
HELP ANALYZE ComboFix log


  • This topic is locked
2 replies to this topic

#1 vulcanite

  • Members
  • 1 posts

Posted 12 May 2009 - 01:50 PM

ComboFix 09-05-11.08 - Franky 05/12/2009 23:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1448 [GMT 5.5:30]
Running from: c:\documents and settings\Franky\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Franky\Application Data\inst.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\gxvxcutkduxfmqxoyiduyvyxumltithfqkjlh.sys
c:\windows\system32\gxvxcatjwnmetcklypbwcvwtwkbgikmbklrsu.dll
c:\windows\system32\gxvxccounter
c:\windows\system32\system
c:\windows\system32\system\msxml4.dll
c:\windows\system32\system\msxml4a.dll
c:\windows\system32\system\msxml4r.dll
D:\Autorun.inf
d:\recycler\S-1-5-97-100029508-100000995-100009767-6051.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS
-------\Legacy_TDSSSERV
-------\Legacy_PACKET
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.

2009-05-08 15:12 . 2009-05-08 15:12 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-05 17:37 . 2009-05-05 17:37 -------- d-----w c:\program files\Handmark
2009-04-23 22:24 . 2009-04-24 11:08 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-23 21:06 . 2009-04-23 21:06 -------- d-----w c:\program files\Windows Defender
2009-04-22 12:01 . 2009-04-22 12:01 -------- d-----w c:\documents and settings\Administrator\Application Data\Intel
2009-04-22 12:01 . 2009-04-22 12:01 -------- d-----w c:\documents and settings\LocalService\Application Data\Intel
2009-04-22 12:01 . 2009-04-22 12:01 -------- d-----w c:\documents and settings\NetworkService\Application Data\Intel
2009-04-22 11:57 . 2009-04-22 11:57 -------- d-----w c:\documents and settings\All Users\Application Data\Intel
2009-04-22 11:56 . 2009-04-22 11:56 -------- d-----w c:\documents and settings\Franky\Application Data\Intel
2009-04-20 21:48 . 2009-04-20 21:48 -------- d-----w c:\documents and settings\Franky\Application Data\SkynetResearchDCP.449F66ACC381FDC604DC2AA255FEECEEBBBEE1E5.1
2009-04-20 21:48 . 2009-04-20 21:48 -------- d-----w c:\program files\Skynet Research DCP
2009-04-17 19:52 . 2009-05-10 16:54 355584 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-04-17 19:52 . 2008-05-29 03:58 28416 ----a-w c:\windows\system32\uxtuneup.dll
2009-04-14 15:23 . 2009-04-14 15:25 -------- d-----w c:\documents and settings\All Users\Application Data\Smith Micro
2009-04-14 15:23 . 2009-04-14 15:23 -------- d-----w c:\program files\Smith Micro
2009-04-14 15:23 . 2009-04-14 15:30 -------- d-----w c:\documents and settings\Franky\Local Settings\Application Data\smith micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-12 15:14 . 2007-01-13 09:04 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-10 16:57 . 2006-10-12 15:32 57624 ----a-w c:\documents and settings\Franky\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 16:55 . 2008-10-09 14:25 -------- d-----w c:\program files\Extensis
2009-05-10 16:54 . 2008-02-28 10:22 -------- d-----w c:\program files\TuneUp Utilities 2008
2009-05-05 21:25 . 2006-09-28 14:57 27934 ----a-w c:\windows\system32\nvModes.dat
2009-05-05 16:21 . 2008-06-17 19:54 -------- d-----w c:\program files\Firefox 3
2009-05-05 16:16 . 2008-07-04 14:46 -------- d-----w c:\program files\Microsoft.NET
2009-04-24 11:08 . 2007-04-01 14:59 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-23 22:05 . 2008-09-25 08:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 21:54 . 2009-02-03 16:44 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-23 21:53 . 2009-01-25 08:30 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-22 12:01 . 2007-08-14 06:38 -------- d-----w c:\program files\Common Files\Intel
2009-04-22 12:01 . 2006-09-28 15:11 -------- d-----w c:\program files\Intel
2009-04-22 11:58 . 2007-09-22 17:54 356352 ----a-w c:\windows\system32\AegisI5Installer.exe
2009-04-17 17:59 . 2007-10-28 06:53 -------- d-----w c:\program files\McAfee
2009-04-06 10:02 . 2008-09-25 08:20 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 10:02 . 2008-09-25 08:20 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 23:03 . 2009-04-03 23:03 -------- d-----w c:\program files\Hexacto Games
2009-04-03 17:38 . 2007-05-20 10:42 -------- d-----w c:\program files\Bonjour
2009-04-03 17:36 . 2009-04-02 06:48 -------- d-----w c:\program files\Norton Security Scan
2009-03-30 17:56 . 2009-03-30 17:56 -------- d-----w c:\program files\Ateksoft
2009-03-30 16:14 . 2009-03-30 16:14 -------- d-----w c:\program files\Microsoft Device Emulator
2009-03-30 15:17 . 2009-03-30 15:17 -------- d-----w c:\program files\Megaupload
2009-03-30 15:17 . 2006-09-28 15:11 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-30 15:06 . 2009-03-30 15:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-30 15:06 . 2006-09-28 15:07 -------- d-----w c:\program files\Java
2009-03-30 13:25 . 2009-01-29 16:09 -------- d-----w c:\program files\Resco
2009-03-30 12:51 . 2006-10-31 06:25 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-28 20:32 . 2006-10-13 09:31 -------- d-----w c:\program files\DivX
2009-03-28 20:32 . 2009-03-28 20:32 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-25 21:16 . 2009-03-25 21:16 -------- d-----w c:\program files\ZIO
2009-03-25 05:36 . 2007-10-28 06:54 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 05:36 . 2007-10-28 06:54 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 05:36 . 2007-10-28 06:54 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 05:36 . 2007-10-28 06:54 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 05:35 . 2007-10-28 06:54 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-09 13:32 . 2007-11-01 08:00 154688 ---ha-w c:\windows\system32\mlfcache.dat
2009-03-06 16:31 . 2009-03-06 16:31 47360 ----a-w c:\documents and settings\Franky\Application Data\pcouffin.sys
2009-03-06 16:31 . 2006-10-13 09:35 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-04 17:31 . 2009-02-11 13:01 4202496 ----a-w c:\windows\system32\drivers\NETw5x32.sys
2009-02-27 15:13 . 2008-04-24 18:03 2696616 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-02-27 14:27 . 2008-04-07 16:50 0 ----a-w c:\documents and settings\Franky\Application Data\CopyToGo.dat
2009-02-27 01:59 . 2009-02-27 01:59 204800 ----a-w c:\windows\system32\NetProvCredMan.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w c:\program files\opera\program\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w c:\program files\opera\program\plugins\ssldivx.dll
2007-11-12 21:14 . 2007-11-12 21:14 110592 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-05-03 05:03 . 2008-05-01 22:00 24 --sh--w c:\windows\S2A25436B.tmp
2006-11-05 13:42 . 2006-11-05 13:41 56 --sha-r c:\windows\system32\037551233B.sys
2006-11-05 13:42 . 2006-11-05 13:41 2098 --sha-w c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2006-01-09 18:02 662016 DDE9597A3311748C1519444E2BC147BD c:\windows\$hf_mig$\KB912945\SP2QFE\wininet.dll
[-] 2006-01-09 18:08 658432 D9E3F8440D208698B3F0E5CFAC26DAA1 c:\windows\$NtUninstallKB912945$\wininet.dll
[-] 2006-05-10 05:25 663552 D94CFFDB53E7AC867438E2DFD50E7CBC c:\windows\$NtUninstallKB918899$\wininet.dll
[-] 2006-06-23 11:25 664576 64CE26DB72810B30F7855EA51E1DF836 c:\windows\$NtUninstallKB922760$\wininet.dll
[-] 2006-09-14 08:31 664576 D207370287CF769AEBEBF03837784963 c:\windows\$NtUninstallKB925454$\wininet.dll
[-] 2006-10-23 15:34 664576 231EF4179ACABE486376B5CA893F1076 c:\windows\$NtUninstallKB928090$\wininet.dll
[-] 2007-01-04 14:05 665088 3FFA1573FC274E5AA7467D03941C45EE c:\windows\$NtUninstallKB931768$\wininet.dll
[-] 2007-02-20 09:52 665600 B258C922D22DEEC880B60720531D7627 c:\windows\$NtUninstallKB933566$\wininet.dll
[-] 2007-04-18 12:46 665600 4261BA03AFD659DE04F0A17DFBDD454D c:\windows\$NtUninstallKB937143$\wininet.dll
[-] 2007-06-26 14:35 665600 E1A3DD68B5380B360A7310A64D9BB188 c:\windows\$NtUninstallKB939653$\wininet.dll
[-] 2007-08-22 12:55 665600 A1BC17EB3758D73C3938B2318820F5B4 c:\windows\$NtUninstallKB942615$\wininet.dll
[-] 2007-10-11 05:57 666112 80D660A49E0D118144423099B2A9F5DA c:\windows\$NtUninstallKB944533$\wininet.dll
[-] 2007-12-07 00:44 666112 085A7C37F9C6EDE1BA870B7DBEC06399 c:\windows\$NtUninstallKB947864$\wininet.dll
[7] 2007-11-30 18:56 666112 E7F441CDE6E418BB68FC700872C004A0 c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2008-02-16 09:32 666112 BB1EACD6AB47E78EBCA02EB781550D55 c:\windows\system32\wininet.dll
[-] 2008-02-16 09:32 666112 BB1EACD6AB47E78EBCA02EB781550D55 c:\windows\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-11-30 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\Franky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-21 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-02-20 1191936]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-06 122940]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-23 516440]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-02-27 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-27 1202448]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2008-02-22 86016]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2006-06-28 1355042]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Suitcase 11.0.lnk - c:\windows\Installer\{7451C9B5-3E10-4E59-AD37-AB7438D84288}\_01D57C9244869186542E24.exe [2009-5-10 9062]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-03-26 12:48 21840 ----a-w c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Suitcase Startup.lnk
backup=c:\windows\pss\Suitcase Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Franky^Start Menu^Programs^Startup^Adobe Media Player.lnk]
path=c:\documents and settings\Franky\Start Menu\Programs\Startup\Adobe Media Player.lnk
backup=c:\windows\pss\Adobe Media Player.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Franky^Start Menu^Programs^Startup^Jajah Phone Buddy.lnk]
path=c:\documents and settings\Franky\Start Menu\Programs\Startup\Jajah Phone Buddy.lnk
backup=c:\windows\pss\Jajah Phone Buddy.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Franky^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=c:\documents and settings\Franky\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"Google Update"="c:\documents and settings\Franky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\JustVoip.com\\JustVoip\\JustVoip.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Franky\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Franky\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Jeyo\\JMC_WindowsMobile\\JMC_WM.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Franky\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/25/2009 14:00 64160]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [1/12/2006 19:57 13696]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/19/2009 03:04 953168]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/29/2008 02:13 210216]
R2 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt 2009\ArcNameService.exe [12/19/2008 09:28 199000]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 19:19 13592]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [1/29/2009 23:32 42304]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [1/12/2006 19:59 13568]
R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [6/7/2007 22:46 18944]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [1/29/2009 23:32 9040]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [1/29/2009 23:32 19392]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [4/23/2007 20:58 10752]
S3 USB_RNDIS_51;USB Remote NDIS Device Driver;c:\windows\system32\drivers\usb8023.sys [8/10/2004 10:21 12800]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40930de3-21c7-11de-bfb0-0015c53d75ef}]
\Shell\AutoRun\command - i:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe
\Shell\open\command - i:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{441c663a-4dc3-11dd-bd87-00085c5cfeb9}]
\Shell\AutoRun\command - SSVICHOSST.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{630bf130-a014-11dd-be7c-0015c53d75ef}]
\Shell\AutoRun\command - h:\system\DriveGuard\DriveProtect.exe -run 
\Shell\Explore\Command - h:\system\DriveGuard\DriveProtect.exe -run  
\Shell\Open\Command - h:\system\DriveGuard\DriveProtect.exe -run 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b415e75-9f2c-11dc-bbf9-101111111111}]
\Shell\AutoRun\command - f:\.\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85c70fc6-be13-11dc-bc39-0015c53d75ef}]
\Shell\AutoRun\command - E:\install.EXE id= ver=1.0.0.0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9489ad4c-6b4d-11dd-bde4-0015c53d75ef}]
\Shell\AutoRun\command - h:\autorun\AutoStart.exe
\Shell\Explore\Command - h:\autorun\AutoStart.exe
\Shell\Open\Command - h:\autorun\AutoStart.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 03:39]

2009-05-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:51]

2009-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3823019223-373788724-2089997084-1006.job
- c:\documents and settings\Franky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:16]

2009-04-14 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-10-28 05:23]

2009-03-31 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-10-28 05:23]

2009-05-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 13:50]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{6BB63D88-1867-4FA4-ACDC-0510AE4956E4} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garena.com/portal/
uInternet Settings,ProxyServer = 192.168.1.1:3128
uInternet Settings,ProxyOverride = localhost, 127.0.0.1;*.local;<local>
uSearchURL,(Default) = hxxp://in.search.yahoo.com/search?fr=mcafee&p=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.3424.31/TSWeb.cab
FF - ProfilePath - c:\documents and settings\Franky\Application Data\Mozilla\Firefox\Profiles\rvrjdpd9.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Franky\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Firefox 3\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Firefox 3\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppl3260.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nprjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-12 23:59
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1472)
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(3992)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\documents and settings\Franky\Local Settings\Application Data\Microsoft\Live Mesh\Bin\WLCShell.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Dell\QuickSet\dadkeyb.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\system32\imapi.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\RAXCO\PerfectDisk\PDAgent.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\drivers\WTSrv.exe
c:\program files\Intel\WiFi\bin\WLKEEPER.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\WISPTIS.EXE
c:\docume~1\Franky\LOCALS~1\temp\clclean.0001
c:\progra~1\MICROS~4\rapimgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Extensis\Extensis Suitcase 11\Suitcase.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-05-12 0:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-12 18:35

Pre-Run: 2,303,377,408 bytes free
Post-Run: 2,191,880,192 bytes free

375 --- E O F --- 2009-04-15 09:59
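The log above is the poster's own ComboFix output. The Python script below is an added example, not part of the thread and not a ComboFix feature, that shows how a responder would pull the first-look indicators out of a log like this one: protection reported disabled in the header, random-named files deleted from system32, Autorun.inf and RECYCLER executables on a removable drive, removed services correlated to those files by name prefix (GXVXCSERV alongside the gxvxc* files) or by the TDSS family name, Security Center override values, AutoRun commands under MountPoints2, and a configured proxy. SAMPLE_LOG is an excerpt copied from the log above; the banner-based section parsing, the entropy threshold, the five-character prefix correlation and the finding names are my own assumptions.

```python
# Added example (not from the thread): first-pass triage of a ComboFix log.
# SAMPLE_LOG is an excerpt copied from the log posted above; the heuristics
# (section parsing, entropy threshold, prefix correlation) are assumptions.
import math
import re
from collections import Counter

SAMPLE_LOG = r"""
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Franky\Application Data\inst.exe
c:\windows\system32\drivers\gxvxcutkduxfmqxoyiduyvyxumltithfqkjlh.sys
c:\windows\system32\gxvxcatjwnmetcklypbwcvwtwkbgikmbklrsu.dll
c:\windows\system32\system\msxml4.dll
D:\Autorun.inf
d:\recycler\S-1-5-97-100029508-100000995-100009767-6051.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_GXVXCSERV.SYS
-------\Legacy_TDSSSERV
-------\Legacy_PACKET
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-11-30 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{441c663a-4dc3-11dd-bd87-00085c5cfeb9}]
\Shell\AutoRun\command - SSVICHOSST.exe
------- Supplementary Scan -------
uStart Page = hxxp://www.garena.com/portal/
uInternet Settings,ProxyServer = 192.168.1.1:3128
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")      # "((( Other Deletions )))"
DASH_RE = re.compile(r"^-{3,}\s+(.+?)\s+-{3,}$")    # "------- Supplementary Scan -------"
REG_KEY_RE = re.compile(r"^\[(.+)\]$")              # "[HKEY_...]"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(filename: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """Assumed heuristic: a long all-letter stem with high entropy is machine-generated."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) >= min_len and stem.isalpha() and shannon_entropy(stem.lower()) >= min_entropy


def iter_sections(text: str):
    """Yield (section, line); lines before the first banner belong to 'Header'."""
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = BANNER_RE.match(line) or DASH_RE.match(line)
        if m:
            section = m.group(1)
            continue
        yield section, line


def triage(text: str) -> list:
    """Return (finding_kind, log_line) pairs worth a responder's first look."""
    findings = []
    random_prefixes = set()   # 5-char prefixes of random-named files, for service correlation
    current_key = ""          # Other Deletions precede Drivers/Services in ComboFix output
    for section, line in iter_sections(text):
        low = line.lower()
        if section == "Header":
            if low.startswith(("av:", "fw:")) and "disabled" in low:
                findings.append(("protection-disabled", line))
        elif section == "Other Deletions":
            name = line.rsplit("\\", 1)[-1]
            if "\\windows\\system32" in low and looks_random(name):
                random_prefixes.add(name[:5].lower())
                findings.append(("random-named-system-file", line))
            elif name.lower() == "autorun.inf":
                findings.append(("autorun-inf", line))
            elif "\\recycler\\" in low and low.endswith((".exe", ".com", ".scr")):
                findings.append(("recycler-executable", line))
        elif section == "Drivers/Services":
            svc = line.split("\\")[-1].lower().split("_", 1)[-1]   # Service_X / Legacy_X -> x
            if "tdss" in svc or any(svc.startswith(p) for p in random_prefixes):
                findings.append(("removed-service-linked", line))
        elif section == "Reg Loading Points":
            m = REG_KEY_RE.match(line)
            if m:
                current_key = m.group(1).lower()
                continue
            if "security center" in current_key and low.endswith("=dword:00000001") \
                    and ("override" in low or "disablemonitoring" in low):
                findings.append(("security-center-override", f"{current_key}: {line}"))
            elif "mountpoints2" in current_key and "\\shell\\autorun\\command" in low:
                findings.append(("mountpoints2-autorun", line))
        elif section == "Supplementary Scan":
            if low.startswith("uinternet settings,proxyserver"):
                findings.append(("proxy-configured", line))
    return findings


if __name__ == "__main__":
    for kind, entry in triage(SAMPLE_LOG):
        print(f"{kind:28} {entry}")
```

The script only points a responder at what to check next: the proxy entry is listed because a user-level proxy is worth confirming with the owner (192.168.1.1:3128 may well be a legitimate LAN proxy), and the Sigcheck section is deliberately not interpreted. Run it against a full log by replacing SAMPLE_LOG with the file contents; sections it does not know are ignored.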


#2 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 26 May 2009 - 12:11 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 30 May 2009 - 05:15 PM

Due to the lack of feedback This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



