Hi, I have done a separate ComboFix run on 2 of my external hard disks. The 2 external hard disks are Seagate and Maxtor.
I first plugged in my Seagate storage and the viruses vamsoft.exe and kamsoft.exe all reappeared, but there was no reappearance of ckvo.exe in my msconfig startup list. There was a program stall when I first started ComboFix, but I restarted the computer and everything went smoothly, and I unplugged my Seagate storage.
Next, after the 1st ComboFix run was done, I plugged in my Maxtor storage, detected no virus in my msconfig startup list, ran ComboFix, and everything was smooth.
Here is the ComboFix log with my Seagate external hard disk:
ComboFix 08-12-12.02 - William 2008-12-14 13:54:11.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.734 [GMT 8:00]
Running from: c:\documents and settings\William\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\William\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\6fnlpetp.exe
c:\windows\system32\vamsoft.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\6fnlpetp.exe
C:\autorun.inf
C:\e.cmd
C:\h3.bat
c:\windows\system32\gasretyw0.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\vamsoft.exe
c:\windows\system32\vbsdfe0.dll
E:\1u0o8bnq.cmd
E:\Autorun.inf
E:\e.cmd
E:\h3.bat
E:\vva0hc0p.cmd
E:\xk2n.bat
.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.
2008-12-12 21:44 . 2008-12-12 21:44 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 21:03 . 2008-12-12 21:04 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-08 00:21 . 2008-12-08 00:22 69 --a------ c:\windows\NeroDigital.ini
2008-11-23 00:31 . 2008-12-13 21:45 <DIR> d-------- c:\program files\Garena
2008-11-23 00:30 . 2008-11-23 00:30 <DIR> d-------- c:\documents and settings\William\Application Data\InstallShield
2008-11-20 00:45 . 2008-11-20 00:45 <DIR> d--hs---- c:\windows\ftpcache
2008-11-19 23:45 . 2008-11-19 23:45 <DIR> d-------- c:\program files\CCleaner
2008-11-19 20:10 . 2008-11-19 20:10 <DIR> d-------- c:\windows\Application Data
2008-11-19 20:09 . 2003-07-21 11:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-11-19 20:09 . 2005-01-05 02:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-11-19 20:04 . 2008-11-19 20:04 <DIR> d-------- c:\program files\WIZET
2008-11-19 19:49 . 2008-11-19 19:49 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-14 20:17 . 2008-11-14 20:36 <DIR> d-------- c:\documents and settings\William\Application Data\Red Alert 3
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\windows\Logs
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\program files\Electronic Arts
2008-11-14 20:05 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-11-14 19:56 . 2008-11-14 19:56 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-14 19:54 . 2008-11-14 19:54 715,248 --a------ c:\windows\system32\drivers\sptd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 05:40 --------- d-----w c:\program files\Warcraft III
2008-11-22 16:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 09:45 108,973 --sh--r C:\sq.com
2008-11-02 08:51 2,829 ----a-w c:\windows\War3Unin.pif
2008-11-02 08:51 139,264 ----a-w c:\windows\War3Unin.exe
2008-11-02 06:40 --------- d-----w c:\program files\microsoft frontpage
2008-11-02 06:40 --------- d-----w c:\documents and settings\William\Application Data\Microsoft Web Folders
2008-11-02 06:05 --------- d-----w c:\documents and settings\William\Application Data\vlc
2008-11-02 06:02 --------- d-----w c:\program files\VideoLAN
2008-11-02 05:25 --------- d-----w c:\program files\MSN Messenger
2008-11-02 05:20 --------- d-----w c:\program files\Download Express
2008-11-02 05:20 --------- d-----w c:\documents and settings\William\Application Data\MetaProducts
2008-11-02 05:08 --------- d-----w c:\program files\Combined Community Codec Pack
2008-11-02 05:05 --------- d-----w c:\program files\Common Files\Nero
2008-11-02 05:04 --------- d-----w c:\program files\Common Files\Ahead
2008-11-02 05:04 --------- d-----w c:\program files\Ahead
2008-11-02 05:00 --------- d-----w c:\program files\Realtek
2008-11-02 04:59 14,656 ----a-w c:\windows\gdrv.sys
2008-11-02 04:59 --------- d-----w c:\program files\Marvell
2008-11-02 04:59 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-02 04:57 --------- d-----w c:\program files\Intel
2008-11-02 04:54 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\ATI
2008-11-02 04:39 --------- d-----w c:\documents and settings\William\Application Data\ATI
2008-11-02 04:36 --------- d-----w c:\program files\ATI Technologies
2008-11-02 04:35 --------- d-----w c:\program files\Common Files\ATI Technologies
2006-08-01 03:00 22,987 --sh--r c:\documents and settings\William\taskmgr.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-31 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-17 1953792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Task"="c:\docume~1\William\taskmgr.exe" [2006-08-01 22987]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-09-25 09:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-11-14 17:21 16270848 c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\William\\Desktop\\WC3 Winning Key\\lancraft.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Lancraft
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-vamsoft - c:\windows\system32\vamsoft.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.singnet.com.sg/
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
FF - ProfilePath - c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\ckvx8qm5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.singnet.com.sg/
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-14 13:55:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-12-14 13:56:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 05:56:40
ComboFix2.txt 2008-12-13 03:08:27
ComboFix3.txt 2008-12-12 15:47:15
Pre-Run: 98,719,748,096 bytes free
Post-Run: 98,726,141,952 bytes free
162
HijackThis log with my Seagate external hard disk storage:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:00 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\William\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.singnet.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
--
End of file - 2592 bytes
This is the ComboFix log with my Maxtor external hard disk:
ComboFix 08-12-12.02 - William 2008-12-14 14:02:35.13 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.726 [GMT 8:00]
Running from: c:\documents and settings\William\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\William\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\6fnlpetp.exe
c:\windows\system32\vamsoft.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.
2008-12-12 21:44 . 2008-12-12 21:44 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 21:03 . 2008-12-12 21:04 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-08 00:21 . 2008-12-08 00:22 69 --a------ c:\windows\NeroDigital.ini
2008-11-23 00:31 . 2008-12-13 21:45 <DIR> d-------- c:\program files\Garena
2008-11-23 00:30 . 2008-11-23 00:30 <DIR> d-------- c:\documents and settings\William\Application Data\InstallShield
2008-11-20 00:45 . 2008-11-20 00:45 <DIR> d--hs---- c:\windows\ftpcache
2008-11-19 23:45 . 2008-11-19 23:45 <DIR> d-------- c:\program files\CCleaner
2008-11-19 20:10 . 2008-11-19 20:10 <DIR> d-------- c:\windows\Application Data
2008-11-19 20:09 . 2003-07-21 11:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2008-11-19 20:09 . 2005-01-05 02:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-11-19 20:04 . 2008-11-19 20:04 <DIR> d-------- c:\program files\WIZET
2008-11-19 19:49 . 2008-11-19 19:49 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-14 20:17 . 2008-11-14 20:36 <DIR> d-------- c:\documents and settings\William\Application Data\Red Alert 3
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\windows\Logs
2008-11-14 20:05 . 2008-11-14 20:05 <DIR> d-------- c:\program files\Electronic Arts
2008-11-14 20:05 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-11-14 20:05 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-14 20:05 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-11-14 19:56 . 2008-11-14 19:56 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-14 19:54 . 2008-11-14 19:54 715,248 --a------ c:\windows\system32\drivers\sptd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 05:40 --------- d-----w c:\program files\Warcraft III
2008-11-22 16:31 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 09:45 108,973 --sh--r C:\sq.com
2008-11-02 08:51 2,829 ----a-w c:\windows\War3Unin.pif
2008-11-02 08:51 139,264 ----a-w c:\windows\War3Unin.exe
2008-11-02 06:40 --------- d-----w c:\program files\microsoft frontpage
2008-11-02 06:40 --------- d-----w c:\documents and settings\William\Application Data\Microsoft Web Folders
2008-11-02 06:05 --------- d-----w c:\documents and settings\William\Application Data\vlc
2008-11-02 06:02 --------- d-----w c:\program files\VideoLAN
2008-11-02 05:25 --------- d-----w c:\program files\MSN Messenger
2008-11-02 05:20 --------- d-----w c:\program files\Download Express
2008-11-02 05:20 --------- d-----w c:\documents and settings\William\Application Data\MetaProducts
2008-11-02 05:08 --------- d-----w c:\program files\Combined Community Codec Pack
2008-11-02 05:05 --------- d-----w c:\program files\Common Files\Nero
2008-11-02 05:04 --------- d-----w c:\program files\Common Files\Ahead
2008-11-02 05:04 --------- d-----w c:\program files\Ahead
2008-11-02 05:00 --------- d-----w c:\program files\Realtek
2008-11-02 04:59 14,656 ----a-w c:\windows\gdrv.sys
2008-11-02 04:59 --------- d-----w c:\program files\Marvell
2008-11-02 04:59 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-02 04:57 --------- d-----w c:\program files\Intel
2008-11-02 04:54 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\ATI
2008-11-02 04:39 --------- d-----w c:\documents and settings\William\Application Data\ATI
2008-11-02 04:36 --------- d-----w c:\program files\ATI Technologies
2008-11-02 04:35 --------- d-----w c:\program files\Common Files\ATI Technologies
2006-08-01 03:00 22,987 --sh--r c:\documents and settings\William\taskmgr.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-31 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-17 1953792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Task"="c:\docume~1\William\taskmgr.exe" [2006-08-01 22987]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-09-25 09:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-11-14 17:21 16270848 c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\William\\Desktop\\WC3 Winning Key\\lancraft.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Lancraft
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.singnet.com.sg/
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
FF - ProfilePath - c:\documents and settings\William\Application Data\Mozilla\Firefox\Profiles\ckvx8qm5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.singnet.com.sg/
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-14 14:04:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-12-14 14:05:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 06:05:00
ComboFix2.txt 2008-12-14 05:56:42
ComboFix3.txt 2008-12-13 03:08:27
ComboFix4.txt 2008-12-12 15:47:15
Pre-Run: 98,718,785,536 bytes free
Post-Run: 98,708,537,344 bytes free
144
HijackThis log with my Maxtor external hard disk:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:44 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\William\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.singnet.com.sg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [Task] C:\DOCUME~1\William\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
--
End of file - 2592 bytes
Please advise on anything that seems to be a problem on my computer and my 2 hard drives. I would like to know if there is anything to prevent an infection from copying itself to my hard disk when I plug it in, if there is.
If there is anything that you wish to know of, please inform me.
Thanks once again.
Edited by iceman127, 14 December 2008 - 01:27 AM.