"
"C:\\WINDOWS\\system32\\ac3config.exe"="C:\\WINDOWS\\system32\\ac3config.exe:*:Enabled:AC3 Filter"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\system32\\mshta.exe:*:Enabled:Microsoft (R) HTML Application host"
"C:\\Program Files\\Steam\\steamapps\\phatman69\\team fortress classic\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\phatman69\\team fortress classic\\hl.exe:*:Enabled:Half-Life Launcher"
"D:\\IGN Beta Event\\ConanPatcher.exe"="D:\\IGN Beta Event\\ConanPatcher.exe:*:Enabled:Age of Conan"
"C:\\Westwood\\Renegade\\Renegade.exe"="C:\\Westwood\\Renegade\\Renegade.exe:*:Disabled:Renegade"
"C:\\Westwood\\Renegade\\Game.exe"="C:\\Westwood\\Renegade\\Game.exe:*:Disabled:Renegade"
"C:\\UnrealTournament\\System\\UnrealTournament.icd"="C:\\UnrealTournament\\System\\UnrealTournament.icd:*:Disabled:UnrealTournament"
"C:\\UnrealTournament\\System\\UnrealTournament.exe"="C:\\UnrealTournament\\System\\UnrealTournament.exe:*:Disabled:UnrealTournament"
"C:\\Program Files\\CRS\\Battleground Europe\\WW2_x86.exe"="C:\\Program Files\\CRS\\Battleground Europe\\WW2_x86.exe:*:Disabled:WW2"
"C:\\Program Files\\CRS\\Battleground Europe\\WW2_sse2.exe"="C:\\Program Files\\CRS\\Battleground Europe\\WW2_sse2.exe:*:Disabled:WW2"
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"="C:\\Program Files\\The All-Seeing Eye\\eye.exe:*:Disabled:Yahoo! All-Seeing Eye"
"C:\\Documents and Settings\\JohnR\\Local Settings\\Temp\\Rar$EX05.969\\eye.exe"="C:\\Documents and Settings\\JohnR\\Local Settings\\Temp\\Rar$EX05.969\\eye.exe:*:Disabled:Yahoo! All-Seeing Eye"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\WINDOWS\\system32\\muzapp.exe"="C:\\WINDOWS\\system32\\muzapp.exe:*:Enabled:MUZ AOD APP player"
"C:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\Jointops.exe"="C:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\Jointops.exe:*:Disabled:Jointops"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="C:\\Program Files\\Electronic Arts\\EADM\\Core.exe:*:Enabled:EA Download Manager"
"C:\\Program Files\\Ventrilo\\Ventrilo.exe"="C:\\Program Files\\Ventrilo\\Ventrilo.exe:*:Enabled:Ventrilo"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\\Steam\\steamapps\\phatman69\\counter-strike source\\hl2.exe"="D:\\Steam\\steamapps\\phatman69\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"D:\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe"="D:\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe:*:Enabled:left4dead"
"D:\\Steam\\steam.exe"="D:\\Steam\\steam.exe:*:Enabled:Steam"
"D:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"="D:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe:*:Enabled:left4dead"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Run a DLL as an App"
"D:\\Electronic Arts\\Warhammer Online - Age of Reckoning\\warpatch.exe"="D:\\Electronic Arts\\Warhammer Online - Age of Reckoning\\warpatch.exe:*:Disabled:Warhammer Online - Age of Reckoning"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

Files with Hidden Attributes :

Thu  2 Aug 2007       397,312 ...H. --- "C:\~WRL0068.tmp"
Thu  2 Aug 2007       380,928 ...H. --- "C:\~WRL0289.tmp"
Thu  2 Aug 2007       377,856 ...H. --- "C:\~WRL0484.tmp"
Thu  2 Aug 2007       381,952 ...H. --- "C:\~WRL1774.tmp"
Thu  2 Aug 2007       387,584 ...H. --- "C:\~WRL2269.tmp"
Thu  2 Aug 2007       382,976 ...H. --- "C:\~WRL2470.tmp"
Thu  2 Aug 2007       393,728 ...H. --- "C:\~WRL3107.tmp"
Thu  2 Aug 2007       382,464 ...H. --- "C:\~WRL3790.tmp"
Wed  3 Jan 2007         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 25 Nov 2008       145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Wed  4 Apr 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 28 Dec 2007       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~134B.tmp"
Tue  1 Apr 2008       211,968 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~135.tmp"
Fri  7 Dec 2007       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~13A.tmp"
Tue  5 Aug 2008       243,712 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~13F.tmp"
Fri  7 Dec 2007       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~1573.tmp"
Fri 14 Dec 2007       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~1821.tmp"
Sat 11 Aug 2007       126,976 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~1B5.tmp"
Tue 13 Nov 2007       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~1CEE.tmp"
Thu 17 Jan 2008       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~1DC.tmp"
Tue 25 Mar 2008       211,968 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~20F.tmp"
Wed 15 Aug 2007       126,976 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~26C1.tmp"
Tue 15 Jan 2008       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~29C6.tmp"
Wed 21 Nov 2007       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~2AE9.tmp"
Sun  6 Jan 2008       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~2DC4.tmp"
Sun 21 Oct 2007       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~33A.tmp"
Tue 13 Mar 2007       122,880 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~34.tmp"
Fri 20 Jul 2007       126,976 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~36.tmp"
Tue 30 Oct 2007       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~3C7C.tmp"
Fri 19 Oct 2007       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~3CE8.tmp"
Mon 10 Dec 2007       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~40F.tmp"
Fri 20 Jul 2007       126,976 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~5492.tmp"
Sun 10 Feb 2008       209,920 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~5A.tmp"
Wed  9 Jan 2008       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~7D3.tmp"
Wed 28 Nov 2007       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~839.tmp"
Fri  9 Nov 2007       197,120 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~A8F.tmp"
Wed  7 Feb 2007       122,880 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~AD.tmp"
Wed 12 Mar 2008       209,408 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~C4.tmp"
Tue 18 Sep 2007       215,040 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~D6C.tmp"
Mon  6 Aug 2007       126,976 A..H. --- "C:\Documents and Settings\JohnR\Local Settings\Temp\~E5.tmp"
Fri 12 Nov 2004        37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 26 Feb 2007        28,672 ...H. --- "C:\Documents and Settings\JohnR\Desktop\carleton\napolitics\~WRL0001.tmp"
Mon 26 Feb 2007        30,208 ...H. --- "C:\Documents and Settings\JohnR\Desktop\carleton\napolitics\~WRL0303.tmp"
Mon 26 Feb 2007        29,184 ...H. --- "C:\Documents and Settings\JohnR\Desktop\carleton\napolitics\~WRL2327.tmp"
Mon 26 Feb 2007        30,720 ...H. --- "C:\Documents and Settings\JohnR\Desktop\carleton\napolitics\~WRL3561.tmp"
Tue  1 Apr 2008        41,472 ...H. --- "C:\Documents and Settings\JohnR\Desktop\carleton\statistics2008\~WRL0853.tmp"
Tue  1 Apr 2008        41,472 ...H. --- "C:\Documents and Settings\JohnR\Desktop\carleton\statistics2008\~WRL3622.tmp"

Finished!
#12

Code:
"JohnR" - 2008-11-25 21:52:59 Service Pack 3
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\JohnR\Desktop\anitvirus\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

"C:\WINDOWS\system32\~.exe"

((((((((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 ))))))))))))))))))))))))))))))))))

2008-11-25 21:40  <DIR>    d--------  C:\DOCUME~1\JohnR\APPLIC~1\WinRAR
2008-11-25 21:34  <DIR>    d--------  C:\WINDOWS\ERUNT
2008-11-25 18:54  <DIR>    d--------  C:\Program Files\BillP Studios
2008-11-25 18:54  <DIR>    d--------  C:\DOCUME~1\JohnR\APPLIC~1\WinPatrol
2008-11-25 18:44  <DIR>    d--------  C:\Program Files\Lavasoft
2008-11-25 18:44  <DIR>    d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-11-25 18:41  26,112   --a------  C:\WINDOWS\system32\stus.exe
2008-11-25 18:26  786,432  --ah-----  C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2008-11-25 18:18  <DIR>    d--------  C:\WINDOWS\CSC
2008-11-25 17:58  <DIR>    d--------  C:\DOCUME~1\JohnR\APPLIC~1\MSN6
2008-11-25 17:58  <DIR>    d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2008-11-25 15:58  <DIR>    d-a------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-11-25 15:19  <DIR>    d--------  C:\Program Files\CCleaner
2008-11-25 14:49  63,488   --a------  C:\WINDOWS\system32\smwin32.dll
2008-11-25 14:49  14,848   --a------  C:\WINDOWS\system32\getfn32.dll
2008-11-25 11:53  0        --a------  C:\WINDOWS\system32\wertyu.dll
2008-11-25 11:53  0        --a------  C:\WINDOWS\system32\av.exe
2008-11-24 19:50  89,615   --a------  C:\WINDOWS\system32\uesiuqcr.exe
2008-11-24 19:45  89,103   --a------  C:\WINDOWS\system32\av.dat
2008-11-10 10:41  <DIR>    d--------  C:\Program Files\MSECache
2008-11-02 12:05  <DIR>    d--------  C:\WINDOWS\048298C9A4D3490B9FF9AB023A9238F3.TMP

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-11-25 23:43:37  --------  d-----w  C:\Program Files\Common Files\Wise Installation Wizard
2008-11-25 23:41:41  8,704     ----a-w  C:\WINDOWS\system32\userinit.exe
2008-11-25 23:38:03  --------  d-----w  C:\Program Files\SpywareBlaster
2008-11-25 20:16:52  --------  d-----w  C:\Program Files\VideoLAN
2008-11-17 15:27:07  --------  d-----w  C:\DOCUME~1\JohnR\APPLIC~1\IGN_DLM
2008-11-17 02:12:13  --------  d-----w  C:\DOCUME~1\JohnR\APPLIC~1\uTorrent
2008-11-11 00:01:44  --------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-10-24 11:21:09  455,296   ----a-w  C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-10-24 04:11:05  --------  d-----w  C:\Program Files\MSN Messenger
2008-10-22 02:14:36  --------  d-----w  C:\Program Files\Messenger
2008-10-22 02:10:23  --------  d-----w  C:\Program Files\Movie Maker
2008-10-22 02:07:49  --------  d-----w  C:\Program Files\Windows NT
2008-10-16 19:13:40  202,776   ----a-w  C:\WINDOWS\system32\wuweb.dll
2008-10-16 19:13:40  1,809,944 ----a-w  C:\WINDOWS\system32\wuaueng.dll
2008-10-16 19:12:22  323,608   ----a-w  C:\WINDOWS\system32\wucltui.dll
2008-10-16 19:12:20  561,688   ----a-w  C:\WINDOWS\system32\wuapi.dll
2008-10-16 19:09:44  92,696    ----a-w  C:\WINDOWS\system32\cdm.dll
2008-10-16 19:09:44  51,224    ----a-w  C:\WINDOWS\system32\wuauclt.exe
2008-10-16 19:09:44  43,544    ----a-w  C:\WINDOWS\system32\wups2.dll
2008-10-16 19:08:58  34,328    ----a-w  C:\WINDOWS\system32\wups.dll
2008-10-16 16:10:24  --------  d-----w  C:\Program Files\Common Files\Real
2008-10-16 16:10:24  --------  d-----w  C:\DOCUME~1\JohnR\APPLIC~1\Real
2008-10-14 19:54:38  --------  d-----w  C:\Program Files\Winamp
2008-10-14 17:34:29  499,712   ----a-w  C:\WINDOWS\system32\msvcp71.dll
2008-10-14 17:34:29  348,160   ----a-w  C:\WINDOWS\system32\msvcr71.dll
2008-10-14 16:57:03  --------  d-----w  C:\Program Files\K-Lite Codec Pack
2008-10-13 19:14:36  --------  d-----w  C:\DOCUME~1\JohnR\APPLIC~1\Ventrilo
2008-10-13 19:11:32  --------  d-----w  C:\Program Files\Ventrilo
2008-10-09 21:31:20  --------  d-----w  C:\Program Files\Windows Media Connect 2
2008-09-30 21:43:34  1,286,152 ----a-w  C:\WINDOWS\system32\msxml4.dll
2008-09-17 18:36:03  296       ----a-w  C:\WINDOWS\system32\ealregsnapshot1.reg
2008-09-15 12:12:56  1,846,400 ----a-w  C:\WINDOWS\system32\win32k.sys
2008-09-10 01:14:56  1,307,648 ------w  C:\WINDOWS\system32\msxml6.dll
2008-09-08 07:22:20  10,520    ----a-w  C:\WINDOWS\system32\avgrsstx.dll
2008-09-04 17:15:04  1,106,944 ----a-w  C:\WINDOWS\system32\msxml3.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 19:38]
{21A237A4-3A94-4198-911D-647ED2263DD2}=C:\WINDOWS\system32\getfn32.dll [2008-11-25 21:38]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}=C:\Program Files\AVG\AVG8\avgssie.dll [2008-09-08 02:22]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 03:27]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 19:33]
{A057A204-BACC-4D26-9990-79A187E2698E}=C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-09-08 02:22]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 11:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-28 20:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 03:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-08 17:04]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 16:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"D-Link AirPlus XtremeG DWL-G520"="C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe" [2007-06-21 13:43]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 10:49]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 08:55]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-01 23:15]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 10:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2003-01-20 21:57]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2006-03-13 09:52]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2006-02-27 14:15]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12]
"igndlm.exe"="D:\Download Manager\DLM.exe" [2008-08-01 15:36]
"EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2008-06-13 17:27]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2008-10-23 13:34]
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\WZC-Killer REG_SZ c:windowssystem32net.exe"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\a456a8f5382]
C:\WINDOWS\system32\__c00A51C0.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
%SystemRoot%\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c001F016]
C:\WINDOWS\system32\__c001F016.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs	eaphost
dot3svc	dot3svc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
napagent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ba71dc7-5afe-11db-b43f-806d6172696f}]
AutoRun\command- D:\setupSNK.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - UNLOCKERDRIVER5

Contents of the 'Scheduled Tasks' folder
2008-11-26 02:43:00 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 21:53:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"

Completion time: 2008-11-25 21:54:27
C:\ComboFix-quarantined-files.txt ... 2008-11-25 21:54
--- E O F ---
#13

I was finally able to get rid of the immediate problems with Malwarebytes. It appears to be the SHeur2.PL Trojan. AVG Resident Shield keeps picking it up, and the infected file name is C:\WINDOWS\SYSTEM32\USERINIT.EXE. The problem is that it's still active somewhere in the background trying to open itself, but WinPatrol and AVG keep blocking it.
#14

Please do not run any tools or scanners or anything unless I ask you to do so. It makes it very difficult for me to follow exactly where we are in terms of the infections. It also means I may end up providing a fix that does more harm than good. If you are happy to continue with your own fix, then that's fine - I won't provide any more help.

I shall return shortly with further instructions.
#15

Hi

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Combofix

Code:
File::
C:\WINDOWS\system32\stus.exe
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\getfn32.dll
C:\WINDOWS\system32\wertyu.dll
C:\WINDOWS\system32\av.exe
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\system32\av.dat
C:\WINDOWS\system32\drivers\TDSSmqlt.sys
C:\WINDOWS\system32\__c00A51C0.dat

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21A237A4-3A94-4198-911D-647ED2263DD2}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\a456a8f5382]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]

Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript onto ComboFix.exe. When finished, it will produce a log for you at "C:\ComboFix.txt". Do not mouseclick ComboFix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!

Please post the log C:\ComboFix.txt for further review.
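As an added illustration (not part of the thread, and not ComboFix's own code), the following Python script shows the triage reasoning behind the CFScript above: it parses the "Reg Loading Points" section of the ComboFix log posted earlier, flags the Userinit value that carries a second executable, Winlogon\Notify packages whose image is not a DLL, and the DisableTaskMgr policy, then renders the findings as File:: and Registry:: entries in the same CFScript syntax the fix uses. The sample log lines are constructed from the log above; the ".dll" test for Notify packages is a heuristic, not a ComboFix rule.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not ComboFix's own code. Flags a Userinit value
carrying extra executables, Winlogon\\Notify packages whose image is not a DLL,
and the DisableTaskMgr policy, then renders CFScript File::/Registry:: entries.
"""
import re

# Windows XP default Userinit image (stored in the registry with a trailing comma).
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# Constructed sample: the relevant lines lifted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\a456a8f5382]
C:\WINDOWS\system32\__c00A51C0.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
%SystemRoot%\System32\dimsntfy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c001F016]
C:\WINDOWS\system32\__c001F016.dat
"""

def parse_sections(text):
    """Group the log into (key, [value lines]) pairs, one per [KEY] header."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], [])
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return sections

def triage(text):
    """Return (kind, registry key, offending value) findings for the log text."""
    findings = []
    for key, lines in parse_sections(text):
        lkey = key.lower()
        if lkey.endswith("\\winlogon"):
            for line in lines:
                m = re.match(r'"userinit"="(.*)"$', line, re.I)
                if m:
                    # Userinit is a comma-separated list; anything but the default is a hijack.
                    for image in filter(None, m.group(1).split(",")):
                        if image.lower() != DEFAULT_USERINIT.lower():
                            findings.append(("userinit_extra", key, image))
        elif "\\winlogon\\notify\\" in lkey:
            # Heuristic: legitimate notification packages are DLLs; a .dat image is not.
            for line in lines:
                if not line.lower().endswith(".dll"):
                    findings.append(("notify_non_dll", key, line))
        elif lkey.endswith("\\policies\\system"):
            for line in lines:
                if re.match(r'"disabletaskmgr"=1\b', line, re.I):
                    findings.append(("taskmgr_disabled", key, line))
    return findings

def build_cfscript(findings):
    """Render File:: and Registry:: CFScript sections from the findings."""
    files, regs, userinit_reset = [], [], False
    for kind, key, value in findings:
        if kind == "userinit_extra":
            files.append(value)
            if not userinit_reset:  # reset the value once, however many extras were found
                regs += [f"[{key}]", f'"Userinit"="{DEFAULT_USERINIT},"']
                userinit_reset = True
        elif kind == "notify_non_dll":
            files.append(value)
            regs.append(f"[-{key}]")  # a leading '-' deletes the whole key
    return "\n".join(["File::", *files, "", "Registry::", *regs])
```

Running `build_cfscript(triage(SAMPLE_LOG))` reproduces the Userinit reset and the Notify key deletion from the fix above, and also lists the second non-DLL Notify key; the DisableTaskMgr policy is reported by `triage` but left for manual review.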