
Was Infected With Beagle, Still got issues.


2 replies to this topic

#1 Levelup

Levelup

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:48 AM

Posted 19 February 2009 - 10:21 PM

Hi guys,
Got infected with Beagle. As most of you know, Beagle disables some antivirus, firewall, etc. software (it also disabled my HijackThis; it's a new one).
I have run ComboFix a few times and MBAM.
I managed to reinstall NOD32 and get it to work and update, but it won't let me run/uninstall ZoneAlarm, claiming the exe file for either running or uninstalling isn't Win32 compatible.

Posted is the latest log I've made. I know it might be tricky because I had NOD32 running, but I guess it's just something I'll have to deal with (I've gotten too tired of uninstalling and reinstalling NOD32 :S )

Thanks in advance,

Roy


ComboFix 09-02-18.01 - Royh 2009-02-20 0:19:57.6 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.3070.2793 [GMT 2:00]
Running from: c:\documents and settings\Royh\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
FW: ZoneAlarm Pro Firewall *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Royh\Desktop\Roy\Tools\opensource and freeware softwares for almost all windows versions XP SP2 VISTA 2007 [14FEB07] valentine release\Cleaning and Tweaking\O&O Defrag 2000 Freeware\O&O Defrag 2000 Freeware\Desktop_.ini . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-02-18 23:41 . 2008-02-14 18:27 715,992 -ra------ c:\windows\system32\drivers\cfosspeed.sys
2009-02-18 23:41 . 2008-02-14 18:27 285,912 --a------ c:\windows\system32\cfosspeed.dll
2009-02-18 00:24 . 2009-02-20 00:22 <DIR> d-------- c:\documents and settings\Royh\Tracing
2009-02-18 00:16 . 2009-02-18 00:16 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-18 00:16 . 2009-02-18 00:16 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2009-02-18 00:16 . 2009-02-06 18:08 55,152 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
2009-02-18 00:15 . 2009-02-18 00:15 <DIR> d-------- c:\program files\Microsoft Sync Framework
2009-02-18 00:12 . 2009-02-18 00:16 <DIR> d-------- c:\program files\Microsoft
2009-02-18 00:11 . 2009-02-18 00:11 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-17 23:39 . 2009-02-17 23:39 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-17 23:11 . 2009-02-17 23:11 <DIR> d-------- c:\program files\NOS
2009-02-17 23:11 . 2009-02-17 23:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-02-17 22:52 . 2009-02-17 22:52 <DIR> d-------- c:\program files\Boson Software
2009-02-17 22:52 . 2009-02-17 22:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Boson Software
2009-02-17 17:01 . 2009-02-17 17:01 512,096 --a------ c:\windows\system32\drivers\amon.sys
2009-02-17 17:01 . 2009-02-17 17:01 298,104 --a------ c:\windows\system32\imon.dll
2009-02-17 17:01 . 2009-02-17 17:01 15,424 --a------ c:\windows\system32\drivers\nod32drv.sys
2009-02-17 15:48 . 2009-02-17 15:48 338 --a------ c:\windows\system32\SEC.lnk
2009-02-17 15:47 . 2009-02-17 17:51 <DIR> d-------- C:\sec
2009-02-17 15:33 . 2009-02-17 15:33 <DIR> d-------- C:\~ErdUserProfile.$$$
2009-02-17 15:07 . 2009-02-17 15:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-17 15:07 . 2009-02-17 15:07 <DIR> d-------- c:\documents and settings\Royh\Application Data\Malwarebytes
2009-02-17 15:07 . 2009-02-17 15:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 15:07 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 15:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-17 14:41 . 2009-02-17 14:45 <DIR> d-------- c:\documents and settings\Royh\.housecall6.6
2009-02-17 03:15 . 2008-04-14 05:42 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2009-02-17 03:15 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2009-02-17 03:15 . 2008-04-14 13:00 28,288 --a--c--- c:\windows\system32\dllcache\xjis.nls
2009-02-17 03:15 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2009-02-17 03:15 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-02-17 03:15 . 2008-04-13 22:04 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2009-02-17 03:15 . 2008-04-14 05:42 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2009-02-17 03:15 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2009-02-17 03:15 . 2008-04-13 22:04 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2009-02-17 03:15 . 2008-04-14 05:42 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-02-17 03:15 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2009-02-17 03:13 . 2008-04-14 05:41 571,392 --a--c--- c:\windows\system32\dllcache\tintlgnt.ime
2009-02-17 03:12 . 2008-04-14 05:42 456,192 --a--c--- c:\windows\system32\dllcache\smtpsvc.dll
2009-02-17 03:11 . 2008-04-13 23:53 404,990 --a--c--- c:\windows\system32\dllcache\slntamr.sys
2009-02-17 03:10 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2009-02-17 03:09 . 2008-04-14 05:41 482,304 --a--c--- c:\windows\system32\dllcache\pintlgnt.ime
2009-02-17 03:08 . 2001-08-17 14:05 351,616 --a--c--- c:\windows\system32\dllcache\ovcodek2.sys
2009-02-17 03:07 . 2008-04-14 13:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2009-02-17 03:06 . 2008-04-14 13:00 1,158,818 --a--c--- c:\windows\system32\dllcache\korwbrkr.lex
2009-02-17 03:05 . 2008-04-14 05:39 811,064 --a--c--- c:\windows\system32\dllcache\imjp81k.dll
2009-02-17 03:04 . 2008-04-14 05:39 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-02-17 03:03 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2009-02-17 03:02 . 2001-08-17 12:17 629,952 --a--c--- c:\windows\system32\dllcache\eqn.sys
2009-02-17 03:01 . 2001-08-17 13:28 634,134 --a--c--- c:\windows\system32\dllcache\el656ct5.sys
2009-02-17 03:00 . 2001-08-17 12:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2009-02-17 02:59 . 2001-08-17 22:36 256,512 --a--c--- c:\windows\system32\dllcache\devcon32.dll
2009-02-17 02:58 . 2008-04-14 13:00 1,677,824 --a--c--- c:\windows\system32\dllcache\chsbrkr.dll
2009-02-17 02:57 . 2001-08-17 13:28 714,698 --a--c--- c:\windows\system32\dllcache\cbmdmkxx.sys
2009-02-17 02:56 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2009-02-17 02:55 . 2008-04-14 05:41 1,888,992 --a--c--- c:\windows\system32\dllcache\ati3duag.dll
2009-02-17 02:54 . 2001-08-17 12:19 747,392 --a--c--- c:\windows\system32\dllcache\adm8830.sys
2009-02-17 02:53 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2009-02-16 14:11 . 2009-02-16 14:20 <DIR> d-------- C:\I386
2009-02-16 02:59 . 2009-02-17 16:09 <DIR> d-------- c:\documents and settings\Royh\Application Data\drivers
2009-02-13 10:06 . 2009-02-13 10:06 <DIR> d--h----- c:\windows\PIF
2009-02-13 02:48 . 2009-02-13 02:48 <DIR> d-------- c:\program files\Smallvideosoft
2009-02-13 02:48 . 2009-02-13 02:52 <DIR> d-------- C:\Mp3 Output
2009-02-13 02:48 . 2007-03-01 04:18 4,762,112 --a------ c:\windows\system32\NCMedia.dll
2009-02-13 02:48 . 2007-02-25 15:36 383,238 --a------ c:\windows\system32\libmp3lame-0.dll
2009-02-12 01:08 . 2009-02-12 01:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-11 02:18 . 2009-02-11 02:18 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-02-11 02:18 . 2009-02-11 02:18 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-02-11 02:18 . 2009-02-11 02:18 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-02-11 02:18 . 2009-02-11 02:18 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-02-11 02:11 . 2009-02-12 10:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-11 00:25 . 2009-02-11 00:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\U3
2009-02-10 18:39 . 2009-02-10 18:39 <DIR> d-------- c:\program files\AviSynth 2.5
2009-02-10 18:39 . 2004-02-22 10:11 719,872 --a------ c:\windows\system32\devil.dll
2009-02-10 18:39 . 2007-05-17 17:30 318,976 --a------ c:\windows\system32\avisynth.dll
2009-02-10 18:39 . 2004-01-25 00:00 70,656 --a------ c:\windows\system32\i420vfw.dll
2009-02-10 18:38 . 2005-02-13 01:00 186,880 -r-hs---- c:\windows\system32\RLOgg.ax
2009-02-10 18:38 . 2005-01-18 01:26 179,200 -r-hs---- c:\windows\system32\DiracSplitter.ax
2009-02-10 18:38 . 2006-08-16 16:53 175,104 -r-hs---- c:\windows\system32\CoreAAC.ax
2009-02-10 18:38 . 2005-02-06 01:00 92,672 -r-hs---- c:\windows\system32\RLVorbisDec.ax
2009-02-10 18:38 . 2005-02-22 18:55 81,920 -r-hs---- c:\windows\system32\aac_parser.ax
2009-02-10 18:38 . 2005-02-13 01:00 67,584 -r-hs---- c:\windows\system32\RLTheoraDec.ax
2009-02-10 18:38 . 2005-02-13 01:00 51,712 -r-hs---- c:\windows\system32\RLSpeexDec.ax
2009-02-09 00:19 . 2009-02-09 00:19 <DIR> d-------- c:\program files\7-Zip
2009-02-08 23:15 . 2009-02-17 16:59 <DIR> d-------- c:\program files\Passware
2009-02-07 16:38 . 2009-02-07 16:48 <DIR> d-------- c:\program files\Turbocert
2009-02-07 16:38 . 2003-04-16 01:10 110,592 --------- c:\windows\system32\tsccvid.dll
2009-02-06 19:03 . 2009-02-06 19:03 307,576 --a------ c:\windows\WLXPGSS.SCR
2009-02-06 18:52 . 2009-02-06 18:52 49,504 --a------ c:\windows\system32\sirenacm.dll
2009-02-04 23:14 . 2009-02-04 23:14 <DIR> d-------- C:\RkUnhooker
2009-02-04 01:21 . 2009-02-04 01:21 302 --a------ c:\program files\temp995.bat
2009-01-31 18:42 . 2008-04-14 00:26 30,592 --a------ c:\windows\system32\drivers\rndismpx.sys
2009-01-31 18:42 . 2008-04-14 00:26 30,592 --a--c--- c:\windows\system32\dllcache\rndismpx.sys
2009-01-31 18:42 . 2008-04-14 00:26 12,800 --a------ c:\windows\system32\drivers\usb8023x.sys
2009-01-31 18:42 . 2008-04-14 00:26 12,800 --a--c--- c:\windows\system32\dllcache\usb8023x.sys
2009-01-31 18:32 . 2009-01-31 18:32 <DIR> d-------- c:\program files\Windows Mobile Device Handbook
2009-01-31 18:32 . 2009-02-03 21:59 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-01-30 02:54 . 2009-02-04 00:35 <DIR> d-------- c:\documents and settings\Royh\Application Data\Lavasoft
2009-01-28 00:53 . 2009-01-28 00:53 25,992 --a------ c:\windows\system32\pgdfgsvc.exe
2009-01-27 23:02 . 2008-04-14 00:15 26,112 --a------ c:\windows\system32\drivers\usbser.sys
2009-01-27 23:02 . 2008-04-14 00:15 26,112 --a--c--- c:\windows\system32\dllcache\usbser.sys
2009-01-27 23:02 . 2009-01-27 23:02 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-27 23:02 . 2009-01-27 23:02 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-01-27 23:01 . 2008-03-21 13:57 14,640 --------- c:\windows\system32\spmsgXP_2k3.dll
2009-01-27 23:00 . 2009-01-27 23:00 <DIR> d-------- c:\program files\PC Connectivity Solution
2009-01-27 23:00 . 2009-01-27 23:00 <DIR> d-------- c:\program files\Common Files\PCSuite
2009-01-27 23:00 . 2009-01-27 23:00 <DIR> d-------- c:\program files\Common Files\Nokia
2009-01-27 23:00 . 2009-01-27 23:02 <DIR> d-------- c:\documents and settings\Royh\Application Data\PC Suite
2009-01-27 23:00 . 2009-01-27 23:02 <DIR> d-------- c:\documents and settings\Royh\Application Data\Nokia
2009-01-27 23:00 . 2009-01-27 23:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2009-01-27 23:00 . 2008-08-26 09:26 18,816 --a------ c:\windows\system32\drivers\pccsmcfd.sys
2009-01-27 22:59 . 2009-01-27 23:00 <DIR> d-------- c:\program files\Nokia
2009-01-27 22:59 . 2008-09-15 07:29 1,112,288 --a------ c:\windows\system32\wdfcoinstaller01007.dll
2009-01-27 22:59 . 2008-09-15 07:56 659,968 --a------ c:\windows\system32\nmwcdcocls.dll
2009-01-27 22:59 . 2008-09-15 07:56 91,136 --a------ c:\windows\system32\nmwcdcls.dll
2009-01-27 22:59 . 2008-09-15 07:56 22,016 --a------ c:\windows\system32\drivers\ccdcmbo.sys
2009-01-27 22:59 . 2008-09-15 07:56 17,664 --a------ c:\windows\system32\drivers\ccdcmb.sys
2009-01-27 22:59 . 2008-09-15 07:56 8,064 --a------ c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-01-27 22:59 . 2008-09-15 07:56 8,064 --a------ c:\windows\system32\drivers\usbser_lowerflt.sys
2009-01-27 22:58 . 2009-01-27 22:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations
2009-01-27 22:51 . 2009-01-27 22:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-01-27 22:51 . 2008-05-16 12:33 120,744 --a------ c:\windows\system32\drivers\s0016mdm.sys
2009-01-27 22:51 . 2008-05-16 12:33 115,752 --a------ c:\windows\system32\drivers\s0016unic.sys
2009-01-27 22:51 . 2008-05-16 12:33 114,216 --a------ c:\windows\system32\drivers\s0016mgmt.sys
2009-01-27 22:51 . 2008-05-16 12:33 110,632 --a------ c:\windows\system32\drivers\s0016obex.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 22:23 --------- d-----w c:\documents and settings\Royh\Application Data\uTorrent
2009-02-19 22:23 --------- d-----w c:\documents and settings\Royh\Application Data\Skype
2009-02-19 22:22 --------- d-----w c:\program files\cFosSpeed
2009-02-19 22:06 --------- d-----w c:\program files\LogMeIn
2009-02-19 22:04 --------- d-----w c:\documents and settings\Royh\Application Data\skypePM
2009-02-19 14:23 --------- d-----w c:\documents and settings\Royh\Application Data\VMware
2009-02-19 12:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-18 21:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-18 04:30 --------- d-----w c:\documents and settings\Royh\Application Data\TeraCopy
2009-02-18 03:11 --------- d-----w c:\program files\ESET
2009-02-17 22:16 --------- d-----w c:\program files\Windows Live
2009-02-17 20:53 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-17 14:54 --------- d-----w c:\program files\PDF VIEWER
2009-02-17 14:50 --------- d-----w c:\documents and settings\Royh\Application Data\Desktopicon
2009-02-16 09:53 --------- d-----w c:\documents and settings\Royh\Application Data\Dropbox
2009-02-16 09:53 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2009-02-16 09:53 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2009-02-14 21:20 --------- d-----w c:\documents and settings\Royh\Application Data\U3
2009-02-14 02:22 --------- d-----w c:\program files\Google
2009-02-09 23:10 --------- d-----w c:\program files\WinPcap
2009-02-03 22:47 --------- d-----w c:\program files\CubeDesktop
2009-01-27 21:00 --------- d-----w c:\program files\DIFX
2009-01-24 18:26 --------- d-----w c:\program files\uTorrent
2009-01-17 16:42 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2009-01-17 16:31 --------- d-----w c:\program files\pdf995
2009-01-17 16:12 --------- d-----w c:\program files\Halftone Search for Google Desktop
2009-01-16 14:45 --------- d-----w c:\program files\Sun
2009-01-11 21:54 --------- d-----w c:\documents and settings\Royh\Application Data\Thinking Minds Budiling Bytes
2009-01-09 18:34 --------- d-----w c:\program files\RocketDock
2009-01-09 13:13 --------- d-----w c:\documents and settings\Royh\Application Data\Babylon
2009-01-09 13:11 --------- d-----w c:\program files\TopDesk
2009-01-09 13:11 --------- d-----w c:\documents and settings\Royh\Application Data\OtakuSoftware
2009-01-09 12:26 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-04 20:56 --------- d-----w c:\program files\AutoHotkey
2009-01-03 20:12 --------- d-----w c:\program files\RivaTuner v2.01
2009-01-02 12:59 --------- d-----w c:\documents and settings\Royh\Application Data\vlc
2008-12-24 20:53 --------- d-----w c:\program files\Dropbox
2008-12-23 16:27 --------- d-----w c:\program files\Train Signal
2008-12-23 11:39 --------- d-----w c:\program files\VideoLAN
2008-11-10 10:18 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-02-19_ 0.03.29.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-17 12:53:47 212,510 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-19 22:22:30 212,500 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-19 22:23:00 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 09:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 09:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 09:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-03 267056]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Innerpass"="c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\InnerPassFileSharing.exe" [2009-02-19 249856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-17 13529088]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-02-17 949376]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"KMCONFIG"="c:\program files\Keyboard & Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-10 30192]
"Alt-Tab Thingy"="c:\program files\Alt-Tab Thingy v3\attmain.exe" [2007-03-15 109568]
"cFosSpeed"="c:\program files\cFosSpeed\cFosSpeed.exe" [2008-02-14 863448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\H:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Royh^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Royh\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
--a------ 2008-10-13 01:47 2655272 c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 23:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-17 02:31 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-17 02:31 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-12-03 12:47 1205760 c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2006-04-10 09:19 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
-ra------ 2006-05-01 04:07 843776 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-02-16 15:42 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TopDesk]
--a------ 2007-06-20 10:21 1912832 c:\program files\TopDesk\topdesk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2009-02-17 15:39 15872 c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
--a------ 2008-10-03 22:27 267056 c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-17 02:31 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"VMAuthdService"=2 (0x2)
"usnjsvc"=3 (0x3)
"ufad-ws60"=3 (0x3)
"ServiceLayer"=3 (0x3)
"rpcapd"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate1c98e4a77bab57e"=2 (0x2)
"GoogleDesktopManager-092308-165331"=3 (0x3)
"FolderSize"=2 (0x2)
"cFosSpeedS"=2 (0x2)
"AcrSch2Svc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\Program Files\\Acronis\\TrueImageEchoEnterpriseServer\\TrueImage.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:web
"3898:TCP"= 3898:TCP:MSTSC

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-02-17 15424]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-01-16 100368]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-01-16 41680]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-02-18 55152]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Keyboard & Mouse Driver\KMWDSrv.exe [2007-04-05 208896]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-20 47640]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-09-18 54960]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-01-16 81360]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2009-01-03 4224]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\documents and settings\Royh\Desktop\Roy\Tools\165 Standalone Programs for Windows XP\PROGRAMS\SystemTools\Everest\EverestUltimate\kerneld.wnt [2008-10-20 7168]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-17 33752]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-01-27 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-01-27 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-01-27 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-01-27 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-01-27 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-01-27 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-01-27 115752]
S4 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-11-10 30192]
S4 gupdate1c98e4a77bab57e;Google Update Service (gupdate1c98e4a77bab57e);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddc73791-e730-11dd-88d4-001bfc0164df}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\BackupFox.job
- c:\documents and settings\Royh\Desktop\Roy\FireFox Backup\BackupFox.exe [2005-03-21 14:14]

2009-01-26 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1227681559.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2009-02-19 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 04:17]
.
.
------- Supplementary Scan -------
.
mWindow Title =
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: {927ED435-8F65-4E85-AF6F-9E0470CD1846} = 4.2.2.1,192.115.106.35,192.115.106.10,192.115.106.11,62.219.186.11,4.2.2.2,4.2.2.3
FF - ProfilePath - c:\documents and settings\Royh\Application Data\Mozilla\Firefox\Profiles\2zfg3gbd.default\
FF - prefs.js: browser.startup.homepage - www.google.com/ig
FF - component: c:\documents and settings\Royh\Application Data\Mozilla\Firefox\Profiles\2zfg3gbd.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\Royh\Application Data\Mozilla\Firefox\Profiles\2zfg3gbd.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 00:23:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EverestDriver]
"ImagePath"="\??\c:\documents and settings\Royh\Desktop\Roy\Tools\165 Standalone Programs for Windows XP\PROGRAMS\SystemTools\Everest\EverestUltimate\kerneld.wnt"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-436374069-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{56578E94-2B8B-B089-E596-62C168023DC8}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"haacnbmcejcicoii"=hex:6e,62,6c,63,6d,6b,6e,70,64,66,64,63,64,66,6f,68,6b,64,
61,61,62,6c,6c,64,67,65,62,6a,67,6d,70,69,63,67,68,69,61,6f,6c,64,67,67,69,\
"jaacnbmcejcicoiijoen"=hex:66,61,6c,63,67,68,6b,66,61,63,62,62,00,00
"paidafojklcddefmbmgadploiobaapid"=hex:65,61,6c,63,66,68,61,67,68,66,00,62

[HKEY_USERS\S-1-5-21-299502267-436374069-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:6b,95,2c,c8,41,7f,e3,80,22,c2,79,fe,4f,a5,06,dd,46,bb,2e,2b,05,
0c,9e,10,29,8d,97,5f,c3,a0,4e,83,85,d1,e3,36,f7,5b,6b,0d,5c,8c,cf,04,f8,8f,\
"rkeysecu"=hex:bd,c5,a3,d6,c3,9c,a3,8e,b9,a1,1e,b7,af,b4,4b,41
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(532)
c:\windows\system32\relog_ap.dll
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Keyboard & Mouse Driver\KMCONFIG.exe
c:\program files\Keyboard & Mouse Driver\KMProcess.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\cFosSpeed\spd.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-20 0:24:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-19 22:24:44
ComboFix2.txt 2009-02-19 21:31:50
ComboFix3.txt 2009-02-18 22:04:06
ComboFix4.txt 2009-02-17 17:25:10
ComboFix5.txt 2009-02-19 22:19:50

Pre-Run: 17,767,227,392 bytes free
Post-Run: 14,530,506,752 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=,1,2,3
436 --- E O F --- 2009-02-10 23:17:05


#2 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:48 AM

Posted 21 February 2009 - 12:23 PM

Hi,

Welcome to BleepingComputer HijackThis Logs and Malware Removal, Levelup. :thumbup2:
My name is sundavis, and I will be helping you deal with your malware problems today.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.
In the meantime, please refrain from making any changes to your computer, and please do the following:

Step 1
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
In your next reply, please post back:

1. RSIT log.txt and info.txt. Thanks

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:48 AM

Posted 27 February 2009 - 05:28 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



