Combofix Log


  • This topic is locked
2 replies to this topic

#1 murpheux

  • Members
  • 2 posts

Posted 30 April 2008 - 10:21 AM

Hi,

I am infected with an unknown virus. I have AVG antivirus and it will not detect nor clear this. A virus keeps creating an autorun.inf and an aspnet file on my hard disk. No matter how many times you delete them, they keep coming back and are quick to infect other removable disks on the machine. I don't know how much damage it does, and my mouse keeps jumping around erratically. Below is my ComboFix log. Please analyse it for me.

ComboFix 08-04-28.2 - Administrator 2008-04-30 14:04:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.987 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\My Documents\My Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\kzr5slz.dll
C:\WINDOWS\system32\prsgrc.dll
C:\WINDOWS\system32\ssprs.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASBroker
-------\Service_ASBroker


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-27 18:18 . 2008-04-27 18:18 4,966 --a------ C:\WINDOWS\wlrun7.dft
2008-04-27 18:18 . 2008-04-27 18:18 3,061 --a------ C:\WINDOWS\wlrun7.hst
2008-04-27 18:04 . 2008-04-27 18:04 35 --a------ C:\WINDOWS\OnlineSet.ini
2008-04-27 18:03 . 2008-04-28 11:37 3,491 --a------ C:\WINDOWS\wlrun7.ini
2008-04-27 18:03 . 2008-04-28 11:30 242 --a------ C:\WINDOWS\wlrun5.ini
2008-04-27 14:06 . 2008-04-27 14:54 24 --a------ C:\WINDOWS\lr_rec_proto.ini
2008-04-27 09:48 . 2008-04-27 09:48 <DIR> d-------- C:\Program Files\Red Gate
2008-04-25 18:42 . 2008-04-25 18:42 <DIR> d-------- C:\Program Files\Microsoft File Transfer Manager
2008-04-25 15:37 . 2008-04-26 00:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sierra Wireless
2008-04-25 15:36 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-04-25 15:36 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\dllcache\usbohci.sys
2008-04-25 15:35 . 2006-08-24 15:56 40,832 --a------ C:\WINDOWS\system32\drivers\apusbsnt.sys
2008-04-25 15:35 . 2005-03-15 11:11 17,920 --a------ C:\WINDOWS\system32\apintfnt.dll
2008-04-25 15:35 . 2006-08-24 15:57 11,776 --a------ C:\WINDOWS\system32\apusbdco.dll
2008-04-25 15:34 . 2008-04-25 15:35 <DIR> d-------- C:\Program Files\Sierra Wireless
2008-04-24 11:59 . 2008-04-24 11:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Subversion
2008-04-24 11:59 . 2008-04-24 11:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AnkhSVN
2008-04-24 11:23 . 2008-04-24 11:23 <DIR> d-------- C:\Program Files\AnkhSVN
2008-04-24 10:28 . 2008-04-24 10:33 <DIR> d-------- C:\Program Files\MoMA
2008-04-23 15:39 . 2008-04-23 15:43 <DIR> d-------- C:\Program Files\Mono-1.9.1
2008-04-23 13:42 . 2008-04-23 13:42 <DIR> d-------- C:\Program Files\StickyNotes
2008-04-22 15:21 . 2008-04-22 15:21 66 --a------ C:\WINDOWS\vugen_extra_keywords.ini
2008-04-22 15:18 . 2008-04-28 11:37 2,143 --a------ C:\WINDOWS\vugen.ini
2008-04-22 14:55 . 2008-04-22 14:55 <DIR> d-------- C:\temp\Visual Studio 2005 AddIn_2.0.0.0
2008-04-22 14:52 . 2007-04-29 16:51 159,744 --------- C:\WINDOWS\miuninst6.exe
2008-04-22 14:51 . 2008-04-22 14:51 <DIR> d-------- C:\temp\LoadRunner Citrix Agent_9.0.0.0
2008-04-22 14:51 . 2008-04-22 14:51 <DIR> d-------- C:\temp\COMPlus Monitor_9.0.0.0
2008-04-22 14:45 . 2008-04-30 09:26 634 --a------ C:\m_agent_attribs.cfg.bak
2008-04-22 14:38 . 2008-04-22 14:38 0 --a------ C:\WINDOWS\system32\run.bat
2008-04-22 14:37 . 2008-04-22 14:37 <DIR> d-------- C:\Program Files\Common Files\Mercury
2008-04-22 14:37 . 2008-04-30 14:16 634 --a------ C:\m_agent_attribs.cfg
2008-04-22 14:37 . 2008-04-22 14:54 77 --a------ C:\WINDOWS\wlrun.ini
2008-04-22 14:27 . 2008-04-22 14:27 <DIR> d-------- C:\Program Files\Mercury
2008-04-22 14:24 . 2008-04-22 14:24 <DIR> d-------- C:\Program Files\Microsoft WSE
2008-04-15 10:31 . 2008-04-15 16:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Architecture Journal Reader
2008-04-14 12:12 . 2008-04-14 12:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-04-14 11:45 . 2008-04-14 12:12 <DIR> d-------- C:\Program Files\WS_FTP Pro
2008-04-14 11:45 . 2008-04-14 11:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-04-14 11:45 . 2002-07-16 19:08 49,152 --a------ C:\WINDOWS\system32\FTPStubInstUtils.dll
2008-04-10 12:00 . 2008-04-10 12:00 <DIR> d-------- C:\Documents and Settings\Administrator\.BuildServer
2008-04-10 11:49 . 2008-04-10 12:00 <DIR> d-------- C:\Program Files\TeamCity
2008-04-08 15:31 . 2008-04-30 13:57 <DIR> d-------- C:\Program Files\eMule
2008-04-07 16:32 . 2008-04-07 16:32 <DIR> d-------- C:\Program Files\NDoc2-Alpha3u
2008-04-05 12:15 . 2008-04-05 12:15 <DIR> d--hs---- C:\found.000
2008-03-28 22:03 . 2008-04-29 21:48 49 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-28 18:29 . 2008-03-28 18:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2008-03-28 18:16 . 2008-03-28 18:16 <DIR> d-------- C:\Program Files\Nero
2008-03-28 18:16 . 2008-03-28 18:25 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-28 18:16 . 2008-03-28 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-26 19:11 . 2008-03-26 19:11 <DIR> d-------- C:\Program Files\eFax Messenger 4.3
2008-03-26 19:11 . 2008-03-26 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Setup
2008-03-26 19:11 . 2008-03-26 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output
2008-03-26 19:11 . 2008-03-26 19:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\eFax Messenger
2008-03-26 19:11 . 2008-03-26 19:11 0 --a------ C:\WINDOWS\system32\eFax_4_3_Port
2008-03-22 19:36 . 2001-08-17 13:53 4,992 --a------ C:\WINDOWS\system32\drivers\loop.sys
2008-03-22 19:36 . 2001-08-17 13:53 4,992 --a------ C:\WINDOWS\system32\dllcache\loop.sys
2008-03-22 18:47 . 2008-03-22 18:47 <DIR> d-------- C:\Program Files\Microsoft Web Client Software Factory February 2008
2008-03-22 18:47 . 2008-03-22 18:48 1,318 --a------ C:\WINDOWS\system32\WebClientFactoryPackageRegistration128484642542433342.InstallLog
2008-03-22 18:45 . 2008-04-15 10:22 <DIR> d-------- C:\Program Files\Microsoft
2008-03-22 18:44 . 2008-03-22 18:44 <DIR> d-------- C:\Program Files\Microsoft Guidance Automation Extensions
2008-03-20 10:47 . 2008-03-20 10:47 <DIR> d-------- C:\temp\EDB3B1C1-ADC6-4263-AE1D-8D8401C88236
2008-03-18 14:37 . 2008-03-18 14:37 533 --a------ C:\OctopusCertificate.cer
2008-03-17 12:57 . 2008-03-17 12:57 <DIR> d-------- C:\Program Files\Common Files\InstallShield Shared
2008-03-17 12:57 . 2008-03-17 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-17 12:56 . 2008-03-17 12:56 <DIR> d-------- C:\PVDATA
2008-03-16 12:38 . 2008-03-16 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Memeo
2008-03-16 09:58 . 2008-03-16 09:58 <DIR> d-------- C:\Program Files\Microsoft BizTalk Services SDK
2008-03-16 06:21 . 2008-03-16 06:21 <DIR> d-------- C:\Program Files\WD
2008-03-16 06:21 . 2008-03-16 06:21 <DIR> d---s---- C:\Documents and Settings\All Users\Application Data\WD
2008-03-16 06:19 . 2008-04-06 13:09 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-03-16 06:19 . 2008-03-16 06:19 <DIR> d-------- C:\Program Files\DIFX
2008-03-16 06:19 . 2008-04-04 14:51 364,544 --a------ C:\WINDOWS\system32\WDBtnMgr.exe
2008-03-14 11:38 . 2008-03-14 11:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft FxCop
2008-03-12 04:38 . 2008-03-12 05:25 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-03-10 10:49 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-10 10:49 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-07 17:28 . 2008-03-07 17:28 0 --a------ C:\LOGDD.tmp
2008-03-07 17:23 . 2008-03-07 17:50 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-03-07 09:10 . 2008-03-07 09:10 0 --a--c--- C:\WINDOWS\flight4a.INI
2008-03-06 17:10 . 2008-03-07 11:14 <DIR> d-------- C:\Program Files\VirtualDJ
2008-03-06 10:11 . 2008-03-13 07:50 <DIR> d-------- C:\Presentations
2008-03-06 05:00 . 2008-04-30 14:16 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\VMware
2008-03-05 15:50 . 2008-03-28 08:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-03-05 14:36 . 2008-03-05 14:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VMware
2008-03-05 14:36 . 2008-04-30 14:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-03-05 14:36 . 2006-11-13 13:01 391,984 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-03-05 14:36 . 2006-11-13 13:01 142,128 --a------ C:\WINDOWS\system32\vmnat.exe
2008-03-05 14:36 . 2006-11-13 13:00 113,456 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-03-05 14:36 . 2006-11-13 13:01 22,576 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-03-05 14:34 . 2008-03-05 14:34 <DIR> d-------- C:\Program Files\VMware
2008-03-05 14:34 . 2008-03-05 14:34 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-03-05 13:15 . 2008-03-05 13:15 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-03-03 16:34 . 2008-03-03 16:54 1,656 --a--c--- C:\Documents and Settings\Administrator\Application Data\SvcTraceViewer.exe.settings
2008-03-03 16:30 . 2008-03-03 16:30 <DIR> d-------- C:\Program Files\LiveServiceTraceViewer
2008-03-03 14:29 . 2008-04-26 18:42 <DIR> d-------- C:\wcfTrace

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 13:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DNA
2008-04-28 21:16 --------- d-----w C:\Program Files\Conduit
2008-04-28 21:16 --------- d-----w C:\Program Files\BTjunkie
2008-04-28 15:22 --------- d-----w C:\Program Files\PntxUn
2008-04-28 14:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-27 17:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-04-22 13:52 --------- d-----w C:\Program Files\Mercury Interactive
2008-04-22 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-14 13:58 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-04-11 12:42 --------- d-----w C:\Program Files\Microsoft ASP.NET
2008-04-11 11:49 12,424 ----a-w C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-04-11 07:59 --------- d-----w C:\Program Files\Microsoft Expression
2008-03-27 15:55 --------- d-----w C:\Program Files\Java
2008-03-24 07:46 75,272 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-03-22 17:43 --------- d-----w C:\Program Files\Microsoft Web Client Factory
2008-03-22 17:42 --------- d-----w C:\Program Files\Google
2008-03-17 09:48 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-03-17 09:48 --------- d-----w C:\Program Files\Microsoft SDKs
2008-03-17 06:54 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-13 05:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-03-07 16:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-03-05 11:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 15:29 --------- d-----w C:\Program Files\DAEMON Tools
2008-02-29 12:24 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-02-29 12:24 --------- d-----w C:\Program Files\AVG
2008-02-02 07:07 32 -c--a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D660880A-81E7-40B1-AEDA-4E9F87DD50D2}]
2007-05-31 15:36 104064 --a------ C:\Program Files\Mercury\LoadRunner\bin\AtlasRecorderPlugin.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-30 01:08 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-23 14:51 288576]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 11:48 157592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 09:11 925696]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 22:06 716800]
"AccelerometerSysTrayApplet"="C:\WINDOWS\system32\AccelerometerSt.exe" [2006-01-17 06:01 53248]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 23:39 131072]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 16:03 40960]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 23:51 1187840]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-10 00:38 806912]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-15 23:43 892928]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 08:16 528384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 08:13 29744]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.exe" [2007-01-09 15:52 145184]
"CognizanceTS"="C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 23:12 17920]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2006-09-05 19:02 184320]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-11 12:49 1177368]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 18:21 116224]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]
"WD Button Manager"="WDBtnMgr.exe" [2008-04-04 14:51 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"AirCardEnabler"="C:\Program Files\Sierra Wireless\Network Adapter Manager\Network Adapter Manager.exe" [2007-03-16 15:48 180224]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-03-05 12:14:53 25214]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 17:02:06 581693]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2008-02-01 11:42:31 184320]
Load Runner Agent Process.lnk - C:\Program Files\Mercury\LoadRunner\LAUNCH_SERVICE\bin\magentproc.exe [2007-05-31 15:46:28 36934]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A5949E07-8536-4625-A3D0-2DD83F559990}"= C:\WINDOWS\system32\ShellHook.dll [2007-06-06 11:16 46592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL,APSHook.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"msacm.lameacm"= LameACM.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.PIMJ"= pvljpg20.dll
"VIDC.MJPX"= pvmjpg21.dll
"VIDC.PVW2"= pvwv220.dll
"VIDC.MSZH"= avimszh.dll
"VIDC.ZLIB"= avizlib.dll
"VIDC.vcr1"= ativcr1.dll
"VIDC.vcr2"= ativcr2.dll
"VIDC.ASV1"= asusasv1.dll
"VIDC.ASV2"= asusasv2.dll
"VIDC.I263"= i263_32.drv
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Microsoft Visual Studio 9.0\\Common7\\IDE\\devenv.exe"=
"C:\\Program Files\\Openwave\\V7 Simulator\\bin\\phone.exe"=
"C:\\Nokia\\Devices\\Nokia_Mobile_Browser_Simulator\\nmb.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\WINDOWS\\system32\\mstsc.exe"=
"C:\\Documents and Settings\\Administrator\\My Documents\\My Downloads\\WCF_WF_CardSpace_Samples\\WCF_WF_CardSpace_Samples\\WCF\\Extensibility\\Instancing\\Pooling\\CS\\service\\bin\\Service.exe"=
"C:\\Documents and Settings\\Administrator\\My Documents\\My Downloads\\WCF_WF_CardSpace_Samples\\WCF_WF_CardSpace_Samples\\WCF\\Extensibility\\Instancing\\Pooling\\CS\\service\\bin\\Service.vshost.exe"=
"C:\\Program Files\\Mercury Interactive\\QuickTest Professional\\bin\\AQTRmtAgent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\ReGet Software\\ReGet Deluxe\\ReGetDx.exe"=
"C:\\Program Files\\WS_FTP Pro\\wsftppro.exe"=
"C:\\Program Files\\Mercury\\LoadRunner\\LAUNCH_SERVICE\\bin\\magentproc.exe"=
"C:\\Program Files\\Mercury Interactive\\COMPlus Monitor\\launch_service\\bin\\magentservice.exe"=
"C:\\Program Files\\Red Gate\\ANTS Profiler\\RedGate.Profiler.UI.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"135:TCP"= 135:TCP:DCOM
"9090:TCP"= 9090:TCP:TeamCity Agent Port

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-11 12:49]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-02-29 13:24]
R2 ANTSProfiler;ANTS Profiler service;"C:\Program Files\Red Gate\ANTS Profiler\RedGate.Profiler.Service.exe" [2005-10-06 11:16]
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:00]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-03-14 10:43]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-03-24 08:46]
R2 LoadRunnerAgent;LoadRunner Agent Service;"C:\Program Files\Mercury Interactive\COMPlus Monitor\launch_service\bin\magentservice.exe" -service []
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE []
R2 OracleXETNSListener;OracleXETNSListener;C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [2006-02-02 06:49]
R2 paldrv;paldrv;C:\WINDOWS\system32\pal_drv.sys [2006-02-21 19:18]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 14:00]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 SwiWiFiComm;SwiWiFiComm;C:\Program Files\Sierra Wireless\AirCard 580\Generic\Components\swiwificomm.exe [2007-03-16 15:50]
R2 TCBuildAgent;TeamCity Build Agent Service;"C:\Program Files\TeamCity\buildAgent\launcher\bin\TeamCityAgentService-windows-x86-32.exe" -s "C:\Program Files\TeamCity\buildAgent\launcher\conf\wrapper.conf" []
R2 TeamCity;TeamCity Web Server;"C:\Program Files\TeamCity\bin\tomcat6.exe" //RS//TeamCity []
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 11:46]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2005-06-10 14:26]
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 13:53]
S3 apusbsnt;Sierra Wireless USB Modem Device Driver;C:\WINDOWS\system32\DRIVERS\apusbsnt.sys [2006-08-24 15:56]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 08:13]
S3 npacketdriver;Ethernet Packet Driver;C:\WINDOWS\system32\drivers\npacket.sys [2004-02-13 12:36]
S3 npacketservice;Ethernet Packet Service;C:\WINDOWS\system32\npacketsvc.exe [2004-02-13 12:36]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2003-09-04 13:38]
S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 16:53]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 []
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{030938ba-024d-11dd-97b7-001a6b228ac8}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37cb6c00-eb58-11dc-978d-001a6b228ac8}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL LIAB_UI/LIAB/default.html

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37cb6c34-eb58-11dc-978d-0016d4c28a11}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38f7386f-079d-11dd-97bf-001a6b228ac8}]
\Shell\Auto\command - H:\asp.net
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38f73870-079d-11dd-97bf-001a6b228ac8}]
\Shell\Auto\command - I:\asp.net
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38f73871-079d-11dd-97bf-001a6b228ac8}]
\Shell\Auto\command - J:\asp.net
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38f73872-079d-11dd-97bf-001a6b228ac8}]
\Shell\Auto\command - K:\asp.net
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f8dab5b-ceec-11dc-9759-0019d2796b8f}]
\Shell\Auto\command - I:\asp.net
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d77ac96-13d8-11dd-97ce-0016d4c28a11}]
\Shell\Auto\command - G:\asp.net
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6047a121-ffdb-11dc-97b5-001a6b228ac8}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6047a16e-ffdb-11dc-97b5-001a6b228ac8}]
\Shell\AutoRun\command - H:\op.bat
\Shell\explore\Command - H:\op.bat
\Shell\open\Command - H:\op.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6204379c-d28d-11dc-976a-001a6b228ac8}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6204379f-d28d-11dc-976a-0016d4c28a11}]
\Shell\Auto\command - G:\asp.net
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e71e9e4-1072-11dd-97c8-001a6b228ac8}]
\Shell\AutoRun\command - G:\t.com
\Shell\explore\Command - G:\t.com
\Shell\open\Command - G:\t.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ade6d923-eda2-11dc-9792-001a6b228ac8}]
\Shell\Auto\command - G:\asp.net
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2c9aeec-d333-11dc-976b-0016d4c28a11}]
\Shell\Auto\command - H:\asp.net
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccdb8454-e227-11dc-977f-001a6b228ac8}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f68e5d16-e9c6-11dc-978a-001a6b228ac8}]
\Shell\AutoRun\command - ie.exe
\Shell\explore\Command - ie.exe
\Shell\open\Command - ie.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BAFB867B-0BA0-4B37-A370-E4B4A02EC792}]
C:\WINDOWS\system32\msiexec.exe /qn /fpu {BAFB867B-0BA0-4B37-A370-E4B4A02EC792}
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 14:18:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????f??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asp.net]
"ImagePath"="C:\Program Files\Common Files\Microsoft Shared\MSINFO\asp.net"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe
C:\Program Files\TeamCity\buildAgent\launcher\bin\TeamCityAgentService-windows-x86-32.exe
C:\Program Files\TeamCity\jre\bin\java.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\TeamCity\jre\bin\java.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Sony Ericsson\Mobile2\File Manager\FMObexServer.exe
C:\Program Files\Sony Ericsson\Mobile2\Sync Manager\SyncController.exe
.
**************************************************************************
.
Completion time: 2008-04-30 14:30:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-30 13:30:06

Pre-Run: 300,908,544 bytes free
Post-Run: 230,883,328 bytes free

389 --- E O F --- 2008-04-17 11:13:46

#2 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 05 May 2008 - 02:36 PM

Welcome to Bleeping Computer. Please be sure you have read and followed the
Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

Do you still need help? If so read the directions posted above and pinned to the top of this forum. Then start like this:

Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply using Add Reply.

Describe any symptoms that are still occurring and post any error messages you receive "word for word".

If your issues are resolved, post to let me know so I can close your topic.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 12 May 2008 - 06:41 AM

There has been no response to this topic in a week.
This topic is closed.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
