
Infected With Tr/psw.maha.a.10


1 reply to this topic

#1 rake

  • Members
  • 8 posts

Posted 19 December 2007 - 02:48 PM

Hello,
I am having trouble with some suspected malware. Every time I boot up my computer, my antivirus (Avira AntiVir Free Ed) alerts me that C:\WINDOWS\sqlserver.dll is infected with trojan horse TR/PSW.Maha.A.10, no matter what I do with it. I've run my antivirus, Ad-Aware, and Spybot S&D all in safe mode. I've also run HijackThis and ComboFix; these logs are included below. Please tell me how to resolve this problem, thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:01 AM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Alanon\LOCALS~1\Temp\Rar$EX00.359\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webproxy.ucsd.edu/proxy.pl
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [b5700x drive] C:\WINDOWS\cnssr.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Policies\Explorer\Run: [{28CD6F14-0957-1033-1008-020402200001}] "C:\Program Files\Common Files\{28CD6F14-0957-1033-1008-020402200001}\Update.exe" te-110-12-0000318
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7469 bytes

ComboFix 07-12-19.7 - Alanon 2007-12-19 11:12:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.299 [GMT -8:00]
* Created a new restore point
.
Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS - system32: deleted 54046 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\as.txt
C:\Documents and Settings\LocalService\Application Data\install.dat
C:\Documents and Settings\NetworkService\Application Data\Install.dat
C:\Documents and Settings\Raymond Kho\Application Data\Install.dat
C:\Program Files\Common Files\{28CD6~1
C:\Program Files\Common Files\{28CD6~1\Update.exe.lzma
C:\Program Files\Common Files\{38CD6~1
C:\Program Files\Common Files\{38CD6~1\Bar888.dll
C:\Program Files\deskalerts
C:\Program Files\deskalerts\basis.xml
C:\Program Files\deskalerts\cancel_button.gif
C:\Program Files\deskalerts\deskbar.crc
C:\Program Files\deskalerts\deskbar.dll
C:\Program Files\deskalerts\deskbar.inf
C:\Program Files\deskalerts\history.html
C:\Program Files\deskalerts\hs_delete.bmp
C:\Program Files\deskalerts\hs_search.bmp
C:\Program Files\deskalerts\icons.bmp
C:\Program Files\deskalerts\mbclose.bmp
C:\Program Files\deskalerts\mblogo.bmp
C:\Program Files\deskalerts\notify.wav
C:\Program Files\deskalerts\options.html
C:\Program Files\deskalerts\save_button.gif
C:\Program Files\deskalerts\title_back.gif
C:\Program Files\deskalerts\version.txt
C:\Temp\fCOe
C:\temp\tn3
C:\WINDOWS\Downloaded Program Files\Companion
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
C:\WINDOWS\system32\4_exception.nls
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\mbwrfiwu.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\uwifrwbm.dll
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\uninst2.htm
C:\WINDOWS\unist1.htm

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CORE
-------\LEGACY_EXAMPLE
-------\LEGACY_NDNET1
-------\LEGACY_NEW_DRV
-------\LEGACY_RUNTIME
-------\Client IP-IPX
-------\EXAMPLE
-------\NDnet1
-------\new_drv
-------\RpcApi
-------\Runtime


((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.

2007-12-19 11:35 . 2007-12-19 11:35 47,616 --a------ C:\WINDOWS\sqlserver.dll
2007-12-18 22:18 . 2007-11-02 00:51 769 --a------ C:\WINDOWS\21
2007-12-18 20:19 . 2007-12-18 20:19 <DIR> d-------- C:\Documents and Settings\Alanon\Application Data\dvdcss
2007-12-17 01:37 . 2007-12-17 01:46 <DIR> d-------- C:\Garmin
2007-12-17 01:37 . 2007-03-08 17:18 18,432 --a------ C:\WINDOWS\system32\drivers\grmngen.sys
2007-12-17 01:37 . 2006-07-14 14:10 17,536 --a------ C:\WINDOWS\system32\drivers\grmn0200.sys
2007-12-17 01:37 . 2006-07-14 14:12 16,512 --a------ C:\WINDOWS\system32\drivers\grmn0400.sys
2007-12-17 01:37 . 2006-07-11 11:50 11,776 --a------ C:\WINDOWS\system32\drivers\grmn1200.sys
2007-12-17 01:37 . 2007-03-08 17:18 8,320 --a------ C:\WINDOWS\system32\drivers\grmnusb.sys
2007-12-14 14:26 . 2007-12-14 14:26 <DIR> d-------- C:\Program Files\Common Files\Viewpoint
2007-12-14 13:02 . 2007-12-19 11:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-14 13:02 . 2007-12-14 13:02 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-13 15:09 . 2007-12-13 15:10 <DIR> d-------- C:\Program Files\QuickTime
2007-12-11 14:34 . 2007-12-11 14:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 14:34 . 2007-12-11 14:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-29 21:09 . 2007-11-29 21:09 7,168 --ahs---- C:\WINDOWS\Thumbs.db
2007-11-29 21:09 . 2007-11-29 21:09 4,096 --ahs---- C:\Thumbs.db
2007-11-27 22:11 . 2007-11-27 22:11 <DIR> d-------- C:\Program Files\BuddyList Ops
2007-11-25 19:39 . 2007-11-25 19:39 <DIR> d-------- C:\Program Files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 19:34 4,922 ----a-w C:\WINDOWS\compaq.reg
2007-12-19 06:01 28,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-14 22:26 --------- d-----w C:\Program Files\Viewpoint
2007-12-14 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-14 06:50 --------- d-----w C:\Program Files\DivX
2007-11-29 01:30 --------- d-----w C:\Documents and Settings\Alanon\Application Data\U3
2007-11-10 09:57 --------- d-----w C:\Program Files\Yahoo!
2007-11-10 09:52 --------- d-----w C:\Program Files\IE7
2007-11-10 09:01 359,040 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-11-10 09:01 359,040 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-11-10 01:51 --------- d-----w C:\Program Files\Java
2007-11-10 01:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-10 01:44 --------- d-----w C:\Documents and Settings\Alanon\Application Data\Comodo
2007-11-10 01:41 --------- d-----w C:\Program Files\Comodo
2007-11-05 03:45 --------- d-----w C:\Documents and Settings\Alanon\Application Data\InterVideo
2007-11-05 03:33 --------- d-----w C:\Program Files\MagicDisc
2007-11-05 03:20 --------- d-----w C:\Program Files\MagicISO
2007-11-05 00:40 --------- d-----w C:\Program Files\MozBackup
2007-11-02 23:51 --------- d-----w C:\Program Files\Avira
2007-11-02 23:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2007-10-31 23:38 3,491 ----a-w C:\is68197.exe
2007-10-31 07:39 --------- d-----w C:\Program Files\Alwil Software
2007-10-31 07:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-31 07:35 --------- d-----w C:\Documents and Settings\Mila Kho.YOUR-PA86Z1I3G7\Application Data\AVG7
2007-10-31 07:35 --------- d-----w C:\Documents and Settings\Alanon\Application Data\AVG7
2007-10-30 03:27 --------- d-----w C:\Program Files\BitComet
2007-10-29 23:32 688,128 ----a-w C:\WINDOWS\cnssr.exe
2007-10-29 23:32 688,128 ----a-w C:\setup_aim6.exe
2007-10-29 22:20 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-10-29 22:11 --------- d-----w C:\Program Files\Avanquest update
2007-10-29 22:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-10-29 22:06 92,064 ----a-w C:\Documents and Settings\Alanon\mqdmmdm.sys
2007-10-29 22:06 9,232 ----a-w C:\Documents and Settings\Alanon\mqdmmdfl.sys
2007-10-29 22:06 79,328 ----a-w C:\Documents and Settings\Alanon\mqdmserd.sys
2007-10-29 22:06 66,656 ----a-w C:\Documents and Settings\Alanon\mqdmbus.sys
2007-10-29 22:06 6,208 ----a-w C:\Documents and Settings\Alanon\mqdmcmnt.sys
2007-10-29 22:06 5,936 ----a-w C:\Documents and Settings\Alanon\mqdmwhnt.sys
2007-10-29 22:06 4,048 ----a-w C:\Documents and Settings\Alanon\mqdmcr.sys
2007-10-29 22:06 25,600 ----a-w C:\Documents and Settings\Alanon\usbsermptxp.sys
2007-10-29 22:06 22,768 ----a-w C:\Documents and Settings\Alanon\usbsermpt.sys
2007-10-29 03:51 --------- d-----w C:\Program Files\Audacity
2007-10-28 05:33 --------- d-----w C:\Program Files\Common Files\MAGIX Shared
2007-10-24 18:45 --------- d-----w C:\Program Files\AIM6
2007-10-24 18:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-22 20:13 --------- d-----w C:\Program Files\Real
2007-10-21 21:15 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-21 21:15 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-10-21 21:11 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2007-02-23 08:50 56,680 ----a-w C:\Documents and Settings\Raymond Kho\Application Data\GDIPFONTCACHEV1.DAT
2005-09-22 03:39 4,771 ----a-w C:\Program Files\Warez P2P ClientIPGUARD.LOG
2005-08-09 22:49 60 ----a-w C:\Documents and Settings\Raymond Kho\delete.bat
2005-08-08 07:38 486 ----a-w C:\Program Files\Shortcut to newdotnet.lnk
2005-04-30 03:03 184,808 ----a-w C:\Documents and Settings\Raymond Kho\Application Data\shb.dat
2003-11-10 20:59 231,936 ----a-w C:\Program Files\yum.exe
2007-04-05 01:40 1,242,565 --sh--w C:\WINDOWS\system32\xybeg.bak1
2005-07-21 13:54 401,408 --sh--r C:\WINDOWS\system32\??plorer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-05-15 02:29]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 02:20]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 07:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 07:03]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-07-04 16:55]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 21:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-02 01:07]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32]
"b5700x drive"="C:\WINDOWS\cnssr.exe" [2007-10-29 15:32]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-02 16:03]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-11-10 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-01 10:03:16]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-07 04:52:04]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Alanon^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Alanon\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2002-09-10 20:26 368706 --a------ C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
C:\Program Files\BraveSentry\BraveSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCM]
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe -Background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\edautomaout]
2005-03-14 16:34 77824 --a------ C:\Program Files\Paragon Software\Paragon Encrypted Disk 3.0\edmautomount.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\edtray]
2005-03-14 16:34 118784 --a------ C:\Program Files\Paragon Software\Paragon Encrypted Disk 3.0\edtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 13:42 267064 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malware Sweeper]
2006-06-12 16:53 618496 --a------ C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
2002-02-20 18:40 143360 --a------ C:\Program Files\COMPAQ\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-04-25 07:44 35328 --a------ C:\Program Files\Winamp\winampa.exe

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2007-07-18 14:22]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-08-09 13:04]
R1 Uim_Ed;Uim Encrypted Disk Image Plugin;C:\WINDOWS\system32\Drivers\Uim_Ed.sys [2005-03-11 16:14]
R1 UimBus;Universal Image Mounter Controller;C:\WINDOWS\system32\DRIVERS\UimBus.sys [2005-03-11 16:13]
R1 UimCrAes;UIM Advanced Encryption Standard CryptoPlugin Driver;C:\WINDOWS\system32\Drivers\UimCrAes.sys [2005-03-11 16:13]
R1 UimCrStd;UIM Standard CryptoPlugin Driver;C:\WINDOWS\system32\Drivers\UimCrStd.sys [2005-03-11 16:13]
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe [2001-08-09 22:46]
S2 Sbv8;Sbv8;C:\WINDOWS\system32\Sbv8.sys []
S3 mamotou;mamotou;C:\WINDOWS\system32\DRIVERS\mamotou.sys [2007-02-02 15:57]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-04-02 21:13]
S3 msCMTSrvc;Content Monitoring Tool;C:\WINDOWS\system32\msCMTSrvc.exe []
S3 XDva025;XDva025;C:\WINDOWS\System32\XDva025.sys []
S3 XDva030;XDva030;C:\WINDOWS\System32\XDva030.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\autoplay.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\b5700x drive]
C:\WINDOWS\cnssr.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 23:03:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2002-08-02 08:01:51 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 11:35:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-19 11:37:13 - machine was rebooted


#2 Grinler (Lawrence Abrams)

  • Admin
  • 43,618 posts
  • Gender: Male
  • Location: USA

Posted 03 January 2008 - 01:04 PM

I apologize for the very long delay. We have a huge backlog of HijackThis logs to handle and it has been taking us a greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new HijackThis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Also make sure you have already followed the steps outlined below:

Preparation Guide For Use Before Posting A Hijackthis Log

Thank you for your patience.
