
Infected With Bloodhound.packed.jmp


1 reply to this topic

#1 chiau ping

  • Members
  • 3 posts

Posted 21 April 2008 - 08:57 PM

- Norton AV detected 'bloodhound.Packed.Jmp' on my machine (Windows Server 2003)
- Norton AV prompts a virus alert each time Windows starts up or when clicking on the drives
- Unable to view hidden files
- Unable to run YahooMessenger.

I have scanned my machine with DSS; here's the scan result:
main.txt is shown below.
extra.txt is attached.

From main.txt:
Deckard's System Scanner v20071014.68
Run by ChiauPing on 2008-04-22 09:42:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as ChiauPing.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:17 AM, on 4/22/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
D:\IBM\SQLLIB\BIN\db2mgmtsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
D:\IBM\SQLLIB\BIN\db2rcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DellTPad\HidFind.exe
D:\IBM\SQLLIB\BIN\db2systray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
D:\Downloads\dss.exe
D:\DOWNLO~1\HIJACK~1\ChiauPing.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DB2COPY1 - db2systray.exe DB2] D:\IBM\SQLLIB\BIN\db2systray.exe DB2
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\PrevxCSI.exe" /bootupreg
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo2\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://bluebox.atquest.net/qp2.cab
O16 - DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} (Google Gadget Control) - http://dl.google.com/dl/desktop/nv/GoogleG...PluginIEWin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atquest.net
O17 - HKLM\Software\..\Telephony: DomainName = atquest.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atquest.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = atquest.net
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: DB2 - DB2COPY1 - DB2 (DB2) - International Business Machines Corporation - D:\IBM\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2 Governor (DB2COPY1) (DB2GOVERNOR_DB2COPY1) - International Business Machines Corporation - D:\IBM\SQLLIB\BIN\db2govds.exe
O23 - Service: DB2 License Server (DB2COPY1) (DB2LICD_DB2COPY1) - International Business Machines Corporation - D:\IBM\SQLLIB\BIN\db2licd.exe
O23 - Service: DB2 Management Service (DB2COPY1) (DB2MGMTSVC_DB2COPY1) - International Business Machines Corporation - D:\IBM\SQLLIB\BIN\db2mgmtsvc.exe
O23 - Service: DB2 Remote Command Server (DB2COPY1) (DB2REMOTECMD_DB2COPY1) - International Business Machines Corporation - D:\IBM\SQLLIB\BIN\db2rcmd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM WebSphere Application Server V6.1 - CHIAUPING-2K3Node01 (IBMWAS61Service - CHIAUPING-2K3Node01) - Unknown owner - D:\IBM\WebSphere\AppServer3\bin\wasservice.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11399 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 pxark - c:\windows\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.7.4.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Cisco Systems, Inc.; AEGIS Protocol 3.7.4.0>
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S3 IpInIp (IP in IP Tunnel Driver) - c:\windows\system32\drivers\ipinip.sys (file missing)
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 STacSV (SigmaTel Audio Service) - c:\program files\sigmatel\c-major audio\wdm\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>

S3 IBMWAS61Service - CHIAUPING-2K3Node01 (IBM WebSphere Application Server V6.1 - CHIAUPING-2K3Node01) - "d:\ibm\websphere\appserver3\bin\wasservice.exe" "ibmwas61service - chiauping-2k3node01"


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\3988E438324FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\3988E438324FC000
Service: NIC1394

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_1180&DEV_0822&SUBSYS_02271028&REV_22\4&28D6DE3B&0&09F0
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_1180&DEV_0822&SUBSYS_02271028&REV_22\4&28D6DE3B&0&09F0
Service:


-- Files created between 2008-03-22 and 2008-04-22 -----------------------------

2008-04-21 21:47:58 169 --a------ C:\Start_.cmd
2008-04-21 09:32:56 117409 -r-hs---- C:\h8i.com
2008-04-18 09:21:19 0 d-------- C:\Documents and Settings\chiauping\Application Data\Skype
2008-04-18 09:20:28 0 d-------- C:\Program Files\Skype
2008-04-18 09:20:28 0 d-------- C:\Program Files\Common Files\Skype
2008-04-18 09:20:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-04-17 23:16:52 0 d-------- C:\Documents and Settings\chew\Application Data\Identities
2008-04-17 23:16:43 0 d--h----- C:\Documents and Settings\chew\Templates
2008-04-17 23:16:43 0 dr------- C:\Documents and Settings\chew\Start Menu
2008-04-17 23:16:43 0 dr-h----- C:\Documents and Settings\chew\SendTo
2008-04-17 23:16:43 0 dr-h----- C:\Documents and Settings\chew\Recent
2008-04-17 23:16:43 0 d--h----- C:\Documents and Settings\chew\PrintHood
2008-04-17 23:16:43 786432 --ah----- C:\Documents and Settings\chew\NTUSER.DAT
2008-04-17 23:16:43 0 d--h----- C:\Documents and Settings\chew\NetHood
2008-04-17 23:16:43 0 dr------- C:\Documents and Settings\chew\My Documents
2008-04-17 23:16:43 0 d--h----- C:\Documents and Settings\chew\Local Settings
2008-04-17 23:16:43 0 dr------- C:\Documents and Settings\chew\Favorites
2008-04-17 23:16:43 0 d-------- C:\Documents and Settings\chew\Desktop
2008-04-17 23:16:43 0 d--hs---- C:\Documents and Settings\chew\Cookies
2008-04-17 23:16:43 0 dr-h----- C:\Documents and Settings\chew\Application Data
2008-04-17 23:16:43 0 d---s---- C:\Documents and Settings\chew\Application Data\Microsoft
2008-04-17 23:16:43 0 d-------- C:\Documents and Settings\chew\Application Data\Intel
2008-04-17 23:04:06 116606 -r-hs---- C:\x1dg.exe
2008-04-17 17:02:07 10880 --a------ C:\WINDOWS\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
2008-04-17 17:02:06 0 d-------- C:\Program Files\PrevxCSI
2008-04-17 17:01:59 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-04-17 10:18:54 0 d-------- C:\Program Files\Yahoo!
2008-04-16 22:14:08 125952 -r-hs---- C:\WINDOWS\system32\kavo1.dll
2008-04-16 22:11:52 117944 -r-hs---- C:\bqk.bat
2008-04-16 22:11:25 125952 -r-hs---- C:\WINDOWS\system32\kavo0.dll
2008-04-16 22:11:25 117409 -r-hs---- C:\WINDOWS\system32\kavo.exe
2008-04-13 20:06:08 0 d-------- C:\WINDOWS\AVIFiles
2008-04-13 20:05:48 0 d-------- C:\WINDOWS\v6110
2008-04-13 20:05:48 0 d-------- C:\WINDOWS\v6100
2008-04-13 20:05:48 413696 --a------ C:\WINDOWS\system32\GeoCodec.dll <Not Verified; GeoVision; GeoCodec Dynamic Link Library>
2008-04-13 20:05:48 413760 --a------ C:\WINDOWS\mpg4c32.dll <Not Verified; Microsoft Corporation; Microsoft MPEG-4 Video Codec>
2008-04-13 20:05:48 413696 -ra------ C:\WINDOWS\GeoCodec.dll <Not Verified; GeoVision; GeoCodec Dynamic Link Library>
2008-04-10 22:56:29 0 d-------- C:\Documents and Settings\chiauping\Application Data\NetSarang
2008-04-10 21:42:25 0 d-------- C:\Program Files\Common Files\NetSarang
2008-04-10 21:42:25 0 d-------- C:\Documents and Settings\All Users\Application Data\NetSarang
2008-04-10 21:41:59 0 d-------- C:\WINDOWS\Downloaded Installations
2008-04-10 18:13:29 0 d-------- C:\Documents and Settings\chiauping\Application Data\FileZilla
2008-04-09 09:38:09 0 d-------- C:\spoolerlogs
2008-04-07 16:36:06 0 d-------- C:\Documents and Settings\chiauping\Application Data\TortoiseSVN
2008-04-07 10:05:19 0 d-------- C:\Documents and Settings\chiauping\Application Data\Subversion
2008-04-05 23:47:35 0 d-------- C:\Documents and Settings\chiauping\Application Data\Roxio
2008-04-03 10:36:42 0 d-------- C:\Documents and Settings\chiauping\IBM
2008-04-02 22:10:40 0 d-------- C:\Documents and Settings\chiauping\Application Data\Rational
2008-04-02 21:51:59 48640 --a------ C:\WINDOWS\system32\libfdnvin.dll
2008-03-29 17:43:51 0 d-------- C:\Documents and Settings\chiauping\Application Data\Media Player Classic
2008-03-29 07:10:47 0 d-------- C:\Documents and Settings\chiauping\Application Data\HP
2008-03-26 09:56:52 0 d-------- C:\Program Files\ibm
2008-03-25 11:48:45 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-25 11:44:15 0 d-------- C:\Documents and Settings\All Users\Application Data\IBM


-- Find3M Report ---------------------------------------------------------------

2008-04-21 11:50:35 0 d-------- C:\Program Files\Google
2008-04-18 09:20:28 0 d-------- C:\Program Files\Common Files
2008-04-17 09:55:12 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-16 10:19:26 6040 --a------ C:\Documents and Settings\chiauping\Application Data\PrimoPDFSet.xml
2008-04-16 10:18:20 0 d-------- C:\Program Files\activePDF
2008-04-10 21:42:39 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-10 21:41:58 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-26 12:15:29 0 d-------- C:\Documents and Settings\chiauping\Application Data\IBM
2008-03-19 23:13:16 1158 --a------ C:\WINDOWS\mozver.dat
2008-03-19 11:57:48 310 --a------ C:\Documents and Settings\chiauping\Application Data\APUSet.xml
2008-03-16 21:38:47 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-16 21:38:44 0 d-------- C:\Documents and Settings\chiauping\Application Data\Mozilla
2008-03-15 14:26:23 0 d-------- C:\Documents and Settings\chiauping\Application Data\Google
2008-03-15 12:23:55 0 d-------- C:\Documents and Settings\chiauping\Application Data\IDMComp
2008-03-15 12:10:23 0 d-------- C:\Documents and Settings\chiauping\Application Data\Real
2008-03-15 12:08:53 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-15 12:08:51 0 d-------- C:\Program Files\Common Files\Real
2008-03-15 00:03:40 220586 --a------ C:\WINDOWS\uninstall Mʧ@.exe
2008-03-15 00:03:39 1395883 --a------ C:\WINDOWS\Mʧ@.scr
2008-03-14 23:25:56 0 d-------- C:\Documents and Settings\chiauping\Application Data\NJStar
2008-03-12 21:57:01 0 d-------- C:\Documents and Settings\chiauping\Application Data\Autodesk
2008-03-12 21:54:08 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-12 21:53:22 0 d-------- C:\Program Files\Autodesk
2008-03-12 21:53:18 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-12 21:52:48 0 d-------- C:\Program Files\AnswerWorks 4.0
2008-03-12 21:24:02 0 d-------- C:\Documents and Settings\chiauping\Application Data\Help
2008-03-12 12:16:22 0 d-------- C:\Documents and Settings\chiauping\Application Data\Sun
2008-03-11 09:07:36 0 d-------- C:\Program Files\MSXML 6.0
2008-03-10 21:22:12 0 d-------- C:\Documents and Settings\chiauping\Application Data\Macromedia
2008-03-10 21:21:37 0 d-------- C:\Documents and Settings\chiauping\Application Data\Adobe
2008-03-10 20:45:57 0 d-------- C:\Program Files\MSN Messenger
2008-03-10 16:19:23 0 d--h----- C:\Program Files\Zero G Registry
2008-03-10 16:11:45 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-10 09:46:10 0 d-------- C:\Documents and Settings\chiauping\Application Data\Identities
2008-03-04 14:39:20 0 d-------- C:\Program Files\Common Files\Adaptec Shared
2008-03-04 14:39:13 57344 --a------ C:\WINDOWS\uneng.exe <Not Verified; Roxio; Roxio Update Wizard>
2008-03-04 14:38:46 0 d-------- C:\Program Files\Roxio
2008-02-28 14:42:39 0 d-------- C:\Program Files\Alcohol Soft
2008-02-28 11:42:00 0 d-------- C:\Program Files\Microsoft Virtual PC
2008-02-22 16:13:52 9488 --a------ C:\WINDOWS\system32\setupdd.dll <Not Verified; Microsoft Corporation; Microsoft NetMeeting™>
2008-02-22 16:12:29 10240 --a------ C:\WINDOWS\system32\AcSignExtRes.dll <Not Verified; Autodesk; AcSignExtRes Module>
2008-02-18 18:47:58 62 --ahs---- C:\Documents and Settings\chiauping\Application Data\desktop.ini
2008-02-18 15:49:00 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-18 12:00:52 21393 --a------ C:\WINDOWS\AegisP.sys <Not Verified; Cisco Systems, Inc.; AEGIS Protocol 3.7.4.0>
2008-02-18 11:34:38 76 -rahs---- C:\WINDOWS\CT4CET.bin
2008-02-18 11:02:17 0 -rahs---- C:\MSDOS.SYS
2008-02-18 11:02:17 0 -rahs---- C:\IO.SYS
2008-02-18 11:02:17 0 --a------ C:\CONFIG.SYS
2008-02-18 11:02:17 0 --a------ C:\AUTOEXEC.BAT
2008-02-18 10:59:13 21160 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [07/25/2007 04:32 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [07/25/2007 04:30 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/30/2007 01:24 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/30/2007 01:24 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [08/30/2007 01:24 PM]
"OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [05/10/2007 01:01 AM]
"SigmatelSysTrayApp"="stsystra.exe" [05/06/2007 05:10 PM C:\WINDOWS\stsystra.exe]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [07/02/2007 01:29 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 01:03 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 12:28 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [09/11/2006 04:56 AM]
"DB2COPY1 - db2systray.exe"="" []
"PrevxCSI"="C:\Program Files\PrevxCSI\PrevxCSI.exe" [04/17/2008 05:02 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [04/21/2008 11:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/17/2007 02:38 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/09/2008 10:19 AM]
"kava"="C:\WINDOWS\system32\kavo.exe" [04/21/2008 09:32 AM]
"Yahoo! Pager"="D:\Program Files\Yahoo2\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [5/17/2007 3:43:18 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 02/17/2007 02:50 AM 19456 C:\WINDOWS\system32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= RASSFM KDCSVC WDIGEST scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-827517521-2809951733-4167982066-1642\Scripts\Logon\0\0]
"Script"=login.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
NetworkService 6to4 DHCP DnsCache
WinErr ERsvc
DcomLaunch DcomLaunch
tapisrv Tapisrv
regsvc RemoteRegistry
swprv swprv
iissvcs w3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d0502f3-ee4b-11dc-b245-001ec9001ab4}]
Auto\command- D0.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D0.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a85a1fc3-e4dd-11dc-a492-001ec9001ab4}]
AutoRun\command- D:\h8i.com
explore\Command- D:\h8i.com
open\Command- D:\h8i.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b333720b-efd1-11dc-8b93-001ec9001ab4}]
AutoRun\command- F:\uuhgt.bat
explore\Command- F:\uuhgt.bat
open\Command- F:\uuhgt.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffd63e93-0b52-11dd-8f39-001ec9001ab4}]
AutoRun\command- F:\bqk.bat
explore\Command- F:\bqk.bat
open\Command- F:\bqk.bat


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser



-- Hosts -----------------------------------------------------------------------

10.30.2.12 bluebox


-- End of Deckard's System Scanner: finished at 2008-04-22 09:46:19 ------------

Thanks :thumbsup:



#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 07 May 2008 - 08:06 PM

Hello chiau ping

Welcome to BleepingComputer :thumbsup:
========================
If you are still in need of assistance, please go to Start > Run, then copy/paste this in: "%userprofile%\desktop\dss.exe" /config, then hit OK.
Place a check next to everything and click on ok or scan.
Post those logs please.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



