Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde, Smitfraud


  • This topic is locked This topic is locked
9 replies to this topic

#1 Dena

Dena

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:50 AM

Posted 23 July 2007 - 09:36 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:01 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\WebProxy.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavBckPT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

--
End of file - 6369 bytes

BC AdBot (Login to Remove)

 


#2 Dena

Dena
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:50 AM

Posted 23 July 2007 - 10:08 PM

"dellnb9" - 2007-07-23 21:49:42 [GMT -5:00] - ComboFix 07-07-24 - Service Pack 2 NTFS


Unable to gain System Privileges

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\eeqcvngy.dll
C:\WINDOWS\system32\glwfjfhk.dll
C:\WINDOWS\system32\hgghihg.dll
C:\WINDOWS\system32\rgklolbc.dll
C:\WINDOWS\system32\yayyxxx.dll
C:\WINDOWS\system32\jjfwgnsl.dll
C:\WINDOWS\system32\llfoovpa.dll
C:\WINDOWS\system32\hgghihg.dll
C:\WINDOWS\system32\yayyxxx.dll
C:\WINDOWS\system32\ststv.bak1
C:\WINDOWS\system32\ststv.bak2
C:\WINDOWS\system32\ststv.ini
C:\WINDOWS\system32\ygnvcqee.ini
C:\WINDOWS\system32\khfjfwlg.ini
C:\WINDOWS\system32\cblolkgr.ini
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\qomkjgg.dll
C:\WINDOWS\system32\qomkjgg.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\dellnb9\MYDOCU~1.\fnts~1
C:\DOCUME~1\dellnb9\MYDOCU~1.\fnts~1\alg.exe
C:\Program Files\asks~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\temp\iee
C:\temp\tn3
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\wapiitr32.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\core


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-23 21:48 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 16:18 126,016 --a------ C:\WINDOWS\system32\gmgugiuf.dll
2007-07-23 16:18 0 --a------ C:\WINDOWS\system32\gcbawtfu.exe
2007-07-22 13:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-22 12:54 24 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2007-07-22 12:48 71,680 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-07-22 12:48 261 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-07-22 12:47 49,968 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-07-22 12:47 36,016 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-07-22 12:47 29,360 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-07-22 12:47 227,960 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-07-22 12:47 190,640 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2007-07-22 12:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Backup
2007-07-22 12:34 58,800 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-07-22 12:34 15,792 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2007-07-22 12:34 121,392 --a------ C:\WINDOWS\system32\drivers\NETFLTDI.SYS
2007-07-22 12:33 63,024 --a------ C:\WINDOWS\system32\pavipc.dll
2007-07-22 12:33 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-07-22 12:33 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2007-07-22 12:33 292,400 --a------ C:\WINDOWS\system32\PavSHook.dll
2007-07-22 12:33 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-07-22 12:33 17,792 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2007-07-22 12:33 161,328 --a------ C:\WINDOWS\system32\TpUtil.dll
2007-07-22 12:33 142,128 --a------ C:\WINDOWS\system32\drivers\netimflt.sys
2007-07-22 12:33 107,568 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2007-07-22 12:33 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-07-22 12:33 <DIR> d-------- C:\Program Files\Panda Software
2007-07-22 12:31 31,104 --a------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2007-07-22 12:31 170,800 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-07-22 12:31 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-07-22 11:04 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-20 15:38 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-19 19:53 <DIR> d--hs---- C:\WINDOWS\ZGVsbG5iOQ
2007-07-19 19:37 <DIR> d-------- C:\Temp\brr
2007-07-10 17:37 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2007-07-10 17:37 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2007-07-10 17:37 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2007-07-10 17:37 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-07-10 17:37 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2007-07-10 17:34 483,328 -ra------ C:\WINDOWS\system32\hphmon05.exe
2007-07-10 17:33 4,284 --------- C:\WINDOWS\hphmdl01.dat
2007-07-10 17:33 18,269 --a------ C:\WINDOWS\HPHins01.dat
2007-07-10 17:21 6,371 -ra------ C:\WINDOWS\system32\hphmon05.dat
2007-07-02 10:36 <DIR> d-------- C:\Temp
2007-06-25 22:29 <DIR> d-------- C:\WINDOWS\SxsCaPendDel


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 02:59:59 227,960 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2007-07-24 02:59:59 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2007-07-24 02:59:59 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-07-22 17:33:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-19 01:07:08 -------- d-----w C:\DOCUME~1\dellnb9\APPLIC~1\Image Zone Express
2007-07-10 22:46:21 -------- d-----w C:\Program Files\HP
2007-07-03 03:31:42 -------- d-----w C:\Program Files\Microsoft.NET
2007-07-03 01:58:06 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-16 16:40:19 -------- d-----w C:\DOCUME~1\dellnb9\APPLIC~1\Yahoo!
2007-06-04 15:02:18 528 ----a-w C:\WINDOWS\eReg.dat
2007-06-04 15:02:05 -------- d-----w C:\Program Files\Maxis
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 01:24:04 109,946 ----a-w C:\WINDOWS\hpoins08.dat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6238118E-F048-8BED-1C61-828DCC2CD398}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6238118F-F04F-FC9C-1C64-8E8DBE57D391}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau

R1 APPDRV;APPDRV;C:\WINDOWS\system32\DRIVERS\APPDRV.SYS
R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;\??\C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 NWCWorkstation;Client Service for NetWare;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 PAVDRV;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R2 s24trans;WLAN Transport;C:\WINDOWS\system32\DRIVERS\s24trans.sys
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 IWCA;Intel Wireless Connection Agent Miniport for Win XP;C:\WINDOWS\system32\DRIVERS\iwca.sys
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys
R3 NWRDR;NetWare Rdr;C:\WINDOWS\system32\DRIVERS\nwrdr.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
R3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{476319b8-9f1e-11da-97e2-0013cef46c91}]
AutoRun\command- E:\JDSecure\Windows\JDSecure31.exe


Contents of the 'Scheduled Tasks' folder
2007-07-24 02:37:01 C:\WINDOWS\tasks\HP Usg Daily.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 21:59:27
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ShldDrv]
"ImagePath"="\??\C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys"
"ImagePath"="C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys"

Completion time: 2007-07-23 22:00:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-23 22:00

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:19 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\ApvxdWin.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\WebProxy.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavBckPT.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6238118E-F048-8BED-1C61-828DCC2CD398} - (no file)
O2 - BHO: (no name) - {6238118F-F04F-FC9C-1C64-8E8DBE57D391} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

--
End of file - 7008 bytes

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:50 PM

Posted 24 July 2007 - 03:18 AM

Hello,

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:50 PM

Posted 24 July 2007 - 03:20 AM

Never mind, I see you already performed above step and posted this in a new thread.

Please do not start multiple threads with your logs. I am going to merge the other thread you started into this one...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:50 PM

Posted 24 July 2007 - 03:26 AM

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\gmgugiuf.dll
C:\WINDOWS\system32\gcbawtfu.exe

Folder::
C:\WINDOWS\ZGVsbG5iOQ
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6238118E-F048-8BED-1C61-828DCC2CD398}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6238118F-F04F-FC9C-1C64-8E8DBE57D391}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 Dena

Dena
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:50 AM

Posted 24 July 2007 - 05:11 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:43 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\ApvxdWin.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\WebProxy.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavBckPT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

--
End of file - 6848 bytes



"dellnb9" - 2007-07-24 17:05:25 [GMT -5:00] - ComboFix 07-07-24 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\dellnb9\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp
C:\WINDOWS\system32\gcbawtfu.exe
C:\WINDOWS\system32\gmgugiuf.dll
C:\WINDOWS\ZGVsbG5iOQ


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-23 21:48 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-22 13:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-22 12:54 24 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2007-07-22 12:48 71,680 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-07-22 12:48 261 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-07-22 12:47 49,968 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-07-22 12:47 36,016 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-07-22 12:47 29,360 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-07-22 12:47 230,724 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-07-22 12:47 190,640 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2007-07-22 12:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Backup
2007-07-22 12:34 58,800 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-07-22 12:34 15,792 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2007-07-22 12:34 121,392 --a------ C:\WINDOWS\system32\drivers\NETFLTDI.SYS
2007-07-22 12:33 63,024 --a------ C:\WINDOWS\system32\pavipc.dll
2007-07-22 12:33 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-07-22 12:33 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2007-07-22 12:33 292,400 --a------ C:\WINDOWS\system32\PavSHook.dll
2007-07-22 12:33 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-07-22 12:33 17,792 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2007-07-22 12:33 161,328 --a------ C:\WINDOWS\system32\TpUtil.dll
2007-07-22 12:33 142,128 --a------ C:\WINDOWS\system32\drivers\netimflt.sys
2007-07-22 12:33 107,568 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2007-07-22 12:33 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-07-22 12:33 <DIR> d-------- C:\Program Files\Panda Software
2007-07-22 12:31 31,104 --a------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2007-07-22 12:31 170,800 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-07-22 12:31 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-07-22 11:04 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-20 15:38 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-10 17:37 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2007-07-10 17:37 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2007-07-10 17:37 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2007-07-10 17:37 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-07-10 17:37 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2007-07-10 17:34 483,328 -ra------ C:\WINDOWS\system32\hphmon05.exe
2007-07-10 17:33 4,284 --------- C:\WINDOWS\hphmdl01.dat
2007-07-10 17:33 18,269 --a------ C:\WINDOWS\HPHins01.dat
2007-07-10 17:21 6,371 -ra------ C:\WINDOWS\system32\hphmon05.dat
2007-06-25 22:29 <DIR> d-------- C:\WINDOWS\SxsCaPendDel


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 20:45:14 230,724 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2007-07-24 02:59:59 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2007-07-24 02:59:59 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-07-22 17:33:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-19 01:07:08 -------- d-----w C:\DOCUME~1\dellnb9\APPLIC~1\Image Zone Express
2007-07-10 22:46:21 -------- d-----w C:\Program Files\HP
2007-07-03 03:31:42 -------- d-----w C:\Program Files\Microsoft.NET
2007-07-03 01:58:06 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-16 16:40:19 -------- d-----w C:\DOCUME~1\dellnb9\APPLIC~1\Yahoo!
2007-06-04 15:02:18 528 ----a-w C:\WINDOWS\eReg.dat
2007-06-04 15:02:05 -------- d-----w C:\Program Files\Maxis
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 01:24:04 109,946 ----a-w C:\WINDOWS\hpoins08.dat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau

R1 APPDRV;APPDRV;C:\WINDOWS\system32\DRIVERS\APPDRV.SYS
R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;\??\C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 BASFND;BASFND;\??\C:\WINDOWS\system32\Drivers\BASFND.sys
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 NWCWorkstation;Client Service for NetWare;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 PAVDRV;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R2 s24trans;WLAN Transport;C:\WINDOWS\system32\DRIVERS\s24trans.sys
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 IWCA;Intel Wireless Connection Agent Miniport for Win XP;C:\WINDOWS\system32\DRIVERS\iwca.sys
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys
R3 NWRDR;NetWare Rdr;C:\WINDOWS\system32\DRIVERS\nwrdr.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
R3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{476319b8-9f1e-11da-97e2-0013cef46c91}]
AutoRun\command- E:\JDSecure\Windows\JDSecure31.exe

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-07-24 02:37:01 C:\WINDOWS\tasks\HP Usg Daily.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 17:07:08
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ShldDrv]
"ImagePath"="\??\C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys"
"ImagePath"="C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys"

Completion time: 2007-07-24 17:08:04
C:\ComboFix-quarantined-files.txt ... 2007-07-24 17:07
C:\ComboFix2.txt ... 2007-07-23 22:00

--- E O F ---

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:50 PM

Posted 25 July 2007 - 03:30 AM

Dena, I already told you in your other thread not to start a new thread, but reply in your existing thread here.
I've merged above post since you once again started a new thread with the logs.
Please, use the ADD Reply button below next time.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:50 PM

Posted 25 July 2007 - 03:33 AM

Delete the C:\Qoobox folder.

Then, Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
Let me know in your next reply how things are now.

Please use the Posted Image button below to reply to this post. Do NOT start a new thread with your post.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:50 PM

Posted 28 July 2007 - 05:24 AM

Still with us?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:50 PM

Posted 04 August 2007 - 04:29 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users