
Qwerty12.exe Couldn't Be Deleted With SAS; HijackThis Log After Full Scan With SAS


  • This topic is locked
2 replies to this topic

#1 niko86

niko86

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:24 PM

Posted 16 July 2007 - 05:27 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:04:18, on 18.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Java\jre1.6.0_01\bin\jusched.exe
C:\Programme\Eset\nod32kui.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\Programme\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Winamp\winamp.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.174.2.4:8080
O1 - Hosts: 72.90.79.14 l2authd.lineage2.com #Universal Gaming L2 5kx, mega enchant
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6040884f-39c0-4d29-b574-91331b16a3aa} - C:\WINDOWS\system32\kbdomp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programme\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: MemTurbo.lnk = C:\Programme\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: MSCREATE.DIR
O4 - Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: MemTurbo.lnk = C:\Programme\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Отправить в 'Ссылки Интернета' - C:\WINDOWS\system\sendurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128198124517
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\mljjhhf.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: kbdomp - C:\WINDOWS\SYSTEM32\kbdomp.dll
O23 - Service: Gatewaydienst auf Anwendungsebene (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - T-Online International AG, Marmiko IT-Solutions GmbH - C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programme\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe

--
End of file - 6659 bytes

Edited by niko86, 17 July 2007 - 05:04 PM.



#2 niko86

niko86
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:24 PM

Posted 18 July 2007 - 06:36 PM

Well, dudes. You tried to answer ASAP. Well, thank you for trying this and for... nothing. And you told me not to use my internet... whatever. When you need any info about how I've got rid of this bleep, just PM me.

Still, you would like to see this log:


"DonKapone" - 2007-07-19 1:11:55 - 07-07-17.8 - Service Pack 2 NTFS

ADS removed - system32: deleted 12 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\Hacdak.dll
C:\WINDOWS\system32\kbderf.dll
C:\WINDOWS\wvtrpq.dll
C:\WINDOWS\xxvsrr.dll
C:\WINDOWS\system32\awtqo.exe
C:\WINDOWS\system32\awvtu.exe
C:\WINDOWS\system32\gebcb.exe
C:\WINDOWS\system32\gebcc.exe
C:\WINDOWS\system32\gebcd.exe
C:\WINDOWS\system32\jkhhe.exe
C:\WINDOWS\system32\mllml.exe
C:\WINDOWS\system32\mllmm.exe
C:\WINDOWS\system32\pmkhg.exe
C:\WINDOWS\system32\pmnnn.exe
C:\WINDOWS\system32\vtstu.exe
C:\WINDOWS\system32\vtutr.exe
C:\WINDOWS\qprtvw.ini
C:\WINDOWS\rrsvxx.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOKUME~1\DONKAP~1\ANWEND~1\tmp3A1D.tmp.exe
C:\WINDOWS\system32\dne4f0ddbf.dat
C:\WINDOWS\system32\qwerty12.exe
C:\WINDOWS\system32\tmpD7.tmp.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))


2007-07-19 01:11 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-19 00:43 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-18 16:43 7,168 --------- C:\WINDOWS\system32\48UMicro.dll
2007-07-18 16:43 45,056 --------- C:\WINDOWS\Getkey.dll
2007-07-18 16:43 18,120 --a------ C:\WINDOWS\system32\drivers\Artec48.sys
2007-07-18 16:43 167,936 --------- C:\WINDOWS\Ausba4.dll
2007-07-18 16:43 167,936 --------- C:\WINDOWS\A4.dll
2007-07-18 16:41 45,056 --a------ C:\WINDOWS\system32\Remove48U.exe
2007-07-18 16:39 57,856 -ra------ C:\WINDOWS\system32\gl.dll
2007-07-18 16:39 36,864 -ra------ C:\WINDOWS\system32\Vizmicro.dll
2007-07-18 16:39 26,112 -ra------ C:\WINDOWS\RunUnDrv.exe
2007-07-17 23:42 <DIR> d-------- C:\VundoFix Backups
2007-07-16 17:08 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-07-16 03:43 <DIR> d-------- C:\Programme\Trend Micro
2007-07-16 03:40 <DIR> d-------- C:\Programme\SUPERAntiSpyware
2007-07-16 03:40 <DIR> d-------- C:\DOKUME~1\DONKAP~1\ANWEND~1\SUPERAntiSpyware.com
2007-07-16 03:40 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\SUPERAntiSpyware.com
2007-07-04 08:21 118,272 --a------ C:\WINDOWS\system32\SX5363S.DLL
2007-07-04 08:21 102,400 --a------ C:\WINDOWS\system32\RV32RTP.dll
2007-07-02 16:10 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-06-30 20:45 6 --a------ C:\WINDOWS\6816Exposure.dat
2007-06-30 20:45 4 --a------ C:\WINDOWS\6816Error.dat
2007-06-30 20:45 30,720 --a------ C:\WINDOWS\6816White12.dat
2007-06-30 20:45 30,720 --a------ C:\WINDOWS\6816Dark12.dat
2007-06-30 20:45 3 --a------ C:\WINDOWS\6816Offset.dat
2007-06-30 20:45 3 --a------ C:\WINDOWS\6816Gain.dat
2007-06-30 20:44 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-06-30 20:44 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-06-30 20:08 <DIR> d-------- C:\ScanPanel
2007-06-30 12:20 <DIR> d-------- C:\DOKUME~1\DONKAP~1\ANWEND~1\Mount&Blade
2007-06-30 11:24 <DIR> d-------- C:\Programme\IrfanView
2007-06-29 23:48 2,855 --a------ C:\WINDOWS\system32\mem.PIF
2007-06-27 15:16 <DIR> d-------- C:\Programme\ReflexiveArcade


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-18 14:43:08 -------- d--h--w C:\Programme\InstallShield Installation Information
2007-07-16 01:39:51 -------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2007-07-06 19:39:09 -------- d-----w C:\Programme\Warcraft III
2007-06-30 14:18:53 -------- d-----w C:\Programme\ArtMoney
2007-06-30 10:52:29 -------- d-----w C:\DOKUME~1\DONKAP~1\ANWEND~1\Skype
2007-06-29 15:54:37 -------- d-----w C:\Programme\Winamp
2007-06-11 14:23:49 65,536 ----a-w C:\WINDOWS\IFinst27.exe
2007-05-26 22:55:48 9,565 ----a-w C:\WINDOWS\mozver.dat
2007-05-26 22:55:45 -------- d-----w C:\Programme\DivX
2007-05-26 11:38:23 -------- d-----w C:\Programme\CQPhone
2007-05-26 09:06:48 233,422 ----a-w C:\WINDOWS\CQPhone Uninstaller.exe
2007-05-23 18:57:33 -------- d-----w C:\Programme\FlashGet
2007-05-23 17:45:22 -------- d-----w C:\Programme\MSN Messenger
2006-03-26 20:53:50 457 ----a-w C:\Programme\INSTALL.LOG
2005-05-13 16:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 10:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 20:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-12-19 16:53:39 56 --sh--r C:\WINDOWS\system32\347AF0B6CE.sys
2005-10-07 18:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 11:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 14:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-04-27 09:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 12:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
2006-06-20 08:10 61440 --a------ C:\SnagIt 8\SnagItBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 21:38 63128 --a------ C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Programme\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]
2002-01-16 19:12 65536 --a------ C:\PROGRA~1\FlashGet\jccatch.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 21:05]
"RemoteControl"="C:\Programme\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"nod32kui"="C:\Programme\Eset\nod32kui.exe" [2006-03-26 22:06]
"DAEMON Tools-1033"="C:\Programme\D-Tools\daemon.exe" [2004-08-22 17:05]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2007-03-05 22:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:57]

C:\DOKUME~1\ALLUSE~1\STARTM~1\PROGRA~1\AUTOST~1
Adobe Reader - Schnellstart.lnk - C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Programme\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programme\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Programme\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^DonKapone^Startmenu^Programme^Autostart^SmartSurfer.lnk]
path=C:\Dokumente und Einstellungen\DonKapone\Startmenu\Programme\Autostart\SmartSurfer.lnk
backup=C:\WINDOWS\pss\SmartSurfer.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A-ToolBar]
C:\Programme\A-ToolBar\AToolBar.exe s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antikeymagic v.3.79 Public Beta 0.59]
F:\Downloads\Antikeymagic_v3_79_Beta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKey]
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Programme\IGN\Download Manager\dlm.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
C:\PROGRA~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Programme\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Programme\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToADiMon.exe]
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Programme\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Veoh Client Service"=2 (0x2)
"usnjsvc"=3 (0x3)


Contents of the 'Scheduled Tasks' folder
2007-07-15 07:27:18 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 01:18:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"3D-Wei\x42f"=""C:\WINDOWS\Cursors\3dwarro.cur,,C:\WINDOWS\Cursors\appstar3.ani,C:\WINDOWS\Cursors\hourgla3.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dwno.cur,C:\WINDOWS\Cursors\3dwns.cur,C:\WINDOWS\Cursors\3dwwe.cur,C:\WINDOWS\Cursors\3dwnwse.cur,C:\WINDOWS\Cursors\3dwnesw.cur,C:\WINDOWS\Cursors\3dwmove.cur,""
"H\x434nde 1"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"H\x434nde 2"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,""
"Vergr\x446\x042fert"=""C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,""
"Windows Schwarz (gro\x42f)"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"Windows Schwarz (extragro\x42f)"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
"Windows Invertiert (gro\x42f)"="C:\WINDOWS\cursors\arrow_im.cur,C:\WINDOWS\cursors\help_im.cur,C:\WINDOWS\cursors\wait_im.cur,C:\WINDOWS\cursors\busy_im.cur,C:\WINDOWS\cursors\cross_im.cur,C:\WINDOWS\cursors\beam_im.cur,C:\WINDOWS\cursors\pen_im.cur,C:\WINDOWS\cursors\no_im.cur,C:\WINDOWS\cursors\size4_im.cur,C:\WINDOWS\cursors\size3_im.cur,C:\WINDOWS\cursors\size2_im.cur,C:\WINDOWS\cursors\size1_im.cur,C:\WINDOWS\cursors\move_im.cur,C:\WINDOWS\cursors\up_im.cur"
"Windows Invertiert (extragro\x42f)"="C:\WINDOWS\cursors\arrow_il.cur,C:\WINDOWS\cursors\help_il.cur,C:\WINDOWS\cursors\wait_il.cur,C:\WINDOWS\cursors\busy_il.cur,C:\WINDOWS\cursors\cross_il.cur,C:\WINDOWS\cursors\beam_il.cur,C:\WINDOWS\cursors\pen_il.cur,C:\WINDOWS\cursors\no_il.cur,C:\WINDOWS\cursors\size4_il.cur,C:\WINDOWS\cursors\size3_il.cur,C:\WINDOWS\cursors\size2_il.cur,C:\WINDOWS\cursors\size1_il.cur,C:\WINDOWS\cursors\move_il.cur,C:\WINDOWS\cursors\up_il.cur"
"Windows-Standard (gro\x42f)"="C:\WINDOWS\cursors\arrow_m.cur,C:\WINDOWS\cursors\help_m.cur,C:\WINDOWS\cursors\wait_m.cur,C:\WINDOWS\cursors\busy_m.cur,C:\WINDOWS\cursors\cross_m.cur,C:\WINDOWS\cursors\beam_m.cur,C:\WINDOWS\cursors\pen_m.cur,C:\WINDOWS\cursors\no_m.cur,C:\WINDOWS\cursors\size4_m.cur,C:\WINDOWS\cursors\size3_m.cur,C:\WINDOWS\cursors\size2_m.cur,C:\WINDOWS\cursors\size1_m.cur,C:\WINDOWS\cursors\move_m.cur,C:\WINDOWS\cursors\up_m.cur"
"Windows-Standard (extragro\x42f)"="C:\WINDOWS\cursors\arrow_l.cur,C:\WINDOWS\cursors\help_l.cur,C:\WINDOWS\cursors\wait_l.cur,C:\WINDOWS\cursors\busy_l.cur,C:\WINDOWS\cursors\cross_l.cur,C:\WINDOWS\cursors\beam_l.cur,C:\WINDOWS\cursors\pen_l.cur,C:\WINDOWS\cursors\no_l.cur,C:\WINDOWS\cursors\size4_l.cur,C:\WINDOWS\cursors\size3_l.cur,C:\WINDOWS\cursors\size2_l.cur,C:\WINDOWS\cursors\size1_l.cur,C:\WINDOWS\cursors\move_l.cur,C:\WINDOWS\cursors\up_l.cur"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Dokumente und Einstellungen\All Users\Startmen\x44c\Programme\HHD Hex Editor\"=""
"C:\Dokumente und Einstellungen\All Users\Startmen\x44c\Programme\ACD Systems\"=""
"C:\Dokumente und Einstellungen\All Users\Startmen\x44c\Programme\SnagIt 8\"=""
"C:\Dokumente und Einstellungen\All Users\Startmen\x44c\Programme\Apple Software Update\"="1"
"C:\Dokumente und Einstellungen\All Users\Startmen\x44c\Programme\QuickTime\"="1"
"C:\Dokumente und Einstellungen\All Users\Startmen\x44c\Programme\Ventrilo\"=""
"C:\Dokumente und Einstellungen\DonKapone\Startmen\x44c\Programme\SigZag\"=""
"C:\Dokumente und Einstellungen\All Users\Startmen\x44c\Programme\Game Cam v1.4\"=""
"C:\Dokumente und Einstellungen\All Users\Startmen\x44c\Programme\SUPERAntiSpyware\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Roman (Alle Aufl\x446sungen)"="ROMAN.FON"
"Script (Alle Aufl\x446sungen)"="SCRIPT.FON"
"Modern (Alle Aufl\x446sungen)"="MODERN.FON"
"Small Fonts (VGA-Aufl\x446sung)"="SMALLER.FON"
"Symbol 8,10,12,14,18,24 (VGA-Aufl\x446sung)"="SYMBOLE.FON"
"WST_Czec (Alle Aufl\x446sungen)"="wst_czec.FON"
"WST_Engl (Alle Aufl\x446sungen)"="wst_engl.FON"
"WST_Fren (Alle Aufl\x446sungen)"="wst_fren.FON"
"WST_Germ (Alle Aufl\x446sungen)"="wst_germ.FON"
"WST_Ital (Alle Aufl\x446sungen)"="wst_ital.FON"
"WST_Span (Alle Aufl\x446sungen)"="wst_span.FON"
"WST_Swed (Alle Aufl\x446sungen)"="wst_swed.FON"
"Courier 10,12,15 (VGA-Aufl\x446sung)"="COURER.FON"
"MS Sans Serif 8,10,12,14,18,24 (VGA-Aufl\x446sung)"="SSERIFER.FON"
"MS Serif 8,10,12,14,18,24 (VGA-Aufl\x446sung)"="SERIFER.FON"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\Creative Sound Blaster-PCI\Lautst\x434rkeregel]
"LineStates"=hex:00,00,00,00,4c,00,61,00,75,00,74,00,73,00,74,00,e4,00,72,00,6b,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Akella Games\\x41a\x440\x435\x449\x435\x43d\x43d\x44b\x439 \x43a\x440\x43e\x432\x44c\x44e]
"Order"=hex:08,00,00,00,02,00,00,00,7c,03,00,00,01,00,00,00,07,00,00,00,68,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Akella Games\\x41a\x440\x435\x449\x435\x43d\x43d\x44b\x439 \x43a\x440\x43e\x432\x44c\x44e\\x421\x441\x44b\x43b\x43a\x438]
"Order"=hex:08,00,00,00,02,00,00,00,18,01,00,00,01,00,00,00,02,00,00,00,86,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Lionhead Studios Ltd\EA Technische Unterst\x44ctzung]
"Order"=hex:08,00,00,00,02,00,00,00,02,02,00,00,01,00,00,00,03,00,00,00,6e,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Nero\Handb\x044ccher]
"Order"=hex:08,00,00,00,02,00,00,00,10,08,00,00,01,00,00,00,0c,00,00,00,a6,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Nival Interactive\\x414\x435\x43c\x438\x443\x440\x433\x438]
"Order"=hex:08,00,00,00,02,00,00,00,ce,02,00,00,01,00,00,00,05,00,00,00,8c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Spiele\Postal 2\\x421\x441\x44b\x43b\x43a\x438]
"Order"=hex:08,00,00,00,02,00,00,00,1e,01,00,00,01,00,00,00,02,00,00,00,74,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Zubeh\x446r]
"Order"=hex:08,00,00,00,02,00,00,00,8a,0a,00,00,01,00,00,00,10,00,00,00,f4,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Zubeh\x446r\Eingabehilfen]
"Order"=hex:08,00,00,00,02,00,00,00,9c,02,00,00,01,00,00,00,04,00,00,00,9a,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Zubeh\x446r\Kommunikation]
"Order"=hex:08,00,00,00,02,00,00,00,60,04,00,00,01,00,00,00,06,00,00,00,a8,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Zubeh\x446r\Systemprogramme]
"Order"=hex:08,00,00,00,02,00,00,00,96,06,00,00,01,00,00,00,0a,00,00,00,96,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Zubeh\x446r\Unterhaltungsmedien]
"Order"=hex:08,00,00,00,02,00,00,00,32,01,00,00,01,00,00,00,02,00,00,00,98,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Programme\Windows NT\Zubeh\x446r\WORDPAD.EXE"="WordPad-MFC-Anwendung"
"@"C:\Programme\Windows NT\Zubeh\x446r\WORDPAD.EXE",-209"="WordPad-Dokument"
"@"C:\Programme\Windows NT\Zubeh\x446r\WORDPAD.EXE",-190"="RTF-Dokument"
"@"C:\Programme\Windows NT\Zubeh\x446r\WORDPAD.EXE",-208"="Write-Dokument"
"C:\Dokumente und Einstellungen\DonKapone\Desktop\Verkn\x44cpfung mit .pif"="Verkn\xfcpfung mit "
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Dokumente und Einstellungen\DonKapone\Desktop\Verkn\x44cpfung mit .pif"="WIN95"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Network\Benutzer-Manager f\x44cr Dom\x434nen]
"SaveSettings"="1"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-19 1:20:59 - machine was rebooted
C:\quarantined-files.txt ... 2007-07-19 01:20
C:\2.txt ... 2006-10-04 01:35

--- E O F ---


Guess which programme it is? Yeah, right.

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:24 PM

Posted 31 July 2007 - 11:43 AM

Topic closed. User used ComboFix on their own.



