prunnet.exe Virus/Trojan/Spyware/Malware


This topic is locked
29 replies to this topic

#1 ka2335

Posted 17 December 2008 - 02:29 PM

Hi,

I am getting the following problems:

- lots of pop-ups
- slow computer
- computer crashes
- can't access regedit
- NOD32 and Spybot won't update

All this started happening yesterday and I am pretty sure it's caused by a virus/Trojan.

I have noticed prunnet.exe and gadcom.exe in my Task Manager, which I have since deleted from the computer.

Here is my HijackThis log.

I would greatly appreciate some help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:25:58, on 17/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Kontiki\KHost.exe
C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\winloggn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\csrssc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Khuram Ahmed\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\java\bin\jusched.exe
O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_a.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\software\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [xsgds4fgffght] C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Khuram Ahmed\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [xsgds4fgffght] C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Software\Adobe Reader 7\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Software\MSoffice\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Software\MSoffice\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\java\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - AppInit_DLLs: xtusez.dll
O22 - SharedTaskScheduler: KJhaiufhw3nrih7wefywjfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rsekd83jde.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - E:\kaspersky 8\avp.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - F:\Software\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - F:\Software\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 8415 bytes

#2 ka2335

Posted 17 December 2008 - 02:33 PM

This is the RSIT log.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Khuram Ahmed at 2008-12-17 19:27:08
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 2 GB (23%) free of 8 GB
Total RAM: 767 MB (56% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:27:10, on 17/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Kontiki\KHost.exe
C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\winloggn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\csrssc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Khuram Ahmed\Desktop\RSIT.exe
C:\Documents and Settings\Khuram Ahmed\Desktop\hijack\Khuram Ahmed.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\geBrpqnO.dll
O2 - BHO: (no name) - {8C3BAFEF-7A40-49C0-83E5-3568DEF4F907} - C:\WINDOWS\system32\geBsttqq.dll
O2 - BHO: C:\WINDOWS\system32\rsekd83jde.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rsekd83jde.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\java\bin\jusched.exe
O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_a.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\software\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [xsgds4fgffght] C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Khuram Ahmed\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [xsgds4fgffght] C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Software\Adobe Reader 7\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Software\MSoffice\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Software\MSoffice\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\java\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - AppInit_DLLs: xtusez.dll
O20 - Winlogon Notify: geBrpqnO - C:\WINDOWS\SYSTEM32\geBrpqnO.dll
O22 - SharedTaskScheduler: KJhaiufhw3nrih7wefywjfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rsekd83jde.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - E:\kaspersky 8\avp.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - F:\Software\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - F:\Software\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 8860 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\cpsbxmkb.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{6687611E-3944-4579-861D-EA8E6ACC75BE}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
C:\WINDOWS\system32\geBrpqnO.dll [2008-12-16 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8C3BAFEF-7A40-49C0-83E5-3568DEF4F907}]
C:\WINDOWS\system32\geBsttqq.dll [2008-12-16 302592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5BF49A2-94F1-42BD-F434-3604812C807D}]
C:\WINDOWS\system32\rsekd83jde.dll - C:\WINDOWS\system32\rsekd83jde.dll [2008-12-16 15000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"P17Helper"=Rundll32 P17.dll []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
"SunJavaUpdateSched"=E:\Program Files\java\bin\jusched.exe [2006-11-09 49263]
"IPAnonymizer"= []
"SystemMgr"=C:\WINDOWS\system32\Ir32_a.exe []
"PCSuiteTrayApplication"=E:\Program Files\nokia\Nokia PC Suite 6\LaunchApplication.exe [2007-03-23 227328]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-07-10 116040]
"QuickTime Task"=F:\software\quicktime\qttask.exe [2008-05-27 413696]
"iTunesHelper"=E:\itunes\iTunesHelper.exe [2008-07-10 289064]
"kdx"=C:\Program Files\Kontiki\KHost.exe [2007-04-23 1032640]
"prunnet"=C:\WINDOWS\system32\prunnet.exe []
"xsgds4fgffght"=C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\winloggn.exe [2008-12-16 15000]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2008-08-18 1447168]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-28 68856]
"kdx"=C:\Program Files\Kontiki\KHost.exe [2007-04-23 1032640]
"prunnet"=C:\WINDOWS\system32\prunnet.exe []
"gadcom"=C:\Documents and Settings\Khuram Ahmed\Application Data\gadcom\gadcom.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 []
"xsgds4fgffght"=C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\winloggn.exe [2008-12-16 15000]
"Jnskdfmf9eldfd"=C:\DOCUME~1\KHURAM~1\LOCALS~1\Temp\csrssc.exe [2008-12-16 22017]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows_Protect]
windows_protect.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Diskeeper"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - F:\Software\Adobe Reader 7\Reader\reader_sl.exe
Microsoft Office.lnk - F:\Software\MSoffice\Office10\OSA.EXE

C:\Documents and Settings\Khuram Ahmed\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="xtusez.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geBrpqnO]
C:\WINDOWS\system32\geBrpqnO.dll [2008-12-16 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
KJhaiufhw3nrih7wefywjfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rsekd83jde.dll [2008-12-16 15000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=C:\WINDOWS\system32\geBrpqnO.dll [2008-12-16 34816]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\geBsttqq

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\Synacast\SynaLive\PE.exe"="C:\Program Files\Common Files\Synacast\SynaLive\PE.exe:*:Enabled:SynacastPE"
"F:\Program Files\ppStream\PPStream.exe"="F:\Program Files\ppStream\PPStream.exe:*:Enabled:PPStream"
"E:\Program\PPMate\ppmate.exe"="E:\Program\PPMate\ppmate.exe:*:Enabled:PPMate"
"E:\Program\PPMate\ppmnet.exe"="E:\Program\PPMate\ppmnet.exe:*:Enabled:PPMate"
"E:\Program Files\PPLive\PPLive.exe"="E:\Program Files\PPLive\PPLive.exe:*:Enabled:PPLive"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"E:\Program Files\utorrent\utorrent.exe"="E:\Program Files\utorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\WINDOWS\kdx\KHost.exe"="C:\WINDOWS\kdx\KHost.exe:*:Enabled:Delivery Manager"
"C:\Program Files\KService\KService.exe"="C:\Program Files\KService\KService.exe:*:Enabled:Delivery Manager Service"
"C:\Program Files\uTorrent2\uTorrent.exe"="C:\Program Files\uTorrent2\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"E:\itunes\iTunes.exe"="E:\itunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ba71662-04d8-11da-8c6b-00308488f40d}]
shell\AutoRun\command - I:\setupSNK.exe


======File associations======

.js - open - "E:\Program Files\dreamweaver\Dreamweaver MX\Dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2008-12-17 19:27:08 ----D---- C:\rsit
2008-12-16 22:14:19 ----A---- C:\WINDOWS\system32\mcrh.tmp
2008-12-16 20:20:07 ----A---- C:\WINDOWS\system32\stu2.exe
2008-12-16 19:37:23 ----D---- C:\Documents and Settings\Khuram Ahmed\Application Data\ESET
2008-12-16 19:35:43 ----D---- C:\Program Files\ESET
2008-12-16 19:35:43 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2008-12-16 16:37:33 ----A---- C:\WINDOWS\system32\rsekd83jde.dll
2008-12-16 16:37:18 ----A---- C:\WINDOWS\system32\byXRkIYR.dll
2008-12-16 16:33:42 ----A---- C:\WINDOWS\system32\xtusez.dll
2008-12-16 16:33:42 ----A---- C:\WINDOWS\system32\tfbgotaa.dll
2008-12-16 16:31:11 ----A---- C:\WINDOWS\system32\vtUmnMdB.dll
2008-12-16 16:30:47 ----SH---- C:\WINDOWS\system32\djwqximf.ini
2008-12-16 16:30:42 ----A---- C:\WINDOWS\system32\fmixqwjd.dll
2008-12-16 16:28:37 ----A---- C:\WINDOWS\system32\qkrxomlc.dll
2008-12-16 16:28:10 ----A---- C:\WINDOWS\system32\7bbf53e4-.txt
2008-12-16 16:27:42 ----ASH---- C:\WINDOWS\system32\qqttsBeg.ini2
2008-12-16 16:27:41 ----ASH---- C:\WINDOWS\system32\qqttsBeg.ini
2008-12-16 16:27:34 ----A---- C:\WINDOWS\system32\geBsttqq.dll
2008-12-16 16:22:32 ----A---- C:\WINDOWS\system32\wvUlihfC.dll
2008-12-16 16:22:24 ----A---- C:\WINDOWS\system32\geBrpqnO.dll
2008-12-12 19:47:51 ----D---- C:\Program Files\Microsoft Silverlight
2008-11-22 21:28:22 ----D---- C:\WINDOWS\system32\Adobe

======List of files/folders modified in the last 1 months======

2008-12-17 19:26:33 ----D---- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-12-17 19:18:05 ----D---- C:\WINDOWS\Temp
2008-12-17 19:17:46 ----A---- C:\WINDOWS\NeroDigital.ini
2008-12-17 18:50:30 ----D---- C:\WINDOWS\Prefetch
2008-12-17 18:47:41 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-16 22:53:21 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-16 22:48:50 ----D---- C:\Program Files\Mozilla Firefox
2008-12-16 22:37:54 ----D---- C:\WINDOWS\system32
2008-12-16 22:37:49 ----D---- C:\WINDOWS\system32\drivers
2008-12-16 21:17:07 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-16 20:20:00 ----A---- C:\WINDOWS\system32\userinit.exe
2008-12-16 19:45:41 ----D---- C:\WINDOWS
2008-12-16 19:42:46 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-12-16 19:37:14 ----D---- C:\Config.Msi
2008-12-16 19:37:10 ----SHD---- C:\WINDOWS\Installer
2008-12-16 19:36:57 ----HD---- C:\WINDOWS\inf
2008-12-16 19:35:43 ----AD---- C:\Program Files
2008-12-16 17:44:53 ----D---- C:\Documents and Settings\Khuram Ahmed\Application Data\uTorrent
2008-12-16 16:55:29 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-12-16 16:22:37 ----SD---- C:\WINDOWS\Tasks
2008-12-03 20:48:26 ----D---- C:\Documents and Settings\Khuram Ahmed\Application Data\SopCast
2008-11-27 21:24:45 ----D---- C:\WINDOWS\Minidump
2008-11-22 21:29:52 ----D---- C:\Documents and Settings\Khuram Ahmed\Application Data\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-04 37376]
R1 crdpkt;Cirond NDIS Usermode I/O Protocol; C:\WINDOWS\system32\DRIVERS\crdpkt.sys [2004-12-03 18048]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-08-18 53256]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2008-08-18 54280]
R1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2003-03-14 4228]
R1 prodrv06;StarForce Protection Environment Driver v6; C:\WINDOWS\System32\drivers\prodrv06.sys [2004-10-07 80576]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2006-08-16 225664]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-08-18 39944]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2008-08-18 71688]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys [2005-01-10 138752]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2008-08-18 30728]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 IntelS51;Intel® 536EP Modem; C:\WINDOWS\system32\DRIVERS\IntelS51.sys [2004-12-10 1903338]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\DRIVERS\ctoss2k.sys [2005-01-10 106496]
R3 P17;Creative SB Audigy LS; C:\WINDOWS\system32\drivers\P17.sys [2005-07-07 1389056]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2001-06-28 13780]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2004-08-04 12416]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 InCDPass;InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys []
S1 InCDRm;InCD Reader; C:\WINDOWS\system32\drivers\InCDRm.sys []
S3 a1wqfz3w;a1wqfz3w; C:\WINDOWS\system32\drivers\a1wqfz3w.sys []
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter; C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-07-16 140416]
S3 BW2NDIS5;BW2NDIS5; C:\WINDOWS\System32\Drivers\BW2NDIS5.sys []
S3 DSDrv4;DSDrv4; \??\F:\Software\DScaler\DSDrv4.sys []
S3 hidgame;Microsoft Hid to Joystick Port Enabler; C:\WINDOWS\system32\DRIVERS\hidgame.sys [2001-08-17 8576]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-09 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-09 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-09 21456]
S3 jnv4_mib;jnv4_mib; C:\WINDOWS\system32\drivers\jnv4_mib.sys []
S3 msgame;Sidewinder HID to Joystick Port Enabler; C:\WINDOWS\system32\DRIVERS\msgame.sys [2001-08-17 35200]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2007-02-22 137216]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2007-02-22 8320]
S3 nmwcdcm;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2007-02-22 12288]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\NSNDIS5.SYS []
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 TSP;TSP; \??\C:\WINDOWS\system32\drivers\klif.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-07-10 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S4 InCDFs;InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-10 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2008-08-18 468224]
R2 Iprip;RIP Listener; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 KService;KService; C:\Program Files\Kontiki\KService.exe [2007-04-23 3068352]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
R2 SimpTcp;Simple TCP/IP Services; C:\WINDOWS\System32\tcpsvcs.exe [2001-08-18 19456]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-10 532264]
S2 AVP;Kaspersky Anti-Virus; E:\kaspersky 8\avp.exe -r []
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-01-09 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2008-08-18 19200]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 LPDSVC;TCP/IP Print Server; C:\WINDOWS\System32\tcpsvcs.exe [2001-08-18 19456]
S3 p2pgasvc;Peer Networking Group Authentication; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 p2pimsvc;Peer Networking Identity Manager; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 p2psvc;Peer Networking; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 PNRPSvc;Peer Name Resolution Protocol; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 SandraDataSrv;Sandra Data Service; F:\Software\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe [2005-01-29 173040]
S3 SandraTheSrv;Sandra Service; F:\Software\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe [2005-01-29 1033192]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2007-03-26 292864]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S4 Diskeeper;Diskeeper; F:\Software\diskeeper\DkService.exe [2003-08-22 426098]

-----------------EOF-----------------

#3 ka2335

ka2335
  • Topic Starter

  • Members
  • 17 posts

Posted 21 December 2008 - 08:49 AM

Also I would like to add: I have no admin rights on my Windows since I got the virus. I can't view hidden files, I can't go to regedit.

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 24 December 2008 - 09:50 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable ESET (NOD32):
Look beside your clock for this icon [image], click it and select the option shown here: [image: nod32_quit.png]. Say OK when prompted.
(Your version may be slightly different.)

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 30 December 2008 - 07:43 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 30 December 2008 - 12:05 PM

Reopened.

#7 ka2335

ka2335
  • Topic Starter

  • Members
  • 17 posts

Posted 30 December 2008 - 01:46 PM

Hello,

Thanks for helping.

Since my last post I have managed to run updated Malwarebytes, NOD32 and Spybot Search and Destroy. These programs did remove some of the "bad stuff", but I was still getting pop ups and odd files in my running processes.

I followed the first post on the following link to do the above http://www.techspot.com/vb/topic116603.html


I have run ComboFix. It restarted after deleting a lot of bad files. But the log only contains the following?!

ComboFix 08-12-29.02 - Khuram Ahmed 2008-12-30 17:31:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.406 [GMT 0:00]
Running from: C:\Documents and Settings\Khuram Ahmed\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *disabled*
FW: Kaspersky Anti-Virus *disabled*
.



New HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:52, on 2008-12-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
E:\itunes\iTunesHelper.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Software\Adobe Reader 7\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Khuram Ahmed\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\java\bin\jusched.exe
O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_a.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\software\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Zone Labs Client] E:\PROGRA~1\ZoneAlarm\zapro.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] E:\Program Files\nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Software\Adobe Reader 7\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Software\MSoffice\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Software\MSoffice\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\java\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - E:\kaspersky 8\avp.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - F:\Software\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - F:\Software\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7677 bytes

#8 ka2335

ka2335
  • Topic Starter

  • Members
  • 17 posts

Posted 30 December 2008 - 01:50 PM

BTW, I do online banking from my computer. Do you think my passwords have been compromised?

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 30 December 2008 - 04:39 PM

Hello.

i do online banking from my computer. Do you think my passwords have been compromised?

There is a good chance. From the logs given, there was a backdoor infection.

Yes, ComboFix's log should be larger than that. Check C:\ComboFix.txt and see if that log is larger or the same.

If it's the same one, please double click ComboFix and let it run again.

From what I see in the HJT log, there may still be an infection present.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode. However, do not use the MsConfig method to edit the Boot.ini.
Important!: Please do not select the Show all checkbox during the scan.

With Regards,
The Panda

#10 ka2335

ka2335
  • Topic Starter

  • Members
  • 17 posts

Posted 31 December 2008 - 11:51 AM

I will carry out your instructions in a few days as I am going away for 3 days to my Mum's.

Thank you very much for your help so far :thumbsup:

Khuram Ahmed

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 31 December 2008 - 11:56 AM

That's fine with me :thumbsup: .

The Panda

#12 ka2335

ka2335
  • Topic Starter

  • Members
  • 17 posts

Posted 03 January 2009 - 10:24 AM

ComboFix log

ComboFix 09-01-01.02 - Khuram Ahmed 2009-01-03 14:15:52.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.397 [GMT 0:00]
Running from: c:\documents and settings\Khuram Ahmed\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *disabled*
FW: Kaspersky Anti-Virus *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\resycled
D:\Autorun.inf
D:\resycled
E:\Autorun.inf
E:\resycled
F:\Autorun.inf
F:\resycled
H:\resycled

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_NETDOWN
-------\Legacy_SECONDARY_LOGON_(SECLOGON)_
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2008-12-24 23:15 . 2008-12-30 17:36 <DIR> d-------- c:\program files\tintinyproxyy
2008-12-24 23:04 . 2008-12-24 23:30 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-24 22:22 . 2008-12-24 22:22 <DIR> d-------- c:\documents and settings\Khuram Ahmed\Application Data\Malwarebytes
2008-12-24 22:22 . 2008-12-24 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-24 22:22 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 22:22 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-21 20:21 . 2008-12-21 20:21 <DIR> d-------- c:\documents and settings\Administrator
2008-12-21 14:15 . 2008-12-21 14:15 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-12-21 14:15 . 2008-12-21 18:56 330 --ah----- c:\windows\system32\vsconfig.xml
2008-12-17 19:27 . 2008-12-17 19:27 <DIR> d-------- C:\rsit
2008-12-16 20:20 . 2004-08-04 07:56 24,576 --a------ c:\windows\system32\stu2.exe
2008-12-16 19:37 . 2008-12-16 19:37 <DIR> d-------- c:\documents and settings\Khuram Ahmed\Application Data\ESET
2008-12-16 19:35 . 2008-12-16 19:35 <DIR> d-------- c:\program files\ESET
2008-12-16 19:35 . 2008-12-16 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-12 19:47 . 2008-12-12 19:47 <DIR> d-------- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 14:19 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-12-24 23:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-16 19:42 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-16 18:18 5,764 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-16 18:18 450,592 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-16 18:18 21,724 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-16 18:18 2,240,032 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-16 17:44 --------- d-----w c:\documents and settings\Khuram Ahmed\Application Data\uTorrent
2008-12-03 20:48 --------- d-----w c:\documents and settings\Khuram Ahmed\Application Data\SopCast
2007-08-09 10:09 18,312 ----a-w c:\documents and settings\Khuram Ahmed\Application Data\GDIPFONTCACHEV1.DAT
2006-11-15 08:30 64,000 ----a-w c:\documents and settings\Khuram Ahmed\Key.exe
2000-06-05 17:47 32,768 ----a-w c:\program files\mozilla firefox\plugins\AppSub32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="e:\program files\java\bin\jusched.exe" [2006-11-09 49263]
"PCSuiteTrayApplication"="e:\program files\nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="f:\software\quicktime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="e:\itunes\iTunesHelper.exe" [2008-07-10 289064]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-08-18 1447168]
"Zone Labs Client"="e:\progra~1\ZoneAlarm\zapro.exe" [2003-08-21 422992]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"Nokia.PCSync"="e:\program files\nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Khuram Ahmed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - f:\software\Adobe Reader 7\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - f:\software\MSoffice\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xtusez.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.wmv3"= e:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.avis"= ff_acm.acm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Diskeeper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program\\PPMate\\ppmate.exe"=
"e:\\Program\\PPMate\\ppmnet.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent2\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\itunes\\iTunes.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"34233:TCP"= 34233:TCP:ppLive
"43768:UDP"= 43768:UDP:ppLive
"5293:TCP"= 5293:TCP:ppLive
"5817:UDP"= 5817:UDP:ppLive
"5138:TCP"= 5138:TCP:ppLive
"3421:UDP"= 3421:UDP:ppLive
"3876:TCP"= 3876:TCP:ppLive
"4755:UDP"= 4755:UDP:ppLive

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 xmasbus;xmasbus;c:\windows\system32\DRIVERS\xmasbus.sys [2005-01-08 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\Drivers\xmasscsi.sys [2005-01-08 5504]
R1 crdpkt;Cirond NDIS Usermode I/O Protocol;c:\windows\system32\DRIVERS\crdpkt.sys [2004-12-03 18048]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2008-08-18 468224]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\rt2500usb.sys [2005-09-22 140416]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys []
S3 jnv4_mib;jnv4_mib; []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com c:
\Shell\Open\command - c:\resycled\boot.com c:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
\Shell\Open\command - d:\resycled\boot.com d:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com e:
\Shell\Open\command - e:\resycled\boot.com e:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
\Shell\Open\command - f:\resycled\boot.com f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ba71662-04d8-11da-8c6b-00308488f40d}]
\Shell\AutoRun\command - I:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\User_Feed_Synchronization-{6687611E-3944-4579-861D-EA8E6ACC75BE}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SystemMgr - c:\windows\system32\Ir32_a.exe
HKLM-Run-IPAnonymizer - (no file)
MSConfigStartUp-Windows_Protect - windows_protect.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
IE: E&xport to Microsoft Excel - f:\software\MSoffice\Office10\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
LSP: f:\program files\NetLimiter\nl_lsp.dll
Trusted Zone: memberservices.tesco.net
Trusted Zone: register.tesco.net
FF - ProfilePath - c:\documents and settings\Khuram Ahmed\Application Data\Mozilla\Firefox\Profiles\jgox7yz2.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 9090
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
FF - plugin: e:\itunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files\java\bin\NPJava11.dll
FF - plugin: e:\program files\java\bin\NPJava12.dll
FF - plugin: e:\program files\java\bin\NPJava13.dll
FF - plugin: e:\program files\java\bin\NPJava14.dll
FF - plugin: e:\program files\java\bin\NPJava32.dll
FF - plugin: e:\program files\java\bin\NPJPI150_10.dll
FF - plugin: e:\program files\java\bin\NPOJI610.dll
FF - plugin: f:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: f:\program files\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: f:\software\Adobe Reader 7\Reader\browser\nppdf32.dll
FF - plugin: f:\software\quicktime\Plugins\npqtplugin.dll
FF - plugin: f:\software\quicktime\Plugins\npqtplugin2.dll
FF - plugin: f:\software\quicktime\Plugins\npqtplugin3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 14:20:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(784)
f:\program files\NetLimiter\nl_lsp.dll
c:\windows\system32\nl_msgc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-03 14:22:31 - machine was rebooted [Khuram Ahmed]
ComboFix-quarantined-files.txt 2009-01-03 14:21:50

Pre-Run: 1,648,545,792 bytes free
Post-Run: 1,599,897,600 bytes free

230


gmer log

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-03 15:21:28
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF76780B0]
SSDT sptd.sys ZwEnumerateKey [0xF767D84E]
SSDT sptd.sys ZwEnumerateValueKey [0xF767DBEE]
SSDT kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) ZwOpenFile [0xF6F36080]
SSDT sptd.sys ZwOpenKey [0xF7678090]
SSDT sptd.sys ZwQueryKey [0xF767DCC6]
SSDT sptd.sys ZwQueryValueKey [0xF767DB46]
SSDT sptd.sys ZwSetValueKey [0xF767DD58]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F5C5D62C 5 Bytes JMP 838F18C0
? System32\Drivers\ab5qpckd.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1504] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 4 Bytes [ C2, 04, 00, 00 ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F768C480] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F768C42C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F76A6AB8] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F768BA9A] sptd.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F6F531C0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F6F52DB0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F6F52C30] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F6F65DF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[TDI.SYS!TdiRegisterDeviceObject] [F6F65DF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisRegisterProtocol] [F6F52C30] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisDeregisterProtocol] [F6F53390] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisCloseAdapter] [F6F531C0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisOpenAdapter] [F6F52DB0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F6F65DF0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\ws2ifsl.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\ip6fw.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F6F53390] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F6F52C30] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F6F52DB0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F6F531C0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\USBSTOR.SYS[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\HIDCLASS.SYS[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mouhid.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F6F52C30] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F6F53390] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F6F531C0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F6F52DB0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice] [F6F65D40] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 83BD31D8
Device \FileSystem\Fastfat \FatCdrom 82E234F8
Device \FileSystem\Fastfat \FatCdrom 838AA274

AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBPDO-0 838BC980
Device \Driver\usbuhci \Device\USBPDO-1 838BC980
Device \Driver\usbuhci \Device\USBPDO-2 838BC980
Device \Driver\usbehci \Device\USBPDO-3 838111D8
Device \Driver\00000049 \Device\00000061 sptd.sys

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Driver\prodrv06 \Device\ProDrv06 E1B3D768
Device \Driver\Ftdisk \Device\HarddiskVolume1 83BD51D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 83BD51D8
Device \Driver\Cdrom \Device\CdRom0 83885120
Device \FileSystem\Rdbss \Device\FsWrap 8390E374
Device \Driver\Ftdisk \Device\HarddiskVolume3 83BD51D8
Device \Driver\Cdrom \Device\CdRom1 83885120
Device \Driver\atapi \Device\Ide\IdePort0 834DE8E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 834DE8E0
Device \Driver\atapi \Device\Ide\IdePort1 834DE8E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 834DE8E0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 834DE8E0
Device \Driver\Ftdisk \Device\HarddiskVolume4 83BD51D8
Device \Driver\USBSTOR \Device\00000081 82E701D8
Device \Driver\USBSTOR \Device\00000081 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\00000082 82E701D8
Device \Driver\USBSTOR \Device\00000082 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 E1655600
Device \Driver\NetBT \Device\NetBt_Wins_Export 82F0E1D8
Device \Driver\NetBT \Device\NetbiosSmb 82F0E1D8
Device \FileSystem\Srv \Device\LanmanServer 82BE021C

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBFDO-0 838BC980
Device \Driver\usbuhci \Device\USBFDO-1 838BC980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82EE71D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 838B797C
Device \Driver\usbuhci \Device\USBFDO-2 838BC980
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82EE71D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 838B797C
Device \Driver\usbehci \Device\USBFDO-3 838111D8
Device \FileSystem\Npfs \Device\NamedPipe 83A512CC
Device \Driver\Ftdisk \Device\FtControl 83BD51D8
Device \FileSystem\Msfs \Device\Mailslot 83742B14
Device \Driver\ab5qpckd \Device\Scsi\ab5qpckd1 834E7AE8
Device \Driver\xmasscsi \Device\Scsi\xmasscsi1 82BB3F00
Device \Driver\ab5qpckd \Device\Scsi\ab5qpckd1Port2Path0Target0Lun0 834E7AE8
Device \Driver\xmasscsi \Device\Scsi\xmasscsi1Port3Path0Target0Lun0 82BB3F00
Device \FileSystem\Fastfat \Fat 82E234F8
Device \FileSystem\Fastfat \Fat 838AA274
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8374492C
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8374492C
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8374492C
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8374492C
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8374492C
Device \FileSystem\Cdfs \Cdfs 82E4B1D8
Device \FileSystem\Cdfs \Cdfs 8382CBD4

---- Modules - GMER 1.0.14 ----

Module _________ F75C6000-F75DE000 (98304 bytes)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 547382813
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1917226769
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA8 0x42 0x5F 0x71 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x33 0x24 0x02 0xF6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA8 0x42 0x5F 0x71 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x33 0x24 0x02 0xF6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x64 0x62 0x03 0x00 ...

---- EOF - GMER 1.0.14 ----
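
Reading a GMER log like the one above by hand comes down to asking who owns each hook. Here every SSDT and IAT entry resolves to one of two drivers: kl1.sys, which GMER labels with its Kaspersky vendor description, and sptd.sys, which carries no description but whose Services\sptd\Cfg keys in the Registry section of the same log point at E:\Program Files\DAEMON Tools\. The only kernel code section GMER could not read from disk is System32\Drivers\ab5qpckd.SYS. The script below is an added example, not part of the thread or of GMER: it groups hooks by owning driver and surfaces unlabelled drivers and not-found-on-disk sections for manual checking. SAMPLE_GMER is a constructed excerpt in the log format shown above, and parse_gmer and review are names chosen here.

```python
"""Group GMER rootkit-scan findings by owning driver and surface the entries a
responder checks first.  Added example, not a GMER feature; SAMPLE_GMER is a
constructed excerpt mirroring the log format in this thread."""
import re
from collections import defaultdict

# SSDT <driver> [(vendor description)] <ZwFunction> [0xADDR]
_SSDT = re.compile(
    r"^SSDT\s+(?P<driver>\S+)(?:\s+\((?P<vendor>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$")
# IAT <module>[<imported symbol>] [ADDR] <driver> [(vendor description)]
_IAT = re.compile(
    r"^IAT\s+(?P<module>\S+)\[(?P<import>[^\]]+)\]\s+\[[0-9A-Fa-f]+\]\s+(?P<driver>\S+)(?:\s+\((?P<vendor>[^)]*)\))?$")
# "? <path> <reason>" marks a kernel code section GMER could not read from disk
_UNREADABLE = re.compile(r"^\?\s+(?P<path>\S+)\s+(?P<reason>.+?)\s*!?$")


def parse_gmer(text: str):
    """Return ({driver: {vendor, ssdt, iat}}, [(path, reason), ...])."""
    drivers = defaultdict(lambda: {"vendor": None, "ssdt": [], "iat": []})
    unreadable = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _SSDT.match(line)):
            d = drivers[m["driver"].lower()]
            d["vendor"] = d["vendor"] or m["vendor"]
            d["ssdt"].append(m["func"])
        elif (m := _IAT.match(line)):
            d = drivers[m["driver"].lower()]
            d["vendor"] = d["vendor"] or m["vendor"]
            d["iat"].append((m["module"], m["import"]))
        elif (m := _UNREADABLE.match(line)):
            unreadable.append((m["path"], m["reason"]))
    return dict(drivers), unreadable


def review(text: str):
    """Human-readable notes: hooking drivers with no vendor description, and
    code sections that are loaded but whose file GMER could not find on disk.
    A hit is a lead to verify (locate the file, check its signature/hash),
    not a verdict."""
    drivers, unreadable = parse_gmer(text)
    notes = []
    for name, d in sorted(drivers.items()):
        total = len(d["ssdt"]) + len(d["iat"])
        if not d["vendor"]:
            notes.append(f"{name}: {total} hook(s), no vendor description; "
                         "identify the driver on disk before trusting it")
    for path, reason in unreadable:
        if "cannot find the file" in reason.lower():
            notes.append(f"{path}: loaded in the kernel but not found on disk ({reason})")
    return notes


# Constructed excerpt in the format of the GMER log posted above.
SAMPLE_GMER = r"""
SSDT sptd.sys ZwCreateKey [0xF76780B0]
SSDT sptd.sys ZwEnumerateKey [0xF767D84E]
SSDT kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) ZwOpenFile [0xF6F36080]
SSDT sptd.sys ZwOpenKey [0xF7678090]

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F5C5D62C 5 Bytes JMP 838F18C0
? System32\Drivers\ab5qpckd.SYS The system cannot find the file specified. !

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F768C480] sptd.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F6F531C0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
"""

if __name__ == "__main__":
    for note in review(SAMPLE_GMER):
        print(note)
```

On the sample this reports sptd.sys (four hooks, no vendor label) and ab5qpckd.SYS (not found on disk) and stays silent about kl1.sys, which is exactly the short list a reader would then check by hand: locate each file, confirm the vendor and signature, and only then decide whether an entry belongs to installed software such as the virtual-drive tool the log's registry section names or needs further work.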

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:15 AM

Posted 03 January 2009 - 12:01 PM

Hello.

Looks like ComboFix didn't finish its routine the first time.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/187332/prunnetexe-virustrojanspywaremalware/
    
    Suspect::
    c:\windows\system32\stu2.exe
    
    Folder::
    c:\program files\tintinyproxyy
    c:\resycled
    d:\resycled
    e:\resycled
    f:\resycled
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Upload Samples Collected by ComboFix
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
Please remind me in your next reply that you submitted a sample.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Re-enable your protection at this time.

Please post back with:
-the ComboFix log
-the MalwareBytes scan log
-a new HijackThis log

Any symptoms of infection now?

With Regards,
The Panda

#14 ka2335

ka2335
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 03 January 2009 - 02:40 PM

hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:39:31, on 03/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Rundll32.exe
E:\itunes\iTunesHelper.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Khuram Ahmed\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\java\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\software\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Zone Labs Client] E:\PROGRA~1\ZoneAlarm\zapro.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] E:\Program Files\nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Software\Adobe Reader 7\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Software\MSoffice\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Software\MSoffice\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\java\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - E:\kaspersky 8\avp.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - F:\Software\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - F:\Software\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7696 bytes


malwarebytes log

Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 5.1.2600 Service Pack 2

03/01/2009 19:38:21
mbam-log-2009-01-03 (19-38-15).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 187157
Time elapsed: 46 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
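
The HijackThis log in this post carries the indicators the thread turns on: an R1 ProxyServer line pointing Internet Explorer at http=127.0.0.1:9090 (the same loopback proxy the earlier ComboFix "Supplementary Scan" shows in Firefox's prefs.js as network.proxy.http / network.proxy.http_port / network.proxy.type 1), and O9/O23 entries marked "(file missing)". A proxy on the machine itself is only legitimate when a known program listens there; when the program that was listening is removed but the setting stays, the browser simply loses connectivity. The script below pulls those indicators out of the log text so the check can be repeated on any exported log. It is an added example, not a tool from the thread, from Trend Micro or from Mozilla; SAMPLE_HJT and SAMPLE_PREFS are constructed excerpts mirroring the lines above, and the function names are chosen here.

```python
"""Triage a HijackThis log and a Firefox prefs.js for the loopback-proxy hijack
and orphaned entries seen in this thread.  Added example, not part of
HijackThis; sample inputs are constructed excerpts of the posted logs."""
import re
from ipaddress import ip_address

# HijackThis R1 line: "R1 - HKCU\...\Internet Settings,ProxyServer = http=127.0.0.1:9090"
_R1_PROXY = re.compile(r"^R1 - .*ProxyServer = (?P<value>.+)$")
# O9/O23 entries whose target no longer exists on disk end in "(file missing)"
_MISSING = re.compile(r"^(?P<kind>O9|O23) - (?P<body>.*)\(file missing\)\s*$")
# Firefox prefs.js: user_pref("network.proxy.http", "127.0.0.1");
_PREF = re.compile(r'user_pref\("(?P<name>network\.proxy\.[a-z_]+)",\s*(?P<val>[^)]+)\);')


def is_local_proxy(host: str) -> bool:
    """True when the proxy host is the machine itself (loopback or 'localhost')."""
    host = host.strip().lower().strip("[]")  # strip IPv6 brackets, e.g. [::1]
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def _proxy_hosts(value: str):
    """Yield hosts from an IE ProxyServer value, which is either 'host:port'
    or the per-protocol form 'http=host:port;https=host:port'."""
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:
            entry = entry.split("=", 1)[1]
        yield entry.rsplit(":", 1)[0]


def triage_hijackthis(log_text: str):
    """Return (finding, detail) tuples for a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _R1_PROXY.match(line)
        if m:
            if any(is_local_proxy(h) for h in _proxy_hosts(m["value"])):
                findings.append(("local_proxy", m["value"]))
            continue
        m = _MISSING.match(line)
        if m:
            findings.append(("orphaned_" + m["kind"], m["body"].strip(" -")))
    return findings


def triage_firefox_prefs(prefs_text: str):
    """Return findings for a prefs.js; network.proxy.type 1 means manual proxy."""
    prefs = {m["name"]: m["val"].strip().strip('"') for m in _PREF.finditer(prefs_text)}
    findings = []
    if prefs.get("network.proxy.type") == "1":
        host = prefs.get("network.proxy.http", "")
        if is_local_proxy(host):
            port = prefs.get("network.proxy.http_port", "")
            findings.append(("local_proxy", f"{host}:{port}"))
    return findings


# Constructed excerpts mirroring the HijackThis and ComboFix output in this thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - E:\kaspersky 8\avp.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""
SAMPLE_PREFS = """
user_pref("browser.startup.homepage", "www.google.co.uk");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 9090);
user_pref("network.proxy.type", 1);
"""

if __name__ == "__main__":
    for finding in triage_hijackthis(SAMPLE_HJT) + triage_firefox_prefs(SAMPLE_PREFS):
        print(*finding, sep=": ")
```

On a live machine the same two settings are read directly from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer and from the profile's prefs.js; working from the exported log instead lets the check run on any host and keeps the evidence the helper asked for.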

#15 ka2335

ka2335
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 03 January 2009 - 02:46 PM

I ran CF with the script, but the first time it didn't submit the files.
Second time it submitted the files.

I will attach both logs

I don't seem to be having any problems now. However, I realised that CF couldn't submit the files the first time because the internet wasn't working on my infected PC.
I looked in the settings for both IE and Mozilla and the settings had been changed to go through a proxy?!! I have since changed them back to normal.


log 1

ComboFix 09-01-01.02 - Khuram Ahmed 2009-01-03 18:16:54.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.398 [GMT 0:00]
Running from: c:\documents and settings\Khuram Ahmed\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Khuram Ahmed\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *disabled*
FW: Kaspersky Anti-Virus *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\tintinyproxyy

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_NETDOWN
-------\Legacy_SECONDARY_LOGON_(SECLOGON)_
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-03 14:31 . 2009-01-03 15:08 345 --a------ c:\windows\gmer.ini
2008-12-24 23:04 . 2009-01-03 18:16 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-24 22:22 . 2008-12-24 22:22 <DIR> d-------- c:\documents and settings\Khuram Ahmed\Application Data\Malwarebytes
2008-12-24 22:22 . 2008-12-24 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-24 22:22 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 22:22 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-21 20:21 . 2008-12-21 20:21 <DIR> d-------- c:\documents and settings\Administrator
2008-12-21 14:15 . 2008-12-21 14:15 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-12-21 14:15 . 2008-12-21 18:56 330 --ah----- c:\windows\system32\vsconfig.xml
2008-12-17 19:27 . 2008-12-17 19:27 <DIR> d-------- C:\rsit
2008-12-16 20:20 . 2004-08-04 07:56 24,576 --a------ c:\windows\system32\stu2.exe
2008-12-16 19:37 . 2008-12-16 19:37 <DIR> d-------- c:\documents and settings\Khuram Ahmed\Application Data\ESET
2008-12-16 19:35 . 2008-12-16 19:35 <DIR> d-------- c:\program files\ESET
2008-12-16 19:35 . 2008-12-16 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-12 19:47 . 2008-12-12 19:47 <DIR> d-------- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 18:18 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-12-24 23:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-24 22:25 134,656 ----a-w c:\windows\Internet Logs\xDBC.tmp
2008-12-24 22:24 359,936 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-12-22 22:00 382,976 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-12-22 22:00 2,693,632 ----a-w c:\windows\Internet Logs\xDBA.tmp
2008-12-21 19:23 70,144 ----a-w c:\windows\Internet Logs\xDB7.tmp
2008-12-21 19:23 13,312 ----a-w c:\windows\Internet Logs\xDB8.tmp
2008-12-21 19:10 416,768 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-12-21 19:10 106,496 ----a-w c:\windows\Internet Logs\xDB6.tmp
2008-12-21 14:35 46,592 ----a-w c:\windows\Internet Logs\xDB4.tmp
2008-12-21 14:35 227,328 ----a-w c:\windows\Internet Logs\xDB3.tmp
2008-12-21 14:22 233,984 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-12-21 14:22 17,408 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-12-16 19:42 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-16 18:18 5,764 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-16 18:18 450,592 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-16 18:18 21,724 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-16 18:18 2,240,032 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-16 17:44 --------- d-----w c:\documents and settings\Khuram Ahmed\Application Data\uTorrent
2008-12-03 20:48 --------- d-----w c:\documents and settings\Khuram Ahmed\Application Data\SopCast
2007-08-09 10:09 18,312 ----a-w c:\documents and settings\Khuram Ahmed\Application Data\GDIPFONTCACHEV1.DAT
2006-11-15 08:30 64,000 ----a-w c:\documents and settings\Khuram Ahmed\Key.exe
2000-06-05 17:47 32,768 ----a-w c:\program files\mozilla firefox\plugins\AppSub32.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-03_14.20.52.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-03 14:30:59 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 21:13:00 811,008 ----a-w c:\windows\gmer.exe
+ 2009-01-03 14:30:59 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-01-03 18:19:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_65c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="e:\program files\java\bin\jusched.exe" [2006-11-09 49263]
"PCSuiteTrayApplication"="e:\program files\nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="f:\software\quicktime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="e:\itunes\iTunesHelper.exe" [2008-07-10 289064]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-08-18 1447168]
"Zone Labs Client"="e:\progra~1\ZoneAlarm\zapro.exe" [2003-08-21 422992]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"Nokia.PCSync"="e:\program files\nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Khuram Ahmed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - f:\software\Adobe Reader 7\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - f:\software\MSoffice\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.wmv3"= e:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Diskeeper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program\\PPMate\\ppmate.exe"=
"e:\\Program\\PPMate\\ppmnet.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent2\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\itunes\\iTunes.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"34233:TCP"= 34233:TCP:ppLive
"43768:UDP"= 43768:UDP:ppLive
"5293:TCP"= 5293:TCP:ppLive
"5817:UDP"= 5817:UDP:ppLive
"5138:TCP"= 5138:TCP:ppLive
"3421:UDP"= 3421:UDP:ppLive
"3876:TCP"= 3876:TCP:ppLive
"4755:UDP"= 4755:UDP:ppLive

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 xmasbus;xmasbus;c:\windows\system32\DRIVERS\xmasbus.sys [2005-01-08 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\Drivers\xmasscsi.sys [2005-01-08 5504]
R1 crdpkt;Cirond NDIS Usermode I/O Protocol;c:\windows\system32\DRIVERS\crdpkt.sys [2004-12-03 18048]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2008-08-18 468224]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\rt2500usb.sys [2005-09-22 140416]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys []
S3 jnv4_mib;jnv4_mib; []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ba71662-04d8-11da-8c6b-00308488f40d}]
\Shell\AutoRun\command - I:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\User_Feed_Synchronization-{6687611E-3944-4579-861D-EA8E6ACC75BE}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
IE: E&xport to Microsoft Excel - f:\software\MSoffice\Office10\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
LSP: f:\program files\NetLimiter\nl_lsp.dll
Trusted Zone: memberservices.tesco.net
Trusted Zone: register.tesco.net
FF - ProfilePath - c:\documents and settings\Khuram Ahmed\Application Data\Mozilla\Firefox\Profiles\jgox7yz2.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 9090
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
FF - plugin: e:\itunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files\java\bin\NPJava11.dll
FF - plugin: e:\program files\java\bin\NPJava12.dll
FF - plugin: e:\program files\java\bin\NPJava13.dll
FF - plugin: e:\program files\java\bin\NPJava14.dll
FF - plugin: e:\program files\java\bin\NPJava32.dll
FF - plugin: e:\program files\java\bin\NPJPI150_10.dll
FF - plugin: e:\program files\java\bin\NPOJI610.dll
FF - plugin: f:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: f:\program files\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: f:\software\Adobe Reader 7\Reader\browser\nppdf32.dll
FF - plugin: f:\software\quicktime\Plugins\npqtplugin.dll
FF - plugin: f:\software\quicktime\Plugins\npqtplugin2.dll
FF - plugin: f:\software\quicktime\Plugins\npqtplugin3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 18:20:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(784)
f:\program files\NetLimiter\nl_lsp.dll
c:\windows\system32\nl_msgc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-03 18:22:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 18:22:16
ComboFix2.txt 2009-01-03 14:22:33

Pre-Run: 1,607,151,616 bytes free
Post-Run: 1,595,850,752 bytes free

222



log 2


ComboFix 09-01-01.02 - Khuram Ahmed 2009-01-03 18:32:02.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.351 [GMT 0:00]
Running from: c:\documents and settings\Khuram Ahmed\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Khuram Ahmed\Desktop\cfscript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *disabled*
FW: Kaspersky Anti-Virus *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-03 14:31 . 2009-01-03 15:08 345 --a------ c:\windows\gmer.ini
2008-12-24 23:04 . 2009-01-03 18:16 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-24 22:22 . 2008-12-24 22:22 <DIR> d-------- c:\documents and settings\Khuram Ahmed\Application Data\Malwarebytes
2008-12-24 22:22 . 2008-12-24 22:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-24 22:22 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 22:22 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-21 20:21 . 2008-12-21 20:21 <DIR> d-------- c:\documents and settings\Administrator
2008-12-21 14:15 . 2008-12-21 14:15 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-12-21 14:15 . 2008-12-21 18:56 330 --ah----- c:\windows\system32\vsconfig.xml
2008-12-17 19:27 . 2008-12-17 19:27 <DIR> d-------- C:\rsit
2008-12-16 20:20 . 2004-08-04 07:56 24,576 --a------ c:\windows\system32\stu2.exe
2008-12-16 19:37 . 2008-12-16 19:37 <DIR> d-------- c:\documents and settings\Khuram Ahmed\Application Data\ESET
2008-12-16 19:35 . 2008-12-16 19:35 <DIR> d-------- c:\program files\ESET
2008-12-16 19:35 . 2008-12-16 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-12 19:47 . 2008-12-12 19:47 <DIR> d-------- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 18:32 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-12-24 23:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-24 22:25 134,656 ----a-w c:\windows\Internet Logs\xDBC.tmp
2008-12-24 22:24 359,936 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-12-22 22:00 382,976 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-12-22 22:00 2,693,632 ----a-w c:\windows\Internet Logs\xDBA.tmp
2008-12-21 19:23 70,144 ----a-w c:\windows\Internet Logs\xDB7.tmp
2008-12-21 19:23 13,312 ----a-w c:\windows\Internet Logs\xDB8.tmp
2008-12-21 19:10 416,768 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-12-21 19:10 106,496 ----a-w c:\windows\Internet Logs\xDB6.tmp
2008-12-21 14:35 46,592 ----a-w c:\windows\Internet Logs\xDB4.tmp
2008-12-21 14:35 227,328 ----a-w c:\windows\Internet Logs\xDB3.tmp
2008-12-21 14:22 233,984 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-12-21 14:22 17,408 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-12-16 19:42 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-16 18:18 5,764 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-16 18:18 450,592 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-16 18:18 21,724 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-16 18:18 2,240,032 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-16 17:44 --------- d-----w c:\documents and settings\Khuram Ahmed\Application Data\uTorrent
2008-12-03 20:48 --------- d-----w c:\documents and settings\Khuram Ahmed\Application Data\SopCast
2007-08-09 10:09 18,312 ----a-w c:\documents and settings\Khuram Ahmed\Application Data\GDIPFONTCACHEV1.DAT
2006-11-15 08:30 64,000 ----a-w c:\documents and settings\Khuram Ahmed\Key.exe
2000-06-05 17:47 32,768 ----a-w c:\program files\mozilla firefox\plugins\AppSub32.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-03_14.20.52.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-03 14:30:59 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 21:13:00 811,008 ----a-w c:\windows\gmer.exe
+ 2009-01-03 14:30:59 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-01-03 18:19:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_65c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="e:\program files\java\bin\jusched.exe" [2006-11-09 49263]
"PCSuiteTrayApplication"="e:\program files\nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="f:\software\quicktime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="e:\itunes\iTunesHelper.exe" [2008-07-10 289064]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-08-18 1447168]
"Zone Labs Client"="e:\progra~1\ZoneAlarm\zapro.exe" [2003-08-21 422992]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"Nokia.PCSync"="e:\program files\nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Khuram Ahmed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - f:\software\Adobe Reader 7\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - f:\software\MSoffice\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.wmv3"= e:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Diskeeper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program\\PPMate\\ppmate.exe"=
"e:\\Program\\PPMate\\ppmnet.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent2\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\itunes\\iTunes.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"34233:TCP"= 34233:TCP:ppLive
"43768:UDP"= 43768:UDP:ppLive
"5293:TCP"= 5293:TCP:ppLive
"5817:UDP"= 5817:UDP:ppLive
"5138:TCP"= 5138:TCP:ppLive
"3421:UDP"= 3421:UDP:ppLive
"3876:TCP"= 3876:TCP:ppLive
"4755:UDP"= 4755:UDP:ppLive

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 xmasbus;xmasbus;c:\windows\system32\DRIVERS\xmasbus.sys [2005-01-08 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\Drivers\xmasscsi.sys [2005-01-08 5504]
R1 crdpkt;Cirond NDIS Usermode I/O Protocol;c:\windows\system32\DRIVERS\crdpkt.sys [2004-12-03 18048]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2008-08-18 468224]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\DRIVERS\rt2500usb.sys [2005-09-22 140416]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys []
S3 jnv4_mib;jnv4_mib; []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ba71662-04d8-11da-8c6b-00308488f40d}]
\Shell\AutoRun\command - I:\setupSNK.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\User_Feed_Synchronization-{6687611E-3944-4579-861D-EA8E6ACC75BE}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
IE: E&xport to Microsoft Excel - f:\software\MSoffice\Office10\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
LSP: f:\program files\NetLimiter\nl_lsp.dll
Trusted Zone: memberservices.tesco.net
Trusted Zone: register.tesco.net
FF - ProfilePath - c:\documents and settings\Khuram Ahmed\Application Data\Mozilla\Firefox\Profiles\jgox7yz2.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
FF - plugin: e:\itunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files\java\bin\NPJava11.dll
FF - plugin: e:\program files\java\bin\NPJava12.dll
FF - plugin: e:\program files\java\bin\NPJava13.dll
FF - plugin: e:\program files\java\bin\NPJava14.dll
FF - plugin: e:\program files\java\bin\NPJava32.dll
FF - plugin: e:\program files\java\bin\NPJPI150_10.dll
FF - plugin: e:\program files\java\bin\NPOJI610.dll
FF - plugin: f:\program files\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: f:\program files\Real Alternative\browser\plugins\nprpjplug.dll
FF - plugin: f:\software\Adobe Reader 7\Reader\browser\nppdf32.dll
FF - plugin: f:\software\quicktime\Plugins\npqtplugin.dll
FF - plugin: f:\software\quicktime\Plugins\npqtplugin2.dll
FF - plugin: f:\software\quicktime\Plugins\npqtplugin3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 18:33:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(784)
f:\program files\NetLimiter\nl_lsp.dll
c:\windows\system32\nl_msgc.dll
.
Completion time: 2009-01-03 18:34:40
ComboFix-quarantined-files.txt 2009-01-03 18:34:04
ComboFix2.txt 2009-01-03 18:22:57
ComboFix3.txt 2009-01-03 14:22:33

Pre-Run: 1,576,607,744 bytes free
Post-Run: 1,563,549,696 bytes free

198



