
Combofix/hijackthis Log Help


  • This topic is locked
2 replies to this topic

#1 r10101

  • Members
  • 1 posts
  • OFFLINE
  • Local time:05:52 AM

Posted 22 April 2008 - 12:00 PM

Hi,

I got some nasties and did some manual removal, but saw an outbound connection attempt from explorer so I decided to run ComboFix after a google on the IP. Here are my logs after, I'm hoping for any advice. I'm not sure what Find3M results are, some of them (KGyGaAvL.sys?) look suspicious. And what are DPF's in HijackThis, can I delete them? Thanks!

ComboFix 08-04-20.5 - rahvin111000 2008-04-22 1:48:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.763 [GMT -7:00]
Running from: C:\Documents and Settings\rahvin111000\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\rahvin111000\Application Data\macromedia\Flash Player\#SharedObjects\5BVGUD2R\www.broadcaster.com
C:\Documents and Settings\rahvin111000\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\rahvin111000\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\rahvin111000\Local Settings\Temporary Internet Files\MF7296ED.gif
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\ntnut.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\egmulhxk.dll
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\SYSTEM32\onqss.ini
C:\WINDOWS\SYSTEM32\onqss.ini2
C:\WINDOWS\system32\opnkheb.dll
C:\WINDOWS\system32\ssqno.dll
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
C:\WINDOWS\winself.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MsSecurity1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-22 01:01 . 2008-04-22 01:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-22 00:00 . 2008-04-22 00:20 <DIR> d-------- C:\Program Files\Bat
2008-04-22 00:00 . 2008-04-22 00:00 138 -r-hs---- C:\WINDOWS\mainms.vpi
2008-04-21 23:59 . 2008-04-22 00:00 33 -r-hs---- C:\WINDOWS\muotr.so
2008-04-21 23:59 . 2008-04-22 00:00 4 -r-hs---- C:\WINDOWS\megavid.cdt
2008-04-21 23:28 . 2008-04-21 23:28 <DIR> d-------- C:\Program Files\PhotomatixPro3
2008-04-21 19:20 . 2008-04-21 19:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-21 19:20 . 2008-04-21 19:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-13 21:43 . 2008-04-13 21:43 <DIR> d-------- C:\Program Files\OutSync
2008-04-13 21:34 . 2008-04-13 21:34 <DIR> d-------- C:\Program Files\MSBuild
2008-04-13 21:22 . 2008-04-13 21:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-04-13 21:21 . 2008-04-13 21:21 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-13 21:20 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-04-13 18:24 . 2008-04-13 18:24 <DIR> d-------- C:\Program Files\Red Kawa
2008-04-07 23:00 . 2006-06-08 18:55 5,632 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\motswch.sys
2008-04-07 20:00 . 2007-10-30 10:20 360,064 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys.ORIGINAL
2008-04-07 20:00 . 2007-10-30 10:20 360,064 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys.ORIGINAL
2008-04-03 18:04 . 2008-04-03 18:04 2,560 --a------ C:\WINDOWS\SYSTEM32\bitcometres.dll
2008-04-01 12:57 . 2008-04-01 12:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-04-01 08:49 . 2006-08-21 02:14 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2008-04-01 08:49 . 2006-08-21 02:14 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2008-04-01 08:49 . 2006-08-21 05:21 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2008-03-31 12:49 . 2007-07-09 06:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-03-31 12:44 . 2006-12-06 22:29 2,374,472 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\wmvcore.dll
2008-03-31 11:00 . 2008-03-31 11:01 <DIR> d-------- C:\Program Files\iTunes
2008-03-31 11:00 . 2008-03-31 11:00 <DIR> d-------- C:\Program Files\iPod
2008-03-31 10:56 . 2008-03-31 10:56 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-03-31 10:56 . 2008-03-31 10:56 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-31 10:56 . 2008-03-31 10:57 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-31 10:56 . 2008-03-31 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-31 10:56 . 2008-02-18 12:16 30,464 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbaapl.sys
2008-03-30 14:32 . 2008-03-30 14:32 0 --ah----- C:\Documents and Settings\rahvin111000\NTUSER.DAT_TU_98325.LOG
2008-03-30 14:32 . 2008-03-30 14:32 0 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_82789.LOG
2008-03-30 14:32 . 2008-03-30 14:32 0 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT_TU_11274.LOG
2008-03-30 14:21 . 2008-03-30 14:21 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-03-30 14:21 . 2008-03-30 14:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 14:21 . 2008-03-30 14:21 <DIR> d-------- C:\Documents and Settings\rahvin111000\Application Data\TuneUp Software
2008-03-30 14:21 . 2008-03-30 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-03-30 14:21 . 2008-03-30 14:21 307,968 --a------ C:\WINDOWS\SYSTEM32\TuneUpDefragService.exe
2008-03-30 14:21 . 2008-02-27 14:15 28,416 --a------ C:\WINDOWS\SYSTEM32\uxtuneup.dll
2008-03-30 12:50 . 2004-08-04 01:56 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2008-03-30 12:42 . 2004-07-17 12:40 19,528 --a------ C:\WINDOWS\002443_.tmp
2008-03-30 11:11 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-03-30 10:58 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-03-30 10:58 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-03-30 10:58 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-03-30 10:58 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-03-24 07:41 . 2008-03-24 07:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\ATI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 08:41 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 2
2008-04-22 08:01 --------- d-----w C:\Program Files\Lavasoft
2008-04-22 07:16 --------- d-----w C:\Documents and Settings\rahvin111000\Application Data\Lavasoft
2008-04-22 07:07 --------- d-----w C:\Documents and Settings\rahvin111000\Application Data\AVG7
2008-04-22 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-04-21 07:03 --------- d-----w C:\Program Files\foobar2002
2008-04-20 21:10 --------- d-----w C:\Program Files\Trillian
2008-04-14 04:09 --------- d-----w C:\Program Files\FlashFXP
2008-04-08 06:01 24,192 ----a-w C:\Documents and Settings\rahvin111000\usbsermptxp.sys
2008-04-08 06:01 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2008-04-08 06:01 22,768 ----a-w C:\Documents and Settings\rahvin111000\usbsermpt.sys
2008-04-08 03:00 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-08 03:00 360,064 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-04-03 03:53 --------- d-----w C:\Documents and Settings\rahvin111000\Application Data\Apple Computer
2008-04-01 20:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 20:02 --------- d-----w C:\Program Files\ATI Technologies
2008-03-31 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-31 17:59 --------- d-----w C:\Program Files\QuickTime
2008-03-30 20:57 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd4973.sys
2008-03-13 09:54 --------- d-----w C:\Program Files\ExposurePlot
2008-03-02 20:08 --------- d-----w C:\Program Files\VideoLAN
2008-02-23 23:32 --------- d-----w C:\Documents and Settings\rahvin111000\Application Data\vlc
2006-08-10 00:30 539 ----a-w C:\Program Files\WinSCP.lnk
2006-08-08 15:12 515 ----a-w C:\Program Files\Putty SSH.lnk
2006-03-20 19:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
2005-07-23 21:16 1,158,656 ----a-w C:\Program Files\winscp375.exe
2005-07-23 21:00 163,840 ----a-w C:\Program Files\puttygen.exe
2005-07-23 20:08 421,888 ----a-w C:\Program Files\putty.exe
2004-06-29 05:22 952 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------

2005-05-25 12:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$hf_mig$\KB893066\SP2GDR\tcpip.sys
2005-05-25 12:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-04-20 04:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 05:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 09:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-04-07 20:00 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-04-07 20:00 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 13:32 155648]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-25 22:01 579072]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 12:31 29696 C:\WINDOWS\KHALMNPR.Exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26 606208]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2005-08-01 12:22:10 581632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\ffdshow\ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebDriveService"=2 (0x2)
"SharedAccess"=2 (0x2)
"niSvcLoc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kerio\\Personal Firewall 4\\kpf4gui.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2004-04-15 09:02]
R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys [2006-11-17 19:10]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 11:01]
R2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS\system32\Drivers\PGPsdk.sys [2004-06-09 01:44]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 22:22]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 01:56]
R2 WebDriveFSD;WebDrive Filesystem Driver;C:\Program Files\WebDrive\rffsd.sys [2005-06-04 12:07]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 22:23]
S3 ATIXPGAA;ATIXPGAA;C:\dell\drivers\R74793\ATIXPGAA.SYS []
S3 DLINK11G;D-Link AirPlus G Wireless Adapter;C:\WINDOWS\system32\DRIVERS\TNET1130.SYS []
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys [2004-05-20 11:02]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS [2004-03-23 19:12]
S3 PCANDIS5_RETWIFI;PCANDIS5_RETWIFI Protocol Driver;C:\PROGRA~1\EEYEDI~1\RETINA~1\PCANDIS5_RETWIFI.SYS []
S3 PCANDIS5_WIFISCAN.SYS;PCANDIS5_WIFISCAN.SYS;C:\Program Files\eEye Digital Security\Retina Wireless Scanner\PCANDIS5_WIFISCAN.SYS []
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\RAHVIN~1\Desktop\AIRCRA~1.1\bin\PEEK5.SYS []
S3 PsSdk30;PsSdk30;C:\WINDOWS\System32\Drivers\PsSdk30.drv []
S3 rtl8180;Belkin 11Mbps Wireless Notebook Network Card Driver;C:\WINDOWS\system32\DRIVERS\Bel6020.sys [2003-12-30 13:20]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-30 14:21]
S3 USA19;USA19;C:\WINDOWS\system32\DRIVERS\usa192k.sys [2002-05-24 15:19]
S3 USA192KP;Keyspan USB PDA Adapter Port Driver;C:\WINDOWS\system32\DRIVERS\USA192kp.SYS [2002-05-24 15:18]
S4 tor;Tor Win32 Service;"C:\Program Files\Tor\tor.exe" --nt-service -f "C:\Documents and Settings\rahvin111000\Application Data\Vidalia\torrc" ControlPort 9051 []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{35DFFE62-9F48-4236-9249-9EAB5C7123C9}]
"C:\Program Files\Hummingbird\Connectivity\11.00\Accessories\HumSettings.exe" INSTALL=ALL
.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 09:01:24 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2004-08-21 23:24:37 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2004-08-21 23:24:37 C:\WINDOWS\Tasks\HP Usg Login.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 02:03:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\PsSdk30.drv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SYSTEM32\PGPServ.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-22 2:15:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-22 09:14:41

Pre-Run: 2,096,594,944 bytes free
Post-Run: 1,976,766,464 bytes free

326 --- E O F --- 2008-04-01 16:01:59

---------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:50 AM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\PGPserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe
C:\Documents and Settings\rahvin111000\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206899916232
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206899909813
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\System32\PGPserv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5230 bytes


#2 ken545

  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:05:52 AM

Posted 08 May 2008 - 05:23 PM

Hello r10101

Welcome to the Bleeping Computer Malware Removal Forum, sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to.
If you have not resolved your issue and still need assistance, post a new HJT log please as your system may have changed since your original post.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#3 ken545

  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:05:52 AM

Posted 31 May 2008 - 09:50 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

