
Need help with 6700.cn


33 replies to this topic

#1 MroseFlex

Posted 03 December 2008 - 05:02 PM

Good afternoon.

I've been trying like mad to remove the mess one of my clients made to their computer. However, every time I think I have it resolved, I notice the homepage keeps changing to 6700.cn. And now I'm starting to get notifications that my jump drive exe files are starting to get infected with viruses when I pop it into the infected machine. I've already run ATF cleaner and used OTScan2 to collect up a log file.

Attached is the OTScan2 log file. Any help you kind folk can give me on this issue would be greatly appreciated! At this point I can't even open a browser to run an online scan on this workstation.


#2 Buckeye_Sam (Malware Expert)

Posted 03 December 2008 - 05:12 PM

Hello! :thumbsup:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


This particular infection is very difficult to remove and there's no guarantee that we will be able to get rid of it. But I'm willing to give it a go if you are.


First we need to get some info.
  • Please download OTViewIt by OldTimer to your desktop.
  • Double click on the OTViewIt.exe icon on your desktop.
  • Check the Scan All Users checkbox and leave Use Whitelist checked. Set the File Age to 30 days.
  • Click on the Run Scan button. Two reports that are located in the same location as OTViewIt will open.
    OTViewIt.txt <-- Will be opened
    Extra.txt <-- Will be minimized
Copy and Paste the logs into your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
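As an added example (not part of this thread and not code from OldTimer's tool), the following Python script runs a first triage pass over report lines in the OTViewIt format posted further down in this thread: it flags binaries with no vendor information under the Windows directory, services whose file is gone, non-Microsoft services living directly in %SystemRoot%, Start Page values outside a homepage allowlist, and NoDriveTypeAutoRun values that still permit AutoRun from removable drives (the mechanism behind the jump-drive infections the poster describes). The sample lines are constructed from the log format, and the allowlist and heuristics are assumptions of this example, not behaviour of the tool.

```python
import re
from dataclasses import dataclass

# Constructed sample in the OTViewIt report format posted in this thread
# (timestamp | size | attrs | M] (vendor) -- path [-- (service [start | state])]).
SAMPLE_LOG = r"""
========== Processes ==========
[2007/05/30 07:31:10 | 00,312,880 | ---- | M] (GRISOFT s.r.o.) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
[2005/11/27 09:28:24 | 00,032,256 | ---- | M] () -- C:\WINDOWS\system32\csrsc.exe
========== (O23) Win32 Services ==========
File not found -- -- (Serchost [Disabled | Stopped])
[2008/11/24 19:49:43 | 00,012,288 | ---- | M] (icepoint) -- C:\WINDOWS\sxfdwe4h.exe -- (kwg2harh [Disabled | Stopped])
[2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
[2005/11/27 09:28:24 | 00,032,256 | ---- | M] () -- C:\WINDOWS\system32\csrsc.exe -- (WinSpoolSvc [Auto | Running])
========== (R ) Internet Explorer ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://go.compaq.com/1Q00CDT/0409/bl7.asp
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=www.6700.cn?tn=1027201om/isapi/redir.dll?prd
========== (O6 & O7) Current Version Policies ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=227
"""


@dataclass
class Finding:
    kind: str      # short category
    subject: str   # path, service name or registry hive concerned
    detail: str    # human-readable reason


ENTRY_RE = re.compile(
    r"^\[[^|]+\|\s*[\d,]+\s*\|[^\]]*\]\s*"             # [timestamp | size | attrs | M]
    r"\((?P<vendor>[^)]*)\)\s*--\s*(?P<path>.*?)"       # (vendor) -- path
    r"(?:\s*--\s*\((?P<svc>\S+)\s*\[(?P<start>[^|]+)\|\s*(?P<state>[^\]]+)\]\))?$"
)
MISSING_RE = re.compile(r"^File not found -- -- \((?P<svc>\S+)\s*\[[^\]]*\]\)$")
HIVE_RE = re.compile(r"^\[(?P<hive>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')

# Assumed allowlist of acceptable homepages for this machine (OEM/Microsoft defaults).
HOMEPAGE_ALLOW = ("http://go.microsoft.com/", "http://go.compaq.com/", "about:blank")
DRIVE_REMOVABLE = 0x04   # NoDriveTypeAutoRun bit: when set, AutoRun is disabled on removable drives


def triage(log_text: str) -> list:
    """Walk an OTViewIt-style report and return the entries worth a closer look."""
    findings, hive = [], None

    def add(kind, subject, detail):
        f = Finding(kind, subject, detail)
        if f not in findings:   # the same binary shows up under Processes and Services
            findings.append(f)

    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("="):          # blank or section header
            continue
        if (m := HIVE_RE.match(line)):
            hive = m.group("hive")
            continue
        if (m := MISSING_RE.match(line)):
            add("orphan_service", m.group("svc"), "service registered but its binary is gone")
            continue
        if (m := ENTRY_RE.match(line)):
            path, vendor = m.group("path"), m.group("vendor").strip()
            low = path.lower()
            in_windows = low.startswith("c:\\windows\\")
            if in_windows and not vendor:
                add("unsigned_system_binary", path, "no vendor/version info in a Windows system directory")
            if m.group("svc") and in_windows and low.count("\\") == 2 and "microsoft" not in vendor.lower():
                add("service_in_windows_root", path,
                    f"service {m.group('svc')} runs a non-Microsoft binary directly in %SystemRoot%")
            continue
        if hive and (m := VALUE_RE.match(line)):
            name, data = m.group("name"), m.group("data").strip()
            if name == "Start Page" and not data.lower().startswith(HOMEPAGE_ALLOW):
                add("homepage_hijack", hive, f"Start Page set to {data!r}")
            elif name == "NoDriveTypeAutoRun" and data.isdigit() and not int(data) & DRIVE_REMOVABLE:
                add("autorun_removable_enabled", hive,
                    f"NoDriveTypeAutoRun={data} still allows AutoRun from removable drives")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:27} {f.subject}\n{'':27} {f.detail}")
```

Findings are heuristics for prioritising what to check, not verdicts; a vendor string can be forged and a legitimate tool can sit in an odd place.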

#3 MroseFlex (Topic Starter)

Posted 03 December 2008 - 05:34 PM

Thanks for the quick reply!

Attached are the two log files you requested. Feel free to take a lil time looking them over. My office is currently closing for the day and I won't be able to continue cleaning up this machine until tomorrow morning.

Thanks again for all your help!


OTViewIt logfile created on: 12/3/2008 5:29:43 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.48 Mb Total Physical Memory | 235.53 Mb Available Physical Memory | 46.78% Memory free
1.20 Gb Paging File | 0.94 Gb Available in Paging File | 77.84% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 25.48 Gb Free Space | 68.38% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HP89521119321
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/10/01 12:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2007/05/30 07:31:10 | 00,312,880 | ---- | M] (GRISOFT s.r.o.) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2007/01/12 17:45:32 | 00,249,904 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe
[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
[2005/03/14 11:05:02 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
[2005/10/20 10:54:16 | 00,126,976 | ---- | M] (Intuit, Inc.) -- C:\Program Files\Intuit\QuickBooks Pro\QBDBMgrN.exe
[2003/11/12 13:46:34 | 00,049,152 | ---- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect\retrorun.exe
[2007/01/12 17:45:24 | 00,590,384 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe
[2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2005/11/27 09:28:24 | 00,032,256 | ---- | M] () -- C:\WINDOWS\system32\csrsc.exe
[2007/01/12 17:45:28 | 00,251,440 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe
[2001/05/01 17:06:22 | 00,053,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MsPMSPSv.exe
[2007/01/12 17:45:32 | 00,897,584 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe
[2007/06/11 04:25:42 | 06,731,312 | ---- | M] (GRISOFT s.r.o.) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2004/08/04 02:56:57 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2004/08/04 02:56:57 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
[2008/12/03 17:24:50 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

File not found -- -- (98674B5C [Disabled | Stopped])
[2008/10/01 12:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2003/02/20 19:19:38 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2007/05/30 07:31:10 | 00,312,880 | ---- | M] (GRISOFT s.r.o.) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe -- (AVG Anti-Spyware Guard [Auto | Running])
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2007/01/12 17:45:32 | 00,249,904 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC [Auto | Running])
[2007/07/10 14:51:06 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
[2008/10/01 17:57:00 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
[2008/11/24 19:49:43 | 00,012,288 | ---- | M] (icepoint) -- C:\WINDOWS\sxfdwe4h.exe -- (kwg2harh [Disabled | Stopped])
[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE -- (MDM [Auto | Running])
File not found -- -- (Nationalv1119 [Disabled | Stopped])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2005/03/14 11:05:02 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Running])
[2005/10/20 10:54:16 | 00,126,976 | ---- | M] (Intuit, Inc.) -- C:\Program Files\Intuit\QuickBooks Pro\QBDBMgrN.exe -- (QuickBooksDB [Auto | Running])
[2003/11/12 13:46:34 | 00,049,152 | ---- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect\retrorun.exe -- (RetroLauncher [Auto | Running])
File not found -- -- (Serchost [Disabled | Stopped])
File not found -- -- (ServiceLink [Disabled | Stopped])
[2005/01/28 13:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
[2005/11/27 09:28:24 | 00,032,256 | ---- | M] () -- C:\WINDOWS\system32\csrsc.exe -- (WinSpoolSvc [Auto | Running])
[2001/05/01 17:06:22 | 00,053,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MsPMSPSv.exe -- (WMDM PMSP Service [Auto | Running])
File not found -- -- (x10nets [On_Demand | Stopped])
File not found -- -- (xxz [Disabled | Stopped])
File not found -- -- (yanha [Disabled | Stopped])

========== Driver Services ==========

[2001/08/17 02:20:04 | 00,096,256 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc [On_Demand | Stopped])
[2002/05/08 13:44:42 | 00,105,472 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\adpu320.sys -- (adpu320 [Disabled | Stopped])
[2003/03/13 13:34:48 | 00,100,224 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
[2003/04/08 08:47:26 | 00,188,506 | R--- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\system32\drivers\aticxcap.sys -- (ATICXCAP [On_Demand | Running])
[2003/04/08 08:47:28 | 00,031,003 | R--- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\system32\drivers\aticxtun.sys -- (ATICXTUN [On_Demand | Running])
[2003/04/08 08:47:28 | 00,009,882 | R--- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\system32\drivers\aticxxbr.sys -- (ATICXXBR [On_Demand | Running])
[2007/05/30 07:10:42 | 00,011,000 | ---- | M] () -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys -- (AVG Anti-Spyware Driver [System | Running])
[2007/05/30 07:10:42 | 00,010,872 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\AvgAsCln.sys -- (AvgAsCln [System | Running])
[2003/02/17 07:22:24 | 00,170,880 | R--- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k [On_Demand | Running])
[2003/02/05 14:22:32 | 00,050,816 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp [On_Demand | Stopped])
[2005/04/10 16:55:16 | 00,013,440 | ---- | M] (ICSI Technology Ltd.) -- C:\WINDOWS\system32\drivers\USBCRFT.SYS -- (CardReaderFilter [On_Demand | Stopped])
[2004/01/09 16:01:58 | 00,066,992 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Running])
[2004/01/09 16:01:56 | 00,024,698 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
[2004/01/09 16:01:56 | 00,259,200 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Cdudf_xp.sys -- (cdudf_xp [System | Running])
[2004/01/09 16:01:56 | 00,021,993 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K [On_Demand | Running])
[2001/08/17 02:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Stopped])
[2007/03/22 12:57:14 | 00,028,672 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\system32\drivers\elagopro.sys -- (elagopro [Auto | Running])
[2007/03/22 12:57:14 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\system32\drivers\elaunidr.sys -- (elaunidr [Auto | Running])
[2008/04/17 12:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2005/10/27 19:24:28 | 00,049,664 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
[2005/10/27 19:24:29 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
[2005/10/27 19:24:30 | 00,021,568 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
[2004/08/04 00:29:36 | 00,161,020 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x [On_Demand | Stopped])
[2004/08/04 00:29:37 | 00,012,415 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wadv01nt.sys -- (iAimFP0 [On_Demand | Stopped])
[2004/08/04 00:29:37 | 00,012,127 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wadv02nt.sys -- (iAimFP1 [On_Demand | Stopped])
[2004/08/04 00:29:37 | 00,011,775 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wadv05nt.sys -- (iAimFP2 [On_Demand | Stopped])
[2004/08/04 00:29:47 | 00,012,063 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wsiintxx.sys -- (iAimFP3 [On_Demand | Stopped])
[2004/08/04 00:29:49 | 00,019,455 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wvchntxx.sys -- (iAimFP4 [On_Demand | Stopped])
[2004/08/04 00:29:41 | 00,029,311 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\watv01nt.sys -- (iAimTV0 [On_Demand | Stopped])
[2004/08/04 00:29:42 | 00,019,551 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\watv02nt.sys -- (iAimTV1 [On_Demand | Stopped])
[2004/08/04 00:29:43 | 00,033,599 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\watv04nt.sys -- (iAimTV3 [On_Demand | Stopped])
[2004/08/04 00:29:45 | 00,023,615 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\wch7xxnt.sys -- (iAimTV4 [On_Demand | Stopped])
[2003/03/13 13:13:04 | 00,090,395 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm [On_Demand | Running])
[2004/08/04 00:58:34 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2004/01/09 16:01:56 | 00,022,745 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K [On_Demand | Stopped])
[2005/12/31 16:02:47 | 00,028,352 | ---- | M] (MusicMatch, Inc.) -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k [On_Demand | Running])
[2003/09/19 14:47:24 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
[2003/03/30 21:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2004/01/09 16:01:56 | 00,118,409 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k [System | Running])
[2003/03/30 21:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2003/05/27 12:05:42 | 00,578,304 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
[2001/08/17 12:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam [On_Demand | Running])
[2004/08/04 02:56:43 | 00,028,896 | ---- | M] () -- C:\WINDOWS\system32\drivers\npgwyhr.sys -- (swprgea [Boot | Running])
[2001/08/17 11:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810 [Disabled | Stopped])
[2001/08/17 11:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx [Disabled | Stopped])
[2002/04/04 01:32:06 | 00,028,416 | R--- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\symmpi.sys -- (Symmpi [Disabled | Stopped])
[2001/08/17 11:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi [Disabled | Stopped])
[2001/08/17 11:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
[2004/01/09 16:01:56 | 00,213,120 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\UdfReadr_xp.sys -- (UdfReadr_xp [System | Running])
[2008/10/01 12:01:28 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
[2002/01/07 16:28:48 | 00,010,761 | ---- | M] (X10 Wireless Technology, Inc.) -- C:\WINDOWS\system32\drivers\x10uif.sys -- (X10UIF [On_Demand | Stopped])
[2003/03/13 13:14:28 | 00,112,288 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Running])
[2003/03/13 13:14:16 | 00,078,496 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://go.compaq.com/1Q00CDT/0409/bl7.asp

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=www.6700.cn?tn=1027201om/isapi/redir.dll?prd

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
"provider"=yaho

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=www.6700.cn?tn=1027201om/isapi/redir.dll?prd

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=www.6700.cn?tn=1027201om/isapi/redir.dll?prd

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=www.6700.cn?tn=1027201osoft\Internet Explore

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=www.6700.cn?tn=1027201osoft\Internet Explore

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-1007\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\System32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=www.6700.cn?tn=1027201/www.microsoft.com/isa

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-1007\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-1007\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=www.6700.cn?tn=1027201/www.microsoft.com/isa

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
"provider"=yaho

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (22429 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 www.doubleclick.net
127.0.0.1 ad.preferances.com
127.0.0.1 ad.doubleclick.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.preferences.com
127.0.0.1 ad.washingtonpost.com
127.0.0.1 adpick.switchboard.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.msn.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.enliven.com
127.0.0.1 oz.valueclick.com
127.0.0.1 doubleclick.net
127.0.0.1 ads.doubleclick.net
127.0.0.1 ad2.doubleclick.net
127.0.0.1 ad3.doubleclick.net
127.0.0.1 ad4.doubleclick.net
127.0.0.1 ad5.doubleclick.net
127.0.0.1 ad6.doubleclick.net
127.0.0.1 ad7.doubleclick.net
127.0.0.1 ad8.doubleclick.net
127.0.0.1 ad9.doubleclick.net
672 more lines...

========== (O3) Toolbars ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar1.dll File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar1.dll File not found

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll File not found

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar1.dll File not found

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll File not found

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar1.dll File not found

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll File not found

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar1.dll File not found

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar1.dll File not found

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized (GRISOFT s.r.o.)

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=227
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"HideStartupScripts"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"DisableRegistryTools"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"CDRAutoRun"=0
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"CDRAutoRun"=0
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"DisableRegistryTools"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office10\EXCEL.EXE [2003/12/03 17:04:40 | 09,189,896 | R--- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office10\EXCEL.EXE [2003/12/03 17:04:40 | 09,189,896 | R--- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- Reg Error: Key does not exist or could not be opened. File not found
{44226DFF-747E-4edc-B30C-78752E50CD0C}: Button: ATI TV -- %ProgramFiles%\ATI Multimedia\tv\EXPLBAR.DLL [2003/06/13 06:38:30 | 00,139,341 | ---- | M] (ATI Technologies Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 02:56:53 | 01,667,584 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 02:56:53 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Sun Java Console] -> File not found
CmdMapping\\{44226DFF-747E-4edc-B30C-78752E50CD0C} [HKLM] -> %ProgramFiles%\ATI Multimedia\tv\EXPLBAR.DLL [&ATI TV] -> [2003/06/13 06:38:30 | 00,139,341 | ---- | M] (ATI Technologies Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 02:56:53 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Sun Java Console] -> File not found
CmdMapping\\{44226DFF-747E-4edc-B30C-78752E50CD0C} [HKLM] -> %ProgramFiles%\ATI Multimedia\tv\EXPLBAR.DLL [&ATI TV] -> [2003/06/13 06:38:30 | 00,139,341 | ---- | M] (ATI Technologies Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 02:56:53 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Sun Java Console] -> File not found
CmdMapping\\{44226DFF-747E-4edc-B30C-78752E50CD0C} [HKLM] -> %ProgramFiles%\ATI Multimedia\tv\EXPLBAR.DLL [&ATI TV] -> [2003/06/13 06:38:30 | 00,139,341 | ---- | M] (ATI Technologies Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 02:56:53 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Sun Java Console] -> File not found
CmdMapping\\{44226DFF-747E-4edc-B30C-78752E50CD0C} [HKLM] -> %ProgramFiles%\ATI Multimedia\tv\EXPLBAR.DLL [&ATI TV] -> [2003/06/13 06:38:30 | 00,139,341 | ---- | M] (ATI Technologies Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 02:56:53 | 01,667,584 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}: http://go.microsoft.com/fwlink/?linkid=67633 -- Office Genuine Advantage Validation Tool
{166B1BCA-3F9C-11CF-8075-444553540000}: http://fpdownload.macromedia.com/get/shock...director/sw.cab -- Shockwave ActiveX Control
{17492023-C23A-453E-A040-C7C580BBF700}: http://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{21F49842-BFA9-11D2-A89C-00104B62BDDA}: http://www.schaeffersresearch.com/download/CfxIEAx.cab -- ChartFX Internet Control
{24BACF02-5676-11D3-B8DE-00105A17A9E6}: http://www.schaeffersresearch.com/Download/Cfx4Financial.cab -- ChartFX Internet Financial Client 4.0
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}: C:\Program Files\Yahoo!\Common\Yinsthelper.dll -- Installation Support
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}: http://office.microsoft.com/officeupdate/content/opuc.cab -- Office Update Installation Engine
{44990301-3C9D-426D-81DF-AAB636FA4345}: https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab -- Symantec Script Runner Class
{460324E8-CFB4-4357-85EF-CE3EBFE23A62}: https://gts.bankofamerica.com/crystalreport...tiveXViewer.cab -- Crystal ActiveX Report Viewer Control 11.0
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://www.update.microsoft.com/microsoftu...b?1216662850234 -- WUWebControl Class
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://www.update.microsoft.com/microsoftu...b?1216662811734 -- MUWebControl Class
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}: http://support.f-secure.com/ols/fscax.cab -- F-Secure Online Scanner 3.3
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab -- Shockwave Flash Object
{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}: https://linksyssupport.webex.com/client/T26...ort/ieatgpc.cab -- GpcContainer Class

========== (O17) DNS Name Servers ==========

{4F234545-411C-4A10-BBD8-C8E15233E80C} (Servers: | Description: )
{605C8F45-369B-432D-A029-4BCC7D8DC6F0} (Servers: | Description: Broadcom NetXtreme Gigabit Ethernet for hp)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
GoToMyPC: "DllName" = C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll -- C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
igfxcui: "DllName" = igfxsrvc.dll -- C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)

========== IFEO "Debugger" Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
360Safe.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
adffgh785v.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
AoYun.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
appdllman.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
AutoRun.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
autoruns.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
avgrssvc.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
AvMonitor.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
avp.com:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
avp.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
CCenter.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
ccSvcHst.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
cross.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
Discovery.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
FileDsty.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
FTCleanerShell.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
guangd.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
HijackThis.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
IceSword.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
iparmo.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
Iparmor.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
isPwdSvc.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
kabaload.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KaScrScn.SCR:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KASMain.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KASTask.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KAV32.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KAVDX.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KAVPFW.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KAVSetup.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KAVStart.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
kernelwind32.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KISLnchr.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KMailMon.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KMFilter.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KPFW32.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KPFW32X.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KPFWSvc.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KRegEx.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KRepair.COM:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KsLoader.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KVCenter.kxp:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KvDetect.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KvfwMcl.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KVMonXP.kxp:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KVMonXP_1.kxp:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
kvol.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
kvolself.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KvReport.kxp:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KVSrvXP.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KVStub.kxp:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
kvupload.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
kvwsc.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KvXP.kxp:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KWatch.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KWatch9x.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
KWatchX.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
loaddll.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
logogo.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
MagicSet.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
mcconsol.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
mmqczj.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
mmsk.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
NAVSetup.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
niu.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
nod32krn.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
nod32kui.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
pagefile.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
pagefile.pif:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
PFW.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
PFWLiveUpdate.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" (HKLM) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1


========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee50b5b2-6350-11da-8b54-001185799da5}\Shell\AutoRun\command]
""=F:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee50b5b2-6350-11da-8b54-001185799da5}\Shell\open\command]
""=F:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[2 C:\Documents and Settings\Administrator\My Documents\*.tmp files]
[2008/12/03 17:28:06 | 52,801,1264 | -HS- | C] () -- C:\hiberfil.sys
[2008/12/03 17:27:19 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTViewIt.exe
[2008/12/03 16:43:13 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2008/12/03 16:39:10 | 00,032,256 | ---- | C] () -- C:\WINDOWS\System32\csrsc.exe
[2008/12/03 16:23:20 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\sh02004.add
[2008/12/03 16:22:30 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\csrss.dll
[2008/12/03 16:20:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2008/12/03 16:14:52 | 00,000,000 | ---D | C] -- C:\ComboFix
[2008/12/03 16:10:04 | 00,000,000 | ---D | C] -- C:\fsaua.data
[2008/12/03 14:32:05 | 00,000,000 | ---D | C] -- C:\_OTScanIt
[2008/12/03 14:23:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\OTScanIt2
[2008/12/03 14:23:10 | 00,647,651 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\OTScanIt2.exe
[2008/12/03 11:04:08 | 00,023,376 | ---- | C] () -- C:\WINDOWS\System32\mmxd4db3.exe
[2008/12/03 11:01:18 | 00,000,204 | -HS- | C] () -- C:\WINDOWS\System32\EA44A26D.cfg
[2008/12/03 10:51:32 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2008/12/03 09:57:53 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2008/12/03 09:57:53 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2008/12/03 09:57:53 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2008/12/03 09:57:53 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2008/12/03 09:57:53 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2008/12/03 09:57:53 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2008/12/03 09:57:53 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2008/12/03 09:57:53 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2008/12/03 09:57:53 | 00,028,672 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2008/12/03 09:57:27 | 03,057,031 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2008/12/03 09:56:58 | 00,000,068 | ---- | C] () -- C:\WINDOWS\System32\012f
[2008/11/24 21:12:20 | 00,000,270 | ---- | C] () -- C:\WINDOWS\asdfg232g2g.ini
[2008/11/24 21:12:20 | 00,000,004 | ---- | C] () -- C:\WINDOWS\myver.ini
[2008/11/24 19:57:07 | 00,019,915 | ---- | C] () -- C:\WINDOWS\System32\romspring.dat
[2008/11/24 19:57:04 | 00,000,247 | ---- | C] () -- C:\WINDOWS\System32\romarshal.dat
[2008/11/24 19:49:43 | 00,124,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.OCX
[2008/11/24 19:49:43 | 00,012,288 | ---- | C] (icepoint) -- C:\WINDOWS\sxfdwe4h.exe
[2008/11/24 19:49:43 | 00,000,444 | ---- | C] () -- C:\WINDOWS\ddfg23q4tje.ini
[2008/11/24 19:49:40 | 00,092,672 | ---- | C] (dgw3hjjhqw) -- C:\WINDOWS\kwg2harh.exe
[2008/11/24 14:37:58 | 02,489,492 | ---- | C] () -- C:\WINDOWS\System32\bpwtavpo.dll
[2008/11/24 13:06:01 | 00,032,768 | -HS- | C] () -- C:\WINDOWS\System32\wd1123.dll
[2008/11/24 13:05:28 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\kandoftt.dll
[2008/11/24 13:05:28 | 00,012,800 | ---- | C] () -- C:\WINDOWS\System32\kandofttk.exe
[2008/11/24 11:49:10 | 00,000,212 | -HS- | C] () -- C:\WINDOWS\System32\4FBFD5A4.cfg
[2008/11/24 11:45:41 | 00,004,608 | ---- | C] () -- C:\WINDOWS\System32\sh21017.exe
[2008/11/21 08:44:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Sintermet
[2008/11/19 13:44:21 | 00,077,824 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NAT CONVERSION APT TO GESAC.xls
[2008/11/19 13:42:41 | 00,062,464 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NAT concentrate-2008 Supply.xls
[2008/11/19 11:17:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Wall Colmonoy
[2008/11/19 11:11:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Metadyne
[2008/11/19 10:39:12 | 00,030,720 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Consignment Agreement Wall Colmonoy.doc
[2008/11/18 07:24:44 | 00,013,547 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\GeoDynamics.eml
[2008/11/13 16:13:46 | 00,023,040 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Allan C. Bir.xls
[2008/11/07 11:03:03 | 00,060,928 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Cemented Carbide Pellets Engineering Specs.doc
[2008/11/07 10:55:23 | 00,043,008 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Mutual Confidential Disclosure Agreement PST Standard March 2008 (1).doc

========== Files - Modified Within 30 Days ==========

[2 C:\Documents and Settings\Administrator\My Documents\*.tmp files]
[2021/05/26 00:00:00 | 00,065,536 | RHS- | M] (官人我要) -- C:\grwy.exe
[2008/12/03 17:28:08 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/12/03 17:28:06 | 52,801,1264 | -HS- | M] () -- C:\hiberfil.sys
[2008/12/03 17:28:06 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/12/03 17:27:36 | 02,205,456 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2008/12/03 17:24:50 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTViewIt.exe
[2008/12/03 17:00:00 | 00,000,262 | ---- | M] () -- C:\WINDOWS\tasks\af4ac.job
[2008/12/03 17:00:00 | 00,000,254 | ---- | M] () -- C:\WINDOWS\tasks\af4b.job
[2008/12/03 16:56:00 | 00,000,380 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2008/12/03 16:23:20 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\sh02004.add
[2008/12/03 16:18:11 | 00,000,258 | ---- | M] () -- C:\WINDOWS\system.ini
[2008/12/03 14:07:00 | 00,647,651 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\OTScanIt2.exe
[2008/12/03 11:33:25 | 00,000,270 | ---- | M] () -- C:\WINDOWS\asdfg232g2g.ini
[2008/12/03 11:31:59 | 00,000,444 | ---- | M] () -- C:\WINDOWS\ddfg23q4tje.ini
[2008/12/03 11:22:24 | 00,138,056 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/12/03 11:17:49 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2008/12/03 11:04:10 | 00,023,376 | ---- | M] () -- C:\WINDOWS\System32\mmxd4db3.exe
[2008/12/03 11:01:18 | 00,000,204 | -HS- | M] () -- C:\WINDOWS\System32\EA44A26D.cfg
[2008/12/03 10:59:31 | 00,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2008/12/03 10:59:10 | 00,000,892 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/12/03 10:55:14 | 00,001,672 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Internet Explorer.lnk
[2008/12/03 09:56:58 | 00,000,068 | ---- | M] () -- C:\WINDOWS\System32\012f
[2008/12/03 09:56:58 | 00,000,030 | ---- | M] () -- C:\WINDOWS\System32\78-145-53
[2008/12/03 09:55:20 | 03,057,031 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2008/12/03 09:41:17 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/12/03 09:41:16 | 00,004,608 | ---- | M] () -- C:\WINDOWS\System32\sh21017.exe
[2008/12/02 12:34:22 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe
[2008/11/24 21:12:20 | 00,000,004 | ---- | M] () -- C:\WINDOWS\myver.ini
[2008/11/24 19:49:43 | 00,124,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.OCX
[2008/11/24 19:49:43 | 00,012,288 | ---- | M] (icepoint) -- C:\WINDOWS\sxfdwe4h.exe
[2008/11/24 14:37:58 | 02,489,492 | ---- | M] () -- C:\WINDOWS\System32\bpwtavpo.dll
[2008/11/24 14:37:36 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\kandoftt.dll
[2008/11/24 14:37:36 | 00,012,800 | ---- | M] () -- C:\WINDOWS\System32\kandofttk.exe
[2008/11/24 11:49:10 | 00,000,212 | -HS- | M] () -- C:\WINDOWS\System32\4FBFD5A4.cfg
[2008/11/24 11:10:42 | 00,216,064 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Faxs.doc
[2008/11/24 10:17:14 | 00,063,488 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NAT Master File.xls
[2008/11/19 13:44:21 | 00,077,824 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NAT CONVERSION APT TO GESAC.xls
[2008/11/19 13:42:41 | 00,062,464 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NAT concentrate-2008 Supply.xls
[2008/11/19 10:49:10 | 00,030,720 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Consignment Agreement Wall Colmonoy.doc
[2008/11/18 07:24:44 | 00,013,547 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\GeoDynamics.eml
[2008/11/13 16:13:46 | 00,023,040 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Allan C. Bir.xls
[2008/11/11 09:13:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2008/11/07 12:29:37 | 00,060,928 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Cemented Carbide Pellets Engineering Specs.doc
[2008/11/07 11:03:58 | 00,043,008 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Mutual Confidential Disclosure Agreement PST Standard March 2008 (1).doc
< End of report >

Edited by Buckeye_Sam, 03 December 2008 - 05:44 PM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:12 PM

Posted 04 December 2008 - 02:57 PM

Ok, let's get started on this monster. :thumbsup:

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\WINDOWS\system32\csrsc.exe
    C:\WINDOWS\sxfdwe4h.exe
    C:\WINDOWS\System32\sh02004.add
    C:\WINDOWS\System32\csrss.dll
    C:\WINDOWS\System32\mmxd4db3.exe
    C:\WINDOWS\System32\MSWINSCK.OCX
    C:\WINDOWS\sxfdwe4h.exe
    C:\WINDOWS\ddfg23q4tje.ini
    C:\WINDOWS\kwg2harh.exe
    C:\WINDOWS\System32\bpwtavpo.dll
    C:\WINDOWS\System32\wd1123.dll
    C:\WINDOWS\System32\kandoftt.dll
    C:\WINDOWS\System32\kandofttk.exe
    C:\WINDOWS\System32\4FBFD5A4.cfg
    C:\WINDOWS\System32\sh21017.exe
    
    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
    "Start Page"=-
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
    "Start Page"=-
    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
    "Start Page"=-
    [HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
    "Start Page"=-
    [HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
    "Start Page"=-
    [HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-1007\SOFTWARE\Microsoft\Internet Explorer\Main]
    "Start Page"=-
    [HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\SOFTWARE\Microsoft\Internet Explorer\Main]
    "Start Page"=-
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee50b5b2-6350-11da-8b54-001185799da5}\Shell\AutoRun\command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee50b5b2-6350-11da-8b54-001185799da5}\Shell\open\command]
    
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


===================


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

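As an added example (not code from this thread or from OldTimer's tools), a small Python parser that reads OTScanIt-style log lines like the ones posted earlier in the thread and flags two of the indicators visible there: IFEO "Debugger" entries that redirect security tools to a missing keepSafe.exe, and a MountPoints2 autorun command pointing into a removable drive's RECYCLER folder. The sample log is constructed from lines in this thread's log plus one hypothetical benign debugger entry (notepad.exe -> windbg.exe) to show what is not flagged.

```python
"""Flag IFEO debugger hijacks and removable-drive autorun entries in an
OTScanIt-style log.  Added example; not part of the thread or OTScanIt."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines taken from this thread's OTScanIt log, plus one
# hypothetical legitimate IFEO entry (notepad.exe -> windbg.exe).
SAMPLE_LOG = r"""
========== IFEO "Debugger" Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
360Safe.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
avp.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
HijackThis.exe:"Debugger" = C:\WINDOWS\system32\keepSafe.exe File not found
notepad.exe:"Debugger" = C:\Debuggers\windbg.exe (Microsoft Corporation)

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee50b5b2-6350-11da-8b54-001185799da5}\Shell\AutoRun\command]
""=F:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe -- File not found
"""

# <image>:"Debugger" = <path> [File not found | (Company)]
IFEO_RE = re.compile(r'^(?P<image>[^:\s]+):"Debugger" = (?P<rest>.+)$')
# [HKEY_...\MountPoints2\{guid}\Shell\<verb>\command]
MP2_KEY_RE = re.compile(
    r'^\[HKEY_[^\]]*\\MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\(?P<verb>[^\\\]]+)\\command\]$'
)
# ""=<command> [-- File not found]
MP2_VAL_RE = re.compile(r'^""=(?P<cmd>.+?)(?: -- (?P<status>.+))?$')

# A debugger registered for this many images or more is treated as a
# mass redirect rather than a developer's debugging setup.
MASS_REDIRECT_THRESHOLD = 3


@dataclass
class Finding:
    kind: str      # "ifeo_debugger_hijack" or "removable_autorun"
    subject: str   # image name or MountPoints2 volume GUID
    detail: str


def parse_ifeo(lines: list[str]) -> list[tuple[str, str, bool]]:
    """Return (image, debugger_path, debugger_missing) for each IFEO line."""
    entries = []
    for line in lines:
        m = IFEO_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        missing = rest.endswith(" File not found")
        if missing:
            debugger = rest[: -len(" File not found")]
        else:
            # Drop the trailing "(Company Name)" OTScanIt appends for existing files.
            debugger = re.sub(r"\s*\([^)]*\)$", "", rest)
        entries.append((m.group("image"), debugger.strip(), missing))
    return entries


def analyze(log_text: str) -> list[Finding]:
    """Scan the log and return findings for IFEO hijacks and autorun entries."""
    lines = log_text.splitlines()
    findings: list[Finding] = []

    # IFEO: a Debugger value makes Windows launch <debugger> instead of the
    # image.  A missing debugger means the image silently never starts.
    ifeo = parse_ifeo(lines)
    per_debugger = Counter(dbg.lower() for _, dbg, _ in ifeo)
    for image, dbg, missing in ifeo:
        reasons = []
        if missing:
            reasons.append("debugger binary does not exist, so the image can never start")
        if per_debugger[dbg.lower()] >= MASS_REDIRECT_THRESHOLD:
            reasons.append(f"same debugger registered for {per_debugger[dbg.lower()]} images")
        if reasons:
            findings.append(Finding("ifeo_debugger_hijack", image, f"{dbg}: " + "; ".join(reasons)))

    # MountPoints2: an AutoRun/open command for a volume GUID runs when the
    # drive is opened; a target inside RECYCLER on a removable drive is the
    # classic USB-spreading pattern seen in this log.
    current: tuple[str, str] | None = None
    for line in lines:
        k = MP2_KEY_RE.match(line)
        if k:
            current = (k.group("guid"), k.group("verb"))
            continue
        if current is None:
            continue
        v = MP2_VAL_RE.match(line)
        if v:
            cmd, status = v.group("cmd"), v.group("status")
            if "\\RECYCLER\\" in cmd.upper() or status:
                suffix = f" ({status})" if status else ""
                findings.append(Finding("removable_autorun", current[0], f"{current[1]} -> {cmd}{suffix}"))
            current = None
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```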

========================================================

#5 MroseFlex

MroseFlex
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 04 December 2008 - 05:12 PM

OTMoveIt3 Log:

========== FILES ==========
File/Folder C:\WINDOWS\system32\csrsc.exe not found.
C:\WINDOWS\sxfdwe4h.exe moved successfully.
C:\WINDOWS\System32\sh02004.add moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\csrss.dll
C:\WINDOWS\System32\csrss.dll NOT unregistered.
C:\WINDOWS\System32\csrss.dll moved successfully.
C:\WINDOWS\System32\mmxd4db3.exe moved successfully.
C:\WINDOWS\System32\MSWINSCK.OCX unregistered successfully.
C:\WINDOWS\System32\MSWINSCK.OCX moved successfully.
File/Folder C:\WINDOWS\sxfdwe4h.exe not found.
C:\WINDOWS\ddfg23q4tje.ini moved successfully.
C:\WINDOWS\kwg2harh.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\bpwtavpo.dll
C:\WINDOWS\System32\bpwtavpo.dll NOT unregistered.
C:\WINDOWS\System32\bpwtavpo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\wd1123.dll
C:\WINDOWS\System32\wd1123.dll NOT unregistered.
C:\WINDOWS\System32\wd1123.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\kandoftt.dll
C:\WINDOWS\System32\kandoftt.dll NOT unregistered.
C:\WINDOWS\System32\kandoftt.dll moved successfully.
C:\WINDOWS\System32\kandofttk.exe moved successfully.
C:\WINDOWS\System32\4FBFD5A4.cfg moved successfully.
C:\WINDOWS\System32\sh21017.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page not found.
Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main not found.
Registry value HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page deleted successfully.
Registry key HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-1007\SOFTWARE\Microsoft\Internet Explorer\Main not found.
Registry value HKEY_USERS\S-1-5-21-136945612-3436164768-3927720206-500\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee50b5b2-6350-11da-8b54-001185799da5}\Shell\AutoRun\command\\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee50b5b2-6350-11da-8b54-001185799da5}\Shell\open\command\\ not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 12042008_161740


I'll try to put the ComboFix Log in the next post. It is too large to upload as an attachment.

#6 MroseFlex

MroseFlex
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 04 December 2008 - 05:15 PM

ComboFix Log is 658KB. It won't let me attach it and when I try to post it I get an error telling me it is too long.

I can post it in sections if that helps...

#7 MroseFlex

MroseFlex
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 04 December 2008 - 05:27 PM

Long day...

I was able to zip it and attach.

:thumbsup:


ComboFix 08-12-04.04 - Administrator 2008-12-04 16:55:15.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.232 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_005679_.tmp.dll
c:\windows\system32\_005680_.tmp.dll
c:\windows\system32\_005681_.tmp.dll
c:\windows\system32\_005682_.tmp.dll
c:\windows\system32\_005683_.tmp.dll
c:\windows\system32\_005689_.tmp.dll
c:\windows\system32\_005690_.tmp.dll
c:\windows\system32\_005691_.tmp.dll
c:\windows\system32\_005692_.tmp.dll
c:\windows\system32\_005694_.tmp.dll
c:\windows\system32\_005695_.tmp.dll
c:\windows\system32\_005698_.tmp.dll
c:\windows\system32\_005699_.tmp.dll
c:\windows\system32\_005701_.tmp.dll
c:\windows\system32\_005702_.tmp.dll
c:\windows\system32\_005703_.tmp.dll
c:\windows\system32\_005705_.tmp.dll
c:\windows\system32\_005708_.tmp.dll
c:\windows\system32\_005709_.tmp.dll
c:\windows\system32\_005713_.tmp.dll
c:\windows\system32\_005714_.tmp.dll
c:\windows\system32\_005716_.tmp.dll
c:\windows\system32\_005718_.tmp.dll
c:\windows\system32\_005719_.tmp.dll
c:\windows\system32\_005721_.tmp.dll
c:\windows\system32\_005722_.tmp.dll
c:\windows\system32\_005723_.tmp.dll
c:\windows\system32\_005724_.tmp.dll
c:\windows\system32\_005725_.tmp.dll
c:\windows\system32\_005728_.tmp.dll
c:\windows\system32\_005729_.tmp.dll
c:\windows\system32\_005730_.tmp.dll
c:\windows\system32\_005731_.tmp.dll
c:\windows\system32\_005732_.tmp.dll
c:\windows\system32\_005737_.tmp.dll
c:\windows\system32\_005739_.tmp.dll
c:\windows\system32\_005740_.tmp.dll
c:\windows\system32\06EA0A93.cfg
c:\windows\system32\06EA0A93.dll
c:\windows\system32\08223B03.cfg
c:\windows\system32\08223B03.dll
c:\windows\system32\122B901E.cfg
c:\windows\system32\122B901E.dll
c:\windows\system32\133AEAC9.cfg
c:\windows\system32\133AEAC9.dll
c:\windows\system32\201476D0.cfg
c:\windows\system32\201476D0.dll
c:\windows\system32\2EF0D734.cfg
c:\windows\system32\2EF0D734.dll
c:\windows\system32\56BC86C7.cfg
c:\windows\system32\56BC86C7.dll
c:\windows\system32\5934EA2B.cfg
c:\windows\system32\5934EA2B.dll
c:\windows\system32\66AFCB56.cfg
c:\windows\system32\66AFCB56.dll
c:\windows\system32\7.tmp
c:\windows\system32\9CA963CA.cfg
c:\windows\system32\9CA963CA.dll
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\A1A6BC2E.dll
c:\windows\system32\config\systemprofile\Favorites\һ.url
c:\windows\system32\D7C79813.cfg
c:\windows\system32\D7C79813.dll
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DA63E650.dll
c:\windows\system32\DFB3DAC5.cfg
c:\windows\system32\DFB3DAC5.dll
c:\windows\system32\drivers\HBKernel32.sys
c:\windows\system32\E0D39066.cfg
c:\windows\system32\E0D39066.dll
c:\windows\system32\E44343AD.cfg
c:\windows\system32\E44343AD.dll
c:\windows\system32\E4814792.cfg
c:\windows\system32\E4814792.dll
c:\windows\system32\EA44A26D.dll
c:\windows\system32\f28907d.sys
c:\windows\system32\FFAE967F.cfg
c:\windows\system32\FFAE967F.dll
c:\windows\system32\HBJXSJ.dll
c:\windows\system32\HBWOW.dll
c:\windows\system32\sh02004.dll
c:\windows\system32\wtx101c0.dll
c:\windows\system32\wtxaa567.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_F28907D
-------\Service_aliimz
-------\Service_f28907d
-------\Service_HBKernel32


((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-04 16:17 . 2008-12-04 16:17 <DIR> d-------- C:\_OTMoveIt
2008-12-04 16:14 . 2008-12-04 15:18 349,696 --a------ C:\OTMoveIt3.exe
2008-12-04 15:39 . 2008-12-04 15:18 349,696 --a------ c:\documents and settings\Administrator\OTMoveIt3.exe
2008-12-04 15:01 . 2008-12-04 15:01 303 --a------ c:\windows\system32\MRT.INI
2008-12-04 15:00 . 2008-12-04 15:00 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-04 14:51 . 2008-10-03 12:41 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2008-12-04 14:51 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-04 14:51 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-04 14:51 . 2008-08-26 02:24 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2008-12-04 14:51 . 2008-08-26 02:24 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-04 14:51 . 2008-08-26 02:24 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2008-12-04 14:51 . 2008-08-26 02:24 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2008-12-04 14:51 . 2008-08-26 02:24 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-04 14:51 . 2008-08-25 03:38 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-04 14:41 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-12-04 14:41 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-04 14:40 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-04 14:40 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-04 14:40 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-04 14:40 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-04 14:40 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-04 14:40 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-04 14:40 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-12-04 14:40 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-12-04 14:39 . 2008-05-01 09:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-12-04 14:38 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-04 14:38 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-04 14:38 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-04 12:35 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2008-12-04 12:35 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2008-12-04 12:33 . 2006-12-29 00:31 19,569 --a------ c:\windows\003164_.tmp
2008-12-04 12:31 . 2008-12-04 12:31 23,361 --a------ c:\windows\system32\mmx101c0.exe
2008-12-04 12:10 . 2008-12-04 12:40 <DIR> d-------- c:\windows\system32\scripting
2008-12-04 12:10 . 2008-12-04 12:40 <DIR> d-------- c:\windows\system32\en
2008-12-04 12:10 . 2008-12-04 12:40 <DIR> d-------- c:\windows\l2schemas
2008-12-04 12:10 . 2008-04-14 05:42 354,304 --a------ c:\windows\system32\SETF92.tmp
2008-12-04 12:10 . 2008-04-14 05:42 80,896 --a------ c:\windows\system32\SETF8D.tmp
2008-12-04 12:10 . 2008-04-14 05:42 6,656 --a------ c:\windows\system32\SETF8A.tmp
2008-12-04 12:07 . 2008-04-14 05:42 471,552 --a------ c:\windows\system32\SET578.tmp
2008-12-04 12:07 . 2008-04-14 05:41 95,744 --a------ c:\windows\system32\SET57E.tmp
2008-12-04 12:03 . 2006-12-29 00:31 19,569 --a------ c:\windows\005419_.tmp
2008-12-04 12:00 . 2008-08-14 05:09 2,145,280 --a------ c:\windows\system32\ntoskrnl.exe
2008-12-04 10:18 . 2008-12-04 10:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 10:18 . 2008-12-04 10:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 10:18 . 2008-12-04 10:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-04 10:18 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 10:18 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 10:13 . 2008-12-04 10:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-04 10:13 . 2008-12-04 10:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 16:10 . 2008-12-03 16:10 <DIR> d-------- C:\fsaua.data
2008-12-03 14:32 . 2008-12-03 14:32 <DIR> d-------- C:\_OTScanIt
2008-12-03 11:01 . 2008-12-03 11:01 204 --ahs---- c:\windows\system32\EA44A26D.cfg
2008-12-03 10:51 . 2008-12-03 10:51 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-03 09:56 . 2008-12-03 09:56 68 --a------ c:\windows\system32\012f
2008-11-25 07:06 . 2008-11-25 07:06 20,060 --a------ c:\documents and settings\cccc.exe
2008-11-24 21:12 . 2008-12-03 11:33 270 --a------ c:\windows\asdfg232g2g.ini
2008-11-24 21:12 . 2008-11-24 21:12 4 --a------ c:\windows\myver.ini
2008-11-24 20:56 . 2008-11-24 20:56 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Yahoo!
2008-11-24 19:57 . 2005-11-27 13:32 19,915 --a------ c:\windows\system32\romspring.dat
2008-11-24 19:57 . 2005-12-01 14:39 247 --a------ c:\windows\system32\romarshal.dat
2008-11-24 19:49 . 2005-11-26 20:11 92,672 --a------ c:\documents and settings\xiaoxi.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2021-05-26 05:00 65,536 --sha-r C:\grwy.exe
2008-12-01 22:31 --------- d-----w c:\program files\WinAce
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 15:19 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2008-10-23 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-23 14:59 --------- d-----w c:\program files\QuickTime
2008-10-23 14:59 --------- d-----w c:\program files\iPod
2008-10-23 14:59 --------- d-----w c:\program files\Bonjour
2008-10-23 14:59 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-23 14:58 --------- d-----w c:\program files\Common Files\Apple
2008-10-23 14:57 --------- d-----w c:\program files\Apple Software Update
2008-10-23 14:56 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-21 14:10 --------- d-----w c:\program files\Common Files\Business Objects
2008-10-21 13:28 --------- d-----w c:\program files\DIFX
2008-10-21 13:28 --------- d-----w c:\documents and settings\All Users\Application Data\Applications
2008-10-07 13:09 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-09-10 11:36 26,336 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2005-12-01 19:39 717,312 ----a-w c:\documents and settings\Administrator\gotomypc_410.exe
2005-12-01 19:39 705,536 ----a-w c:\documents and settings\Administrator\gotomypc_397.exe
2005-12-01 19:39 573,952 ----a-w c:\documents and settings\Administrator\gotomypc_370.exe
2005-12-01 19:39 3,586,200 ----a-w c:\documents and settings\Administrator\gosetup.exe
2005-12-01 19:36 643,608 ----a-w c:\documents and settings\Administrator\chatlnk.exe
2005-12-01 16:54 573,952 ----a-w c:\documents and settings\Administrator\370_gotomypc.exe
2003-03-31 02:00 94,784 --sh--w c:\windows\twain.dll
2005-12-02 17:30 120,320 --sh--w c:\windows\system\nahsyh32b.dll
2005-12-01 19:41 120,320 --sh--w c:\windows\system\nahsyh32b0.dll
2004-08-08 18:02 16,384 --sha-w c:\windows\system32\archibidll.dll
2004-08-04 07:56 23,425 --sha-w c:\windows\system32\cmdsame.exe
.


.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EA44A26D-DDC8-46C0-AFE1-A529FE014E3F}"= "EA44A26D.dll" [BU]
"{11061894-888A-4330-B5A6-1884142C44BA}"= "c:\windows\system32\11061894.dll" [2004-08-04 55808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"11061894"= {11061894-888A-4330-B5A6-1884142C44BA} - c:\windows\system32\11061894.dll [2004-08-04 55808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 17:45 10800 c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=HBWOW.dll,HBJXSJ.dll,11061894.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adffgh785v.exe]
"Debugger"=c:\windows\system32\keepSafe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DrRtp.exe]
"Debugger"=c:\windows\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RStray.exe]
"Debugger"=c:\windows\system32\svchost.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T DSL Service PCA Program]
--a------ 2003-09-23 14:57 270336 c:\progra~1\AT&T\DSL\Programs\dslpca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a------ 2002-10-22 10:55 159744 c:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMyPC]
--a------ 2007-01-12 17:45 249904 c:\program files\Citrix\GoToMyPC\g2svc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-03-11 05:11 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 09:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-03-11 05:24 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2004-01-09 16:01 868352 c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 18:44 65536 c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a------ 2003-11-20 13:01 525824 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2004-12-09 18:34 3545088 c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2005-12-01 11:54 50660 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-09-26 01:19 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8710:TCP"= 8710:TCP:WWW

S4 98674B5C;98674B5C;c:\windows\system32\A0B082C.EXE -d []
S4 gshfog;gshfog;c:\windows\system32\svchost.exe -k netsvcs [2003-03-30 14336]
S4 kwg2harh;kwg2harh;c:\windows\sxfdwe4h.exe []
S4 Nationalv1119;National Instruments Domain Service;c:\windows\system32\svcdkqg.exe []
S4 nigmdp;nigmdp;c:\windows\system32\svchost.exe -k netsvcs [2003-03-30 14336]
S4 Protectedstoer4;Protected Storage Manager ;c:\windows\system32\svchost.exe -k netsvcs [2003-03-30 14336]
S4 Serchost;Serchost;c:\windows\system32\ctb3.exe []
S4 ServiceLink;Distributed Link Tracking Client Service;c:\windows\system32\msdev.exe []
S4 xxz;xxz;c:\windows\system32\xxz.exe []
S4 yanha;yanha;c:\windows\system32\yanha.exe []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nigmdp
gshfog
Protectedstoer4
.
Contents of the 'Scheduled Tasks' folder

2008-12-04 c:\windows\Tasks\af4ac.job
- c:\windows\Downlo~1\af4ac.dll []

2008-12-04 c:\windows\Tasks\af4b.job
- c:\windows\Downlo~1\af4b.dll []

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-nwiz - mmxaa567.exe
MSConfigStartUp-sdfdh234j - c:\windows\sxfdwe4h.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = www.6700.cn?tn=1027201
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\Cfx4FCli.dll - O16 -: {24BACF02-5676-11D3-B8DE-00105A17A9E6}
hxxp://www.schaeffersresearch.com/Download/Cfx4Financial.cab

c:\windows\system32\atl.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\mfc42u.dll
c:\windows\Downloaded Program Files\reportparameterdialog.dll
c:\windows\Downloaded Program Files\CRViewer.dll
c:\windows\Downloaded Program Files\sviewhlp.dll
c:\windows\Downloaded Program Files\swebrs.dll
O16 -: {460324E8-CFB4-4357-85EF-CE3EBFE23A62}
hxxps://gts.bankofamerica.com/crystalreportviewers11/ActiveXControls/ActiveXViewer.cab
c:\windows\Downloaded Program Files\crviewer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 16:59:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
nwiz = mmxaa567.exe???????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Protectedstoer4]
"ServiceDll"="c:\windows\system32\config\sam7.log"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
.
**************************************************************************
.
Completion time: 2008-12-04 17:02:23 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-12-04 22:02:20
ComboFix2.txt 2008-12-04 15:05:57
ComboFix3.txt 2008-12-03 21:20:19
ComboFix4.txt 2008-12-03 19:03:05
ComboFix5.txt 2008-12-04 21:45:37

Pre-Run: 23,164,235,776 bytes free
Post-Run: 23,119,765,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

8357

Edited by Buckeye_Sam, 05 December 2008 - 07:31 PM.


#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 December 2008 - 07:45 PM

I cleaned up the unnecessary part of your log. The next one shouldn't be nearly as long.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

NetSvc::
nigmdp
gshfog
Protectedstoer4

Driver::
98674B5C
gshfog
kwg2harh
Nationalv1119
nigmdp
Protectedstoer4
Serchost
ServiceLink
xxz
yanha

File::
c:\windows\Tasks\af4ac.job
c:\windows\Tasks\af4b.job
c:\windows\system32\yanha.exe
c:\windows\system32\xxz.exe
c:\windows\system32\msdev.exe
c:\windows\system32\ctb3.exe
c:\windows\system32\svcdkqg.exe
c:\windows\system32\A0B082C.EXE
c:\windows\system32\11061894.dll
c:\windows\system\nahsyh32b.dll
c:\windows\system\nahsyh32b0.dll
c:\windows\system32\archibidll.dll
c:\windows\system32\cmdsame.exe
c:\documents and settings\xiaoxi.exe
c:\windows\system32\012f
c:\documents and settings\cccc.exe
c:\windows\asdfg232g2g.ini
c:\windows\system32\EA44A26D.cfg
c:\windows\system32\SETF92.tmp
c:\windows\system32\SETF8D.tmp
c:\windows\system32\SETF8A.tmp
c:\windows\system32\SET578.tmp
c:\windows\system32\SET57E.tmp
c:\windows\005419_.tmp
c:\windows\003164_.tmp
c:\windows\system32\mmx101c0.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adffgh785v.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DrRtp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RStray.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"11061894"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EA44A26D-DDC8-46C0-AFE1-A529FE014E3F}"=-
"{11061894-888A-4330-B5A6-1884142C44BA}"=-

Prior to running ComboFix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 MroseFlex
  • Topic Starter

  • Members
  • 19 posts

Posted 08 December 2008 - 10:23 AM

Ok, here's the latest ComboFix log. It did run with the script you sent. We're still not clean yet, as the home page location continues to change back to 6700.cn. This bugger is NASTY. The powers that be here in my office are only giving me a little more time to clean this one up before they decide that the nuke-and-pave method should be implemented.

Please advise on the next step after looking over the new log. Thanks!


ComboFix 08-12-04.04 - Administrator 2008-12-08 10:07:25.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.292 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\cccc.exe
c:\documents and settings\xiaoxi.exe
c:\windows\003164_.tmp
c:\windows\005419_.tmp
c:\windows\asdfg232g2g.ini
c:\windows\system\nahsyh32b.dll
c:\windows\system\nahsyh32b0.dll
c:\windows\system32\012f
c:\windows\system32\11061894.dll
c:\windows\system32\A0B082C.EXE
c:\windows\system32\archibidll.dll
c:\windows\system32\cmdsame.exe
c:\windows\system32\ctb3.exe
c:\windows\system32\EA44A26D.cfg
c:\windows\system32\mmx101c0.exe
c:\windows\system32\msdev.exe
c:\windows\system32\SET578.tmp
c:\windows\system32\SET57E.tmp
c:\windows\system32\SETF8A.tmp
c:\windows\system32\SETF8D.tmp
c:\windows\system32\SETF92.tmp
c:\windows\system32\svcdkqg.exe
c:\windows\system32\xxz.exe
c:\windows\system32\yanha.exe
c:\windows\Tasks\af4ac.job
c:\windows\Tasks\af4b.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\cccc.exe
c:\documents and settings\xiaoxi.exe
c:\windows\003164_.tmp
c:\windows\005419_.tmp
c:\windows\asdfg232g2g.ini
c:\windows\system\nahsyh32b.dll
c:\windows\system\nahsyh32b0.dll
c:\windows\system32\012f
c:\windows\system32\11061894.dll
c:\windows\system32\archibidll.dll
c:\windows\system32\cmdsame.exe
c:\windows\system32\EA44A26D.cfg
c:\windows\system32\mmx101c0.exe
c:\windows\system32\SET578.tmp
c:\windows\system32\SET57E.tmp
c:\windows\system32\SETF8A.tmp
c:\windows\system32\SETF8D.tmp
c:\windows\system32\SETF92.tmp
c:\windows\Tasks\af4ac.job
c:\windows\Tasks\af4b.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_98674B5C
-------\Legacy_GSHFOG
-------\Legacy_KWG2HARH
-------\Legacy_NATIONALV1119
-------\Legacy_NIGMDP
-------\Legacy_PROTECTEDSTOER4
-------\Legacy_SERCHOST
-------\Legacy_SERVICELINK
-------\Legacy_XXZ
-------\Legacy_YANHA
-------\Service_98674B5C
-------\Service_gshfog
-------\Service_kwg2harh
-------\Service_Nationalv1119
-------\Service_nigmdp
-------\Service_Protectedstoer4
-------\Service_Serchost
-------\Service_ServiceLink
-------\Service_xxz
-------\Service_yanha


((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-04 16:17 . 2008-12-04 16:17 <DIR> d-------- C:\_OTMoveIt
2008-12-04 16:14 . 2008-12-04 15:18 349,696 --a------ C:\OTMoveIt3.exe
2008-12-04 15:39 . 2008-12-04 15:18 349,696 --a------ c:\documents and settings\Administrator\OTMoveIt3.exe
2008-12-04 15:01 . 2008-12-04 15:01 303 --a------ c:\windows\system32\MRT.INI
2008-12-04 15:00 . 2008-12-04 15:00 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-04 14:51 . 2008-10-03 12:41 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2008-12-04 14:51 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-04 14:51 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-04 14:51 . 2008-08-26 02:24 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2008-12-04 14:51 . 2008-08-26 02:24 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-04 14:51 . 2008-08-26 02:24 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2008-12-04 14:51 . 2008-08-26 02:24 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2008-12-04 14:51 . 2008-08-26 02:24 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-04 14:51 . 2008-08-25 03:38 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-04 14:41 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-12-04 14:41 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-04 14:40 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-04 14:40 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-04 14:40 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-04 14:40 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-04 14:40 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-04 14:40 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-04 14:40 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-12-04 14:40 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-12-04 14:39 . 2008-05-01 09:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-12-04 14:38 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-04 14:38 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-04 14:38 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-04 12:35 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2008-12-04 12:35 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2008-12-04 12:10 . 2008-12-04 12:40 <DIR> d-------- c:\windows\system32\scripting
2008-12-04 12:10 . 2008-12-04 12:40 <DIR> d-------- c:\windows\system32\en
2008-12-04 12:10 . 2008-12-04 12:40 <DIR> d-------- c:\windows\l2schemas
2008-12-04 12:01 . 2008-04-13 23:09 2,897,920 --a------ c:\windows\system32\xpsp2res.dll
2008-12-04 12:00 . 2008-08-14 05:09 2,145,280 --a------ c:\windows\system32\ntoskrnl.exe
2008-12-04 10:18 . 2008-12-04 10:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 10:18 . 2008-12-04 10:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 10:18 . 2008-12-04 10:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-04 10:18 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 10:18 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 10:13 . 2008-12-04 10:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-04 10:13 . 2008-12-04 10:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 16:10 . 2008-12-03 16:10 <DIR> d-------- C:\fsaua.data
2008-12-03 14:32 . 2008-12-03 14:32 <DIR> d-------- C:\_OTScanIt
2008-12-03 10:51 . 2008-12-03 10:51 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-24 21:12 . 2008-11-24 21:12 4 --a------ c:\windows\myver.ini
2008-11-24 20:56 . 2008-11-24 20:56 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Yahoo!
2008-11-24 19:57 . 2005-11-27 13:32 19,915 --a------ c:\windows\system32\romspring.dat
2008-11-24 19:57 . 2005-12-01 14:39 247 --a------ c:\windows\system32\romarshal.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2021-05-26 05:00 65,536 --sha-r C:\grwy.exe
2008-12-01 22:31 --------- d-----w c:\program files\WinAce
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 15:19 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2008-10-23 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-23 14:59 --------- d-----w c:\program files\QuickTime
2008-10-23 14:59 --------- d-----w c:\program files\iPod
2008-10-23 14:59 --------- d-----w c:\program files\Bonjour
2008-10-23 14:59 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-23 14:58 --------- d-----w c:\program files\Common Files\Apple
2008-10-23 14:57 --------- d-----w c:\program files\Apple Software Update
2008-10-23 14:56 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-21 14:10 --------- d-----w c:\program files\Common Files\Business Objects
2008-10-21 13:28 --------- d-----w c:\program files\DIFX
2008-10-21 13:28 --------- d-----w c:\documents and settings\All Users\Application Data\Applications
2008-09-10 11:36 26,336 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2005-12-01 19:39 717,312 ----a-w c:\documents and settings\Administrator\gotomypc_410.exe
2005-12-01 19:39 705,536 ----a-w c:\documents and settings\Administrator\gotomypc_397.exe
2005-12-01 19:39 573,952 ----a-w c:\documents and settings\Administrator\gotomypc_370.exe
2005-12-01 19:39 3,586,200 ----a-w c:\documents and settings\Administrator\gosetup.exe
2005-12-01 19:36 643,608 ----a-w c:\documents and settings\Administrator\chatlnk.exe
2005-12-01 16:54 573,952 ----a-w c:\documents and settings\Administrator\370_gotomypc.exe
2003-03-31 02:00 94,784 --sh--w c:\windows\twain.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"nwiz"="mmxaa567.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 17:45 10800 c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adffgh785v.exe]
"Debugger"=c:\windows\system32\keepSafe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DrRtp.exe]
"Debugger"=c:\windows\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RStray.exe]
"Debugger"=c:\windows\system32\svchost.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T DSL Service PCA Program]
--a------ 2003-09-23 14:57 270336 c:\progra~1\AT&T\DSL\Programs\dslpca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a------ 2002-10-22 10:55 159744 c:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMyPC]
--a------ 2007-01-12 17:45 249904 c:\program files\Citrix\GoToMyPC\g2svc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-03-11 05:11 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 09:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-03-11 05:24 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2004-01-09 16:01 868352 c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 18:44 65536 c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a------ 2003-11-20 13:01 525824 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2004-12-09 18:34 3545088 c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2005-12-01 11:54 50660 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-09-26 01:19 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8710:TCP"= 8710:TCP:WWW

.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = www.6700.cn?tn=1027201
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\Cfx4FCli.dll - O16 -: {24BACF02-5676-11D3-B8DE-00105A17A9E6}
hxxp://www.schaeffersresearch.com/Download/Cfx4Financial.cab

c:\windows\system32\atl.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\mfc42u.dll
c:\windows\Downloaded Program Files\reportparameterdialog.dll
c:\windows\Downloaded Program Files\CRViewer.dll
c:\windows\Downloaded Program Files\sviewhlp.dll
c:\windows\Downloaded Program Files\swebrs.dll
O16 -: {460324E8-CFB4-4357-85EF-CE3EBFE23A62}
hxxps://gts.bankofamerica.com/crystalreportviewers11/ActiveXControls/ActiveXViewer.cab
c:\windows\Downloaded Program Files\crviewer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 10:11:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
nwiz = mmxaa567.exe???????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\windows\system32\HPZipm12.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
.
**************************************************************************
.
Completion time: 2008-12-08 10:14:03 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-12-08 15:14:01
ComboFix2.txt 2008-12-04 22:02:24
ComboFix3.txt 2008-12-04 15:05:57
ComboFix4.txt 2008-12-03 21:20:19
ComboFix5.txt 2008-12-08 15:01:20

Pre-Run: 23,104,204,800 bytes free
Post-Run: 23,091,421,184 bytes free

313

Attached Files

  • Attached File  log.txt   18.53KB   23 downloads

Edited by Buckeye_Sam, 08 December 2008 - 10:33 AM.


#10 MroseFlex

MroseFlex
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 08 December 2008 - 10:30 AM

I had to kill a buncha processes to get the machine to run combofix before posting the log I posted earlier today (machine would freeze with any attempt to run combofix or even copy the script file off of a jump drive). After a reboot, I ran combofix again and I am posting that log here as well. Mebbe it will help?


ComboFix 08-12-04.04 - Administrator 2008-12-08 10:24:49.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.205 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\cccc.exe
c:\documents and settings\xiaoxi.exe
c:\windows\003164_.tmp
c:\windows\005419_.tmp
c:\windows\asdfg232g2g.ini
c:\windows\system\nahsyh32b.dll
c:\windows\system\nahsyh32b0.dll
c:\windows\system32\012f
c:\windows\system32\11061894.dll
c:\windows\system32\A0B082C.EXE
c:\windows\system32\archibidll.dll
c:\windows\system32\cmdsame.exe
c:\windows\system32\ctb3.exe
c:\windows\system32\EA44A26D.cfg
c:\windows\system32\mmx101c0.exe
c:\windows\system32\msdev.exe
c:\windows\system32\SET578.tmp
c:\windows\system32\SET57E.tmp
c:\windows\system32\SETF8A.tmp
c:\windows\system32\SETF8D.tmp
c:\windows\system32\SETF92.tmp
c:\windows\system32\svcdkqg.exe
c:\windows\system32\xxz.exe
c:\windows\system32\yanha.exe
c:\windows\Tasks\af4ac.job
c:\windows\Tasks\af4b.job
.

((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-04 16:17 . 2008-12-04 16:17 <DIR> d-------- C:\_OTMoveIt
2008-12-04 16:14 . 2008-12-04 15:18 349,696 --a------ C:\OTMoveIt3.exe
2008-12-04 15:39 . 2008-12-04 15:18 349,696 --a------ c:\documents and settings\Administrator\OTMoveIt3.exe
2008-12-04 15:01 . 2008-12-04 15:01 303 --a------ c:\windows\system32\MRT.INI
2008-12-04 15:00 . 2008-12-04 15:00 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-04 14:51 . 2008-10-03 12:41 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2008-12-04 14:51 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-04 14:51 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-04 14:51 . 2008-08-26 02:24 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2008-12-04 14:51 . 2008-08-26 02:24 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-04 14:51 . 2008-08-26 02:24 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2008-12-04 14:51 . 2008-08-26 02:24 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2008-12-04 14:51 . 2008-08-26 02:24 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-04 14:51 . 2008-08-25 03:38 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-04 14:41 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-12-04 14:41 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-04 14:40 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-04 14:40 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-04 14:40 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-04 14:40 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-04 14:40 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-04 14:40 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-04 14:40 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-12-04 14:40 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-12-04 14:39 . 2008-05-01 09:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-12-04 14:38 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-04 14:38 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-04 14:38 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-04 12:35 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2008-12-04 12:35 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2008-12-04 12:10 . 2008-12-04 12:40 <DIR> d-------- c:\windows\system32\scripting
2008-12-04 12:10 . 2008-12-04 12:40 <DIR> d-------- c:\windows\system32\en
2008-12-04 12:10 . 2008-12-04 12:40 <DIR> d-------- c:\windows\l2schemas
2008-12-04 12:01 . 2008-04-13 23:09 2,897,920 --a------ c:\windows\system32\xpsp2res.dll
2008-12-04 12:00 . 2008-08-14 05:09 2,145,280 --a------ c:\windows\system32\ntoskrnl.exe
2008-12-04 10:18 . 2008-12-04 10:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 10:18 . 2008-12-04 10:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 10:18 . 2008-12-04 10:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-04 10:18 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 10:18 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 10:13 . 2008-12-04 10:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-04 10:13 . 2008-12-04 10:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 16:10 . 2008-12-03 16:10 <DIR> d-------- C:\fsaua.data
2008-12-03 14:32 . 2008-12-03 14:32 <DIR> d-------- C:\_OTScanIt
2008-12-03 10:51 . 2008-12-03 10:51 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-24 21:12 . 2008-11-24 21:12 4 --a------ c:\windows\myver.ini
2008-11-24 20:56 . 2008-11-24 20:56 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Yahoo!
2008-11-24 19:57 . 2005-11-27 13:32 19,915 --a------ c:\windows\system32\romspring.dat
2008-11-24 19:57 . 2005-12-01 14:39 247 --a------ c:\windows\system32\romarshal.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2021-05-26 05:00 65,536 --sha-r C:\grwy.exe
2008-12-01 22:31 --------- d-----w c:\program files\WinAce
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 15:19 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2008-10-23 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-23 14:59 --------- d-----w c:\program files\QuickTime
2008-10-23 14:59 --------- d-----w c:\program files\iPod
2008-10-23 14:59 --------- d-----w c:\program files\Bonjour
2008-10-23 14:59 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-23 14:58 --------- d-----w c:\program files\Common Files\Apple
2008-10-23 14:57 --------- d-----w c:\program files\Apple Software Update
2008-10-23 14:56 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-21 14:10 --------- d-----w c:\program files\Common Files\Business Objects
2008-10-21 13:28 --------- d-----w c:\program files\DIFX
2008-10-21 13:28 --------- d-----w c:\documents and settings\All Users\Application Data\Applications
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-30 02:27 84,992 ----a-w c:\windows\system32\lmdimon8.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 11:36 26,336 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2005-12-01 19:39 717,312 ----a-w c:\documents and settings\Administrator\gotomypc_410.exe
2005-12-01 19:39 705,536 ----a-w c:\documents and settings\Administrator\gotomypc_397.exe
2005-12-01 19:39 573,952 ----a-w c:\documents and settings\Administrator\gotomypc_370.exe
2005-12-01 19:39 3,586,200 ----a-w c:\documents and settings\Administrator\gosetup.exe
2005-12-01 19:36 643,608 ----a-w c:\documents and settings\Administrator\chatlnk.exe
2005-12-01 16:54 573,952 ----a-w c:\documents and settings\Administrator\370_gotomypc.exe
2003-03-31 02:00 94,784 --sh--w c:\windows\twain.dll
.

((((((((((((((((((((((((((((( snapshot_2008-12-04_17.01.52.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-08 15:15:35 16,384 ----atw c:\windows\temp\Perflib_Perfdata_56c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"nwiz"="mmxaa567.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 17:45 10800 c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adffgh785v.exe]
"Debugger"=c:\windows\system32\keepSafe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DrRtp.exe]
"Debugger"=c:\windows\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RStray.exe]
"Debugger"=c:\windows\system32\svchost.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T DSL Service PCA Program]
--a------ 2003-09-23 14:57 270336 c:\progra~1\AT&T\DSL\Programs\dslpca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a------ 2002-10-22 10:55 159744 c:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMyPC]
--a------ 2007-01-12 17:45 249904 c:\program files\Citrix\GoToMyPC\g2svc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-03-11 05:11 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 09:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-03-11 05:24 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2004-01-09 16:01 868352 c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 18:44 65536 c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a------ 2003-11-20 13:01 525824 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2004-12-09 18:34 3545088 c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2005-12-01 11:54 50660 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-09-26 01:19 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8710:TCP"= 8710:TCP:WWW


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = www.6700.cn?tn=1027201
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\Cfx4FCli.dll - O16 -: {24BACF02-5676-11D3-B8DE-00105A17A9E6}
hxxp://www.schaeffersresearch.com/Download/Cfx4Financial.cab

c:\windows\system32\atl.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\mfc42u.dll
c:\windows\Downloaded Program Files\reportparameterdialog.dll
c:\windows\Downloaded Program Files\CRViewer.dll
c:\windows\Downloaded Program Files\sviewhlp.dll
c:\windows\Downloaded Program Files\swebrs.dll
O16 -: {460324E8-CFB4-4357-85EF-CE3EBFE23A62}
hxxps://gts.bankofamerica.com/crystalreportviewers11/ActiveXControls/ActiveXViewer.cab
c:\windows\Downloaded Program Files\crviewer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 10:26:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
nwiz = mmxaa567.exe???????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
Completion time: 2008-12-08 10:27:12
ComboFix-quarantined-files.txt 2008-12-08 15:26:55
ComboFix2.txt 2008-12-08 15:14:04
ComboFix3.txt 2008-12-04 22:02:24
ComboFix4.txt 2008-12-04 15:05:57
ComboFix5.txt 2008-12-08 15:24:22

Pre-Run: 23,073,050,624 bytes free
Post-Run: 23,061,327,872 bytes free

274

Attached Files

  • Attached File  log1.txt   17.82KB   3 downloads

Edited by Buckeye_Sam, 08 December 2008 - 10:33 AM.


#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:12 PM

Posted 08 December 2008 - 10:42 AM

Please visit the online Jotti Virus Scanner
  • Click on Posted Image button.
  • Copy and paste the following filepath in the box:


    c:\windows\system32\keepSafe.exe


  • Click on the Posted Image button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html



===============



1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]

mmxaa567
grwy

[Options]
Filter=KVDLUI



2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 MroseFlex

MroseFlex
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 08 December 2008 - 11:07 AM

Here is the output from Registry Safe:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.5.0

; Results at 12/8/2008 11:01:42 AM for strings:
; 'mmxaa567'
; 'grwy'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"nwiz"="mmxaa567.exe"

; End Of The Log...

I attempted to run the Jotti scan on the keepsafe.exe but, the machine does not find a copy of the file in that location. Last week before I started this thread with you, I did delete a keepsafe.exe out of the system32 folder (had to go out to a command prompt and use attrib to get the sucker off the machine). It does not appear that a keepsafe.exe is on the machine anywhere.

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:12 PM

Posted 08 December 2008 - 11:13 AM

Ok, let's clean up a few more things that I see.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
c:\windows\system32\mmxaa567.exe
c:\windows\system32\keepSafe.exe
C:\grwy.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"nwiz"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adffgh785v.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DrRtp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RStray.exe]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===============


Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • Run GMER again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
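
The CFScript above removes two kinds of entry that the logs in this thread keep showing: an Explorer policy Run value that launches a bare file name, and Image File Execution Options subkeys whose Debugger value redirects a security tool either to keepSafe.exe or to svchost.exe (which does nothing useful when started that way, so the tool never runs). As an added example that is not part of the thread or of ComboFix, the Python script below parses the "Reg Loading Points" section ComboFix prints, flags those two patterns plus suppressed Security Center notifications, and drafts File:: and Registry:: lines in the same syntax Buckeye_Sam used ("name"=- deletes a value, [-key] deletes a key). SAMPLE_LOG is a constructed excerpt modelled on the posted log with one benign ntsd.exe entry added as a control; the debugger allowlist and the list of protected OS binaries are assumptions.

```python
"""Triage a ComboFix "Reg Loading Points" listing and draft the matching CFScript.
Added example (not from the thread or ComboFix). SAMPLE_LOG is a constructed excerpt
modelled on the posted log plus one benign ntsd.exe entry as an allowlist control."""
import ntpath
import re

SAMPLE_LOG = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"nwiz"="mmxaa567.exe" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adffgh785v.exe]
"Debugger"=c:\windows\system32\keepSafe.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DrRtp.exe]
"Debugger"=c:\windows\system32\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]
"Debugger"=c:\windows\system32\ntsd.exe -d
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)       # first .exe path in a Debugger string
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}  # assumed allowlist
NOTIFY_VALUES = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}
PROTECTED = {"svchost.exe", "explorer.exe", "cmd.exe", "rundll32.exe"}  # never put these under File::


def _clean_data(raw):
    raw = raw.strip()
    if raw.startswith('"'):                        # quoted string data
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw[1:]
    return re.sub(r"\s+\[[^\]]*\]$", "", raw)      # drop ComboFix's trailing " [date size]" note


def parse_reg_loading_points(text):
    """Return (key, value name, data) triples in listing order."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), _clean_data(m.group(2))))
    return entries


def _exe_name(data):
    m = EXE_RE.match(data)
    return ntpath.basename(m.group(1)).lower() if m else data.lower()


def triage(entries):
    """Flag the persistence and defence-evasion patterns seen in the posted log."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if "\\image file execution options\\" in k and name.lower() == "debugger":
            # Whatever Debugger names is started instead of the target; with svchost.exe
            # as the "debugger" the target never runs at all (silent kill of security tools).
            if _exe_name(data) not in KNOWN_DEBUGGERS:
                findings.append(dict(kind="ifeo", key=key, name=name, data=data,
                                     reason="IFEO Debugger hijack"))
        elif k.endswith("\\policies\\explorer\\run"):
            why = "policy Run entry" + (" with bare file name" if "\\" not in data else "")
            findings.append(dict(kind="run", key=key, name=name, data=data, reason=why))
        elif (k.endswith("\\security center") and name.lower() in NOTIFY_VALUES
              and data.lower() == "dword:00000001"):
            findings.append(dict(kind="notify", key=key, name=name, data=data,
                                 reason="Security Center alert suppressed"))
    return findings


def build_cfscript(findings):
    """Draft File:: and Registry:: sections; 'notify' findings are reported only."""
    files, value_deletes, key_deletes = [], [], []
    for f in findings:
        if f["kind"] == "ifeo":
            key_deletes.append(f["key"])                  # drop the whole IFEO subkey
            m = EXE_RE.match(f["data"])
            if m and "\\" in m.group(1) and ntpath.basename(m.group(1)).lower() not in PROTECTED:
                files.append(m.group(1))                  # the fake debugger binary itself
        elif f["kind"] == "run":
            value_deletes.append((f["key"], f["name"]))   # "name"=- removes one value
    lines = []
    if files:
        lines += ["File::"] + sorted(set(files), key=str.lower) + [""]
    lines.append("Registry::")
    last = None
    for key, name in value_deletes:
        if key != last:
            lines.append("[%s]" % key)
            last = key
        lines.append('"%s"=-' % name)
    lines += ["[-%s]" % key for key in key_deletes]
    return "\n".join(lines) + "\n"
```

Calling the three functions in order on the sample log yields five findings (one policy Run value, two IFEO hijacks, two suppressed notifications) and leaves the ctfmon.exe and ntsd.exe entries alone. The drafted script lists keepSafe.exe under File:: but not svchost.exe: that entry is reported as an abused debugger and its IFEO subkey is deleted, yet the binary is a Windows component and must stay. The Security Center flags are reported only, since re-enabling notifications is a call for the helper rather than the script.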


========================================================

#14 MroseFlex (Topic Starter)

Posted 08 December 2008 - 11:38 AM

Attached are the latest ComboFix log and the log from GMER.

ComboFix 08-12-04.04 - Administrator 2008-12-08 11:18:02.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.146 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-04 16:17 . 2008-12-04 16:17 <DIR> d-------- C:\_OTMoveIt
2008-12-04 16:14 . 2008-12-04 15:18 349,696 --a------ C:\OTMoveIt3.exe
2008-12-04 15:39 . 2008-12-04 15:18 349,696 --a------ c:\documents and settings\Administrator\OTMoveIt3.exe
2008-12-04 15:01 . 2008-12-04 15:01 303 --a------ c:\windows\system32\MRT.INI
2008-12-04 15:00 . 2008-12-04 15:00 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-04 14:51 . 2008-10-03 12:41 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2008-12-04 14:51 . 2007-04-17 04:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-04 14:51 . 2007-03-08 00:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-04 14:51 . 2008-08-26 02:24 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2008-12-04 14:51 . 2008-08-26 02:24 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-04 14:51 . 2008-08-26 02:24 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2008-12-04 14:51 . 2008-08-26 02:24 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2008-12-04 14:51 . 2008-08-26 02:24 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-04 14:51 . 2008-08-25 03:38 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-04 14:41 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-12-04 14:41 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-04 14:40 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-04 14:40 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-04 14:40 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-04 14:40 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-04 14:40 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-04 14:40 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-04 14:40 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-12-04 14:40 . 2008-08-14 05:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-12-04 14:39 . 2008-05-01 09:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-12-04 14:38 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-04 14:38 . 2008-06-13 06:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-04 14:38 . 2008-05-08 09:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-04 12:35 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2008-12-04 12:35 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2008-12-04 12:10 . 2008-12-04 12:40 <DIR> d-------- c:\windows\system32\scripting
2008-12-04 12:10 . 2008-12-04 12:40 <DIR> d-------- c:\windows\system32\en
2008-12-04 12:10 . 2008-12-04 12:40 <DIR> d-------- c:\windows\l2schemas
2008-12-04 12:01 . 2008-04-13 23:09 2,897,920 --a------ c:\windows\system32\xpsp2res.dll
2008-12-04 12:00 . 2008-08-14 05:09 2,145,280 --a------ c:\windows\system32\ntoskrnl.exe
2008-12-04 10:18 . 2008-12-04 10:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 10:18 . 2008-12-04 10:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 10:18 . 2008-12-04 10:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-04 10:18 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 10:18 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 10:13 . 2008-12-04 10:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-04 10:13 . 2008-12-04 10:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 16:10 . 2008-12-03 16:10 <DIR> d-------- C:\fsaua.data
2008-12-03 14:32 . 2008-12-03 14:32 <DIR> d-------- C:\_OTScanIt
2008-12-03 10:51 . 2008-12-03 10:51 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-24 21:12 . 2008-11-24 21:12 4 --a------ c:\windows\myver.ini
2008-11-24 20:56 . 2008-11-24 20:56 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Yahoo!
2008-11-24 19:57 . 2005-11-27 13:32 19,915 --a------ c:\windows\system32\romspring.dat
2008-11-24 19:57 . 2005-12-01 14:39 247 --a------ c:\windows\system32\romarshal.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2021-05-26 05:00 65,536 --sha-r C:\grwy.exe
2008-12-01 22:31 --------- d-----w c:\program files\WinAce
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 15:19 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2008-10-23 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-23 14:59 --------- d-----w c:\program files\QuickTime
2008-10-23 14:59 --------- d-----w c:\program files\iPod
2008-10-23 14:59 --------- d-----w c:\program files\Bonjour
2008-10-23 14:59 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-23 14:58 --------- d-----w c:\program files\Common Files\Apple
2008-10-23 14:57 --------- d-----w c:\program files\Apple Software Update
2008-10-23 14:56 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-21 14:10 --------- d-----w c:\program files\Common Files\Business Objects
2008-10-21 13:28 --------- d-----w c:\program files\DIFX
2008-10-21 13:28 --------- d-----w c:\documents and settings\All Users\Application Data\Applications
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-30 02:27 84,992 ----a-w c:\windows\system32\lmdimon8.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 11:36 26,336 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2005-12-01 19:39 717,312 ----a-w c:\documents and settings\Administrator\gotomypc_410.exe
2005-12-01 19:39 705,536 ----a-w c:\documents and settings\Administrator\gotomypc_397.exe
2005-12-01 19:39 573,952 ----a-w c:\documents and settings\Administrator\gotomypc_370.exe
2005-12-01 19:39 3,586,200 ----a-w c:\documents and settings\Administrator\gosetup.exe
2005-12-01 19:36 643,608 ----a-w c:\documents and settings\Administrator\chatlnk.exe
2005-12-01 16:54 573,952 ----a-w c:\documents and settings\Administrator\370_gotomypc.exe
2003-03-31 02:00 94,784 --sh--w c:\windows\twain.dll
.

((((((((((((((((((((((((((((( snapshot_2008-12-04_17.01.52.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-08 15:15:35 16,384 ----atw c:\windows\temp\Perflib_Perfdata_56c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"nwiz"="mmxaa567.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 17:45 10800 c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YU12"= ATIYUV12.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\adffgh785v.exe]
"Debugger"=c:\windows\system32\keepSafe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DrRtp.exe]
"Debugger"=c:\windows\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RStray.exe]
"Debugger"=c:\windows\system32\svchost.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T DSL Service PCA Program]
--a------ 2003-09-23 14:57 270336 c:\progra~1\AT&T\DSL\Programs\dslpca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a------ 2002-10-22 10:55 159744 c:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMyPC]
--a------ 2007-01-12 17:45 249904 c:\program files\Citrix\GoToMyPC\g2svc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-03-11 05:11 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 09:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-03-11 05:24 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2004-01-09 16:01 868352 c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 18:44 65536 c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a------ 2003-11-20 13:01 525824 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2004-12-09 18:34 3545088 c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2005-12-01 11:54 50660 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-09-26 01:19 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8710:TCP"= 8710:TCP:WWW


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = www.6700.cn?tn=1027201
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\Cfx4FCli.dll - O16 -: {24BACF02-5676-11D3-B8DE-00105A17A9E6}
hxxp://www.schaeffersresearch.com/Download/Cfx4Financial.cab

c:\windows\system32\atl.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\mfc42u.dll
c:\windows\Downloaded Program Files\reportparameterdialog.dll
c:\windows\Downloaded Program Files\CRViewer.dll
c:\windows\Downloaded Program Files\sviewhlp.dll
c:\windows\Downloaded Program Files\swebrs.dll
O16 -: {460324E8-CFB4-4357-85EF-CE3EBFE23A62}
hxxps://gts.bankofamerica.com/crystalreportviewers11/ActiveXControls/ActiveXViewer.cab
c:\windows\Downloaded Program Files\crviewer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 11:19:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
nwiz = mmxaa567.exe???????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
Completion time: 2008-12-08 11:20:44
ComboFix-quarantined-files.txt 2008-12-08 16:20:38
ComboFix2.txt 2008-12-08 15:27:13
ComboFix3.txt 2008-12-08 15:14:04
ComboFix4.txt 2008-12-04 22:02:24
ComboFix5.txt 2008-12-08 16:17:34

Pre-Run: 23,043,436,544 bytes free
Post-Run: 23,034,351,616 bytes free

247

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-08 11:35:39
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF8C388AC]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF8C38812]

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ZwSetValueKey + 4F 805822DB 4 Bytes [ C5, F7, 24, 78 ]
PAGE ntoskrnl.exe!FsRtlIsNameInExpression + 3BB 805822DB 4 Bytes [ C5, F7, 24, 78 ]

---- Devices - GMER 1.0.14 ----

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\swprgea \Device\rkdoor npgwyhr.sys

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE@DisableHeapLookAside 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE@DisableHeapLookAside 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE@DisableHeapLookAside 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.Exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.Exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll@CheckAppHelp 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDGames.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\servet.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sos.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll@CheckAppHelp 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll@CheckAppHelp 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll@CheckAppHelp 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TNT.Exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TxoMoU.Exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE@DisableHeapLookAside 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll@CheckAppHelp 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UFO.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll@CheckAppHelp 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll@CheckAppHelp 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll@CheckAppHelp 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE@DisableHeapLookAside 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wsyscheck.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll@CheckAppHelp 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XP.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path@Debugger ntsd -d
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path@GlobalFlag 0x000010F0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe????!??????? ???C:\WINDOWS\system32\keepSafe.exe????Q??????? ???C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\syst

---- EOF - GMER 1.0.14 ----

Attached Files


Edited by Buckeye_Sam, 08 December 2008 - 11:41 AM.
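The run of `Image File Execution Options\...@Debugger` entries in the GMER log above is the part worth understanding: when Windows is asked to start an image name that has a `Debugger` value under IFEO, it launches that value instead, so pointing dozens of security-tool names at `C:\WINDOWS\system32\keepSafe.exe` silently replaces those tools with the infection's own binary. The `CheckAppHelp` and `DisableHeapLookAside` values in the same listing are ordinary application-compatibility flags, and the `Your Image File Name Here without a path` key is a placeholder that never matches a real image name. The following Python script is an added example written for this page (not code from the thread, from GMER, or from BleepingComputer) that parses GMER-style `Reg` lines and flags exactly the `Debugger` entries. `SAMPLE_LOG` is constructed in the style of the listing above; the `?` runs stand in for the binary garbage the scanner printed after the path, and the script relies on `?` being an illegal character in a Windows path to cut the real target out of that junk.

```python
from collections import Counter

IFEO_MARKER = "image file execution options\\"

# Constructed sample in the style of a GMER "Reg" listing (not the thread's full log).
SAMPLE_LOG = r"""
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe@Debugger C:\WINDOWS\system32\keepSafe.exe???????????? ???C:\WINDOWS\system32\keepSafe.exe
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll@CheckAppHelp 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE@DisableHeapLookAside 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path@Debugger ntsd -d
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe@Debugger C:\WINDOWS\system32\keepSafe.exe
---- EOF - GMER 1.0.14 ----
"""


def parse_reg_line(line):
    """Split one GMER 'Reg <key>@<value> <data>' line into its parts, or return None."""
    line = line.strip()
    if not line.startswith("Reg "):
        return None
    key, sep, rest = line[4:].partition("@")
    if not sep:
        return None
    value, _, data = rest.partition(" ")
    return {"key": key, "value": value, "data": data}


def ifeo_image(key):
    """Return the image (sub-key) name if the key lives under IFEO, else None."""
    idx = key.lower().find(IFEO_MARKER)
    if idx < 0:
        return None
    return key[idx + len(IFEO_MARKER):]


def clean_debugger(data):
    """Keep only the text before the first '?', which cannot occur in a Windows path."""
    return data.split("?", 1)[0].strip()


def find_debugger_hijacks(log_text):
    """Return every IFEO Debugger entry in the log; other IFEO values are ignored."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_reg_line(line)
        if rec is None or rec["value"].lower() != "debugger":
            continue
        image = ifeo_image(rec["key"])
        if image is None:
            continue
        hits.append({
            "image": image,
            "debugger": clean_debugger(rec["data"]),
            # A sub-key whose name is not a file name can never match a launched image,
            # so the stock placeholder key is reported but not counted as a hijack.
            "placeholder": image.lower() == "your image file name here without a path",
        })
    return hits


def debugger_targets(hits):
    """Count which debugger binaries are wired in front of real image names."""
    return Counter(h["debugger"].lower() for h in hits if not h["placeholder"])


if __name__ == "__main__":
    found = find_debugger_hijacks(SAMPLE_LOG)
    for h in found:
        tag = "placeholder" if h["placeholder"] else "HIJACK"
        print(f"{tag:11} {h['image']} -> {h['debugger']}")
    print("targets:", dict(debugger_targets(found)))
```

Run against a full GMER or OTScanIt registry dump, `debugger_targets` collapses the listing to the handful of binaries actually being substituted, which is the list to submit to an online scanner and to remove, along with the `Debugger` values themselves, before the hijacked tools will run again.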


#15 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 08 December 2008 - 11:45 AM

The step with combofix did not work. Please create the cfscript file once again and drag it to Combofix.

Please visit the online Jotti Virus Scanner
  • Click on Posted Image button.
  • Copy and paste the following filepath in the box:
    c:\windows\system32\drivers\npgwyhr.sys
  • Click on the Posted Image button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html

Also please copy and paste your logs directly into your post instead of attaching them. Just saves me time and makes them much easier to review.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
