
Autorun Worm infection


This topic is locked
2 replies to this topic

#1 obscurant1st

obscurant1st

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 03 September 2009 - 03:19 PM

All the files keep coming back after removal.

ComboFix log

ComboFix 09-09-02.02 - Analyst 09/03/2009 22:57.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.626 [GMT 5.5:30]
Running from: c:\documents and settings\Analyst\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\alexa toolbar
c:\program files\alexa toolbar\uninstall.exe
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\FBStoolbar.dll
c:\program files\Fast Browser Search\fbstoolbar.manifest
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\BHO.dll
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\FBSPlugin.dll
c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.exe
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbhelper.dll
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\SearchGuardPlus.exe
c:\program files\SGPSA
c:\program files\SGPSA\BHasdaO.dll
c:\windows\Downloaded Program Files\JjedvMTDtPyqp9ZTrgw.Ttf
c:\windows\Fonts\2knxWtVjbWXmUdGG.Ttf
c:\windows\Fonts\A97CRaCB.fon
c:\windows\Fonts\cD9KArZZUHxCqnyM.Ttf
c:\windows\Fonts\cFDPmh3MDPjcHMPd.Ttf
c:\windows\Fonts\CRp3uYCmcxMp3qQn9.Ttf
c:\windows\Fonts\eCgMhGRkPUcdutd0.Ttf
c:\windows\Fonts\eSEWZRdrSK3NeEJVy4.Ttf
c:\windows\Fonts\FTQ3Xu3wZEZsJ358S.Ttf
c:\windows\Fonts\G8qZ5hBX7H.Ttf
c:\windows\Fonts\GanWM9z57VChEAfV.Ttf
c:\windows\Fonts\HXxfduw9KeQTCeP6Z.Ttf
c:\windows\Fonts\MhaUKGazkr3fZZKp.Ttf
c:\windows\Fonts\Qq3qg7RGSp9raxWW.Ttf
c:\windows\Fonts\RCZbVbjCY6wYszD3.Ttf
c:\windows\Fonts\S8a8cnEuaydPJGg8.Ttf
c:\windows\Fonts\usMywhxbgf5N8e9u6.Ttf
c:\windows\Fonts\vztr58qstaca8y8j.Ttf
c:\windows\Fonts\WD7eC3pJvgmYQYNwrVP.Ttf
c:\windows\Fonts\WFsARAucm7DAuX8.Ttf
c:\windows\Fonts\Wt2KuAXTXmrRUbAq.Ttf
c:\windows\Fonts\yGMHUAj5Npydj8FZ.Ttf
c:\windows\Fonts\YywxhF7TSnkktrJw.Ttf
c:\windows\Installer\49db6.msi
c:\windows\Installer\c442.msi
c:\windows\regedit.com
c:\windows\system32\08223B03.dll
c:\windows\system32\122B901E.dll
c:\windows\system32\2EF0D734.dll
c:\windows\system32\2exJW3dsaTgWrf5uAPadmHN.dll
c:\windows\system32\6to4.dll
c:\windows\system32\704C3595.dll
c:\windows\system32\Am274u6Rqq2cTzTpjCGKy.inf
c:\windows\system32\BMsg6pdMD4ht.dll
c:\windows\system32\BtmBAnd89jc9PsPq5EKNj.inf
c:\windows\system32\CDuAUVkGy9.dll
c:\windows\system32\cRsAQd4hw.dll
c:\windows\system32\CRZfQurd2g58gXVgHSDbNhU.inf
c:\windows\system32\dfc8ac3ed7da.dll
c:\windows\system32\dhDhwS7fFW.dll
c:\windows\system32\dllcache\systembox.bak
c:\windows\system32\drivers\pcidump.sys
c:\windows\system32\drivers\WmiSvc.sys
c:\windows\system32\e863f72a04b6(2).dll
c:\windows\system32\e863f72a04b6(3).dll
c:\windows\system32\e863f72a04b6(4).dll
c:\windows\system32\e863f72a04b6(5).dll
c:\windows\system32\e863f72a04b6(6).dll
c:\windows\system32\e863f72a04b6(7).dll
c:\windows\system32\e863f72a04b6.dll
c:\windows\system32\ed78ab9.dll
c:\windows\system32\emHnPuBAaF7XjuXBbdxSg.dll
c:\windows\system32\eNyN5X48HrtXc.dll
c:\windows\system32\eYNMAnskCCBQCc8Jp.dll
c:\windows\system32\fRWSJda7RbSuR3jFSmMBy.inf
c:\windows\system32\Ias.d
c:\windows\system32\kFDDTTA2NjqgtbCWBxS.inf
c:\windows\system32\killdll.dll
c:\windows\system32\ndxq9awMc.dll
c:\windows\system32\PERrGx5DkqSbQdwauCRQH.dll
c:\windows\system32\pj83ZgsqjcWUNwjrRp42tFw.dll
c:\windows\system32\Q9q2MHJ3uTBErM7wc.inf
c:\windows\system32\rfpz9wwyy2np.dll
c:\windows\system32\S9UQCTA4tnRSJhfxC7Vfj.inf
c:\windows\system32\SCEVFJRCmaB7.dll
c:\windows\system32\sDV2mGwkejdKa74QJzsjw.inf
c:\windows\system32\skcfujQ5EDN.dll
c:\windows\system32\SrNRKs5F7Rkv9hp.inf
c:\windows\system32\X5T4kV8DNmMbdRXAUx82K.inf
c:\windows\system32\Y4npJWJNr.dll
c:\windows\system32\YceNTvut.ini
c:\recycler\S-1-5-21-1292428093-179605362-725345543-1003 . . . . failed to delete

Infected copy of c:\windows\system32\comres.dll was found and disinfected
Restored copy from - c:\windows\system32\comres.dl

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{6AAE5527-48AA-4C74-871F-49DAFFD3A38D}\RP440\A0291309.exe
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_WINDOWNDNS
-------\Legacy_WMISVC
-------\Service_6to4
-------\Service_WmiSvc


(((((((((((((((((((((((((   Files Created from 2009-08-03 to 2009-09-03  )))))))))))))))))))))))))))))))
.
2009-09-03 04:00 . 2009-09-03 04:00	--------	d-----w-	c:\documents and settings\Analyst\Local Settings\Application Data\Xenocode
2009-09-03 03:58 . 2009-09-03 05:17	--------	d-----w-	c:\program files\Common Files\Akamai
2009-09-03 03:58 . 2009-09-03 05:49	--------	d-----w-	c:\program files\Kuma Games
2009-09-03 02:49 . 2009-09-03 02:49	--------	d-----w-	c:\documents and settings\Analyst\Local Settings\Application Data\AVG Security Toolbar
2009-09-03 00:02 . 2009-09-03 00:02	--------	d-----w-	c:\program files\WZCBDL Service
2009-09-03 00:01 . 2009-09-03 00:01	--------	d-----w-	c:\program files\NIOC Service
2009-09-02 23:02 . 2009-09-02 23:02	--------	d-----w-	c:\documents and settings\Administrator\Application Data\VMware
2009-09-02 22:19 . 2009-09-02 22:22	--------	d--h--w-	C:\$AVG8.VAULT$
2009-09-02 21:01 . 2009-09-02 21:01	11952	----a-w-	c:\windows\system32\avgrsstx.dll
2009-09-02 21:01 . 2009-09-02 21:01	108552	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2009-09-02 21:01 . 2009-09-02 21:01	335240	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2009-09-02 21:01 . 2009-09-02 21:01	27784	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2009-09-02 21:01 . 2009-09-02 21:01	--------	d-----w-	c:\windows\system32\drivers\Avg
2009-09-02 21:01 . 2009-09-03 02:25	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-02 21:00 . 2009-09-02 21:00	--------	d-----w-	c:\program files\AVG
2009-09-02 21:00 . 2009-09-02 21:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg8
2009-09-02 20:46 . 2009-09-02 20:46	--------	d-----w-	c:\documents and settings\Admin\Application Data\AVG8
2009-09-02 19:42 . 2008-04-13 16:39	142592	-c--a-w-	c:\windows\system32\dllcache\aec.sys
2009-09-02 19:42 . 2008-04-13 16:39	142592	----a-w-	c:\windows\system32\drivers\aec.sys
2009-09-02 19:41 . 2009-09-02 19:41	19456	-c--a-w-	c:\windows\system32\dllcache\6to4.dll
2009-09-02 19:35 . 2009-09-02 19:35	--------	d-----w-	c:\windows\system32\wbem\Repository
2009-09-02 19:34 . 2009-09-02 19:34	--------	d-----w-	c:\documents and settings\Admin\Local Settings\Application Data\Bron.tok-18-29
2009-09-02 19:34 . 2009-09-02 19:34	--------	d-----w-	c:\documents and settings\Admin\Local Settings\Application Data\Bron.tok-18-24
2009-09-02 19:32 . 2009-09-02 19:32	--------	d-----w-	c:\windows\system32\KB905474
2009-09-02 19:17 . 2009-09-02 19:30	--------	d--h--w-	c:\documents and settings\Analyst\Recent(2)
2009-09-02 17:10 . 2009-09-02 19:15	--------	d-----w-	c:\documents and settings\Administrator\Application Data\AdwareAlert
2009-09-02 17:09 . 2009-09-02 17:09	--------	d-----w-	C:\RECYCLER(2)
2009-09-02 16:35 . 2009-09-02 19:15	--------	d-----w-	c:\documents and settings\Admin\Application Data\AdwareAlert
2009-09-02 16:35 . 2009-09-02 19:15	--------	d-----w-	c:\program files\AdwareAlert
2009-09-02 16:29 . 2009-09-02 16:29	91700	----a-w-	c:\windows\system32\drivers\klin.dat
2009-09-02 16:29 . 2009-09-02 16:29	85860	----a-w-	c:\windows\system32\drivers\klick.dat
2009-09-02 16:29 . 2009-09-03 17:36	2035744	--sha-w-	c:\windows\system32\drivers\fidbox.dat
2009-09-02 16:29 . 2009-09-03 17:35	40736	--sha-w-	c:\windows\system32\drivers\fidbox2.dat
2009-09-02 16:25 . 2007-06-28 07:21	206088	----a-w-	c:\windows\system32\klogon.dll
2009-09-02 16:18 . 2009-09-02 16:18	--------	d-sh--w-	c:\documents and settings\Administrator\IETldCache
2009-09-02 08:15 . 2009-09-02 19:18	--------	d-----w-	C:\ComboFix(2)
2009-09-01 07:56 . 2009-09-01 07:56	--------	d-sh--w-	c:\documents and settings\NetworkService\PrivacIE
2009-09-01 07:54 . 2009-09-01 07:54	--------	d-sh--w-	c:\documents and settings\NetworkService\IETldCache
2009-08-25 21:37 . 2009-08-25 21:37	--------	d-----w-	c:\documents and settings\Vundo Reserch.SYS4\IETldCache
2009-08-25 10:03 . 2009-08-26 09:30	--------	d-----w-	c:\documents and settings\Analyst\Application Data\skypePM
2009-08-25 06:09 . 2009-09-02 19:34	--------	d-----w-	c:\documents and settings\Analyst\Application Data\Skype
2009-08-13 07:22 . 2009-08-13 07:22	--------	d-sh--w-	c:\documents and settings\TempUser\IETldCache
2009-08-12 04:16 . 2009-07-10 13:27	1315328	-c----w-	c:\windows\system32\dllcache\msoe.dll
2009-08-12 03:53 . 2009-08-12 03:53	--------	d-----w-	c:\documents and settings\Analyst\Local Settings\Application Data\Yahoo
2009-08-05 09:01 . 2009-08-05 09:01	204800	-c----w-	c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 02:07 . 2009-08-05 02:07	--------	d-----w-	c:\documents and settings\Analyst\Local Settings\Application Data\Symantec_Corporation
2009-08-05 02:07 . 2009-08-05 02:07	--------	d-----w-	c:\documents and settings\Analyst\Application Data\Symantec
2009-08-04 23:51 . 2009-08-04 23:51	--------	d-----w-	c:\documents and settings\Admin\Application Data\Symantec
2009-08-04 23:51 . 2009-08-04 23:51	--------	d-----w-	c:\documents and settings\Admin\Local Settings\Application Data\Symantec_Corporation
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 17:35 . 2008-01-24 07:44	--------	d-----w-	c:\documents and settings\LocalService\Application Data\VMware
2009-09-03 17:35 . 2008-01-24 07:44	--------	d-----w-	c:\documents and settings\All Users\Application Data\VMware
2009-09-03 17:34 . 2009-09-02 16:29	32372	--sha-w-	c:\windows\system32\drivers\fidbox.idx
2009-09-03 17:34 . 2009-09-02 16:29	7952	--sha-w-	c:\windows\system32\drivers\fidbox2.idx
2009-09-03 10:32 . 2008-12-15 05:35	--------	d-----w-	c:\documents and settings\Analyst\Application Data\VMware
2009-09-03 10:19 . 2008-12-15 05:18	--------	d-----w-	c:\documents and settings\Analyst\Application Data\OpenOffice.org2
2009-09-03 10:17 . 2008-12-15 05:09	--------	d-----w-	c:\documents and settings\Analyst\Application Data\FileZilla
2009-09-03 06:20 . 2008-01-24 10:49	--------	d-----w-	c:\program files\Java
2009-09-03 00:46 . 2008-07-24 10:25	--------	d-----w-	c:\documents and settings\Admin\Application Data\VMware
2009-09-03 00:31 . 2008-01-24 07:59	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2009-09-03 00:13 . 2008-01-24 08:18	--------	d-----w-	c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-09-03 00:10 . 2009-07-24 17:49	--------	d-----w-	c:\documents and settings\Admin\Application Data\Skype
2009-09-03 00:03 . 2008-05-16 12:36	--------	d-----w-	c:\documents and settings\Admin\Application Data\OpenOffice.org2
2009-09-03 00:01 . 2009-04-07 08:57	--------	d-----w-	c:\program files\D-Link
2009-09-02 19:15 . 2009-06-03 08:22	--------	d-----w-	c:\program files\FlashGet
2009-09-02 18:42 . 2006-02-28 12:00	26112	----a-w-	c:\windows\system32\userinit.exe
2009-09-02 16:13 . 2006-02-28 12:00	792064	----a-w-	c:\windows\system32\comres.dll
2009-09-01 00:57 . 2008-07-24 10:25	--------	d-----w-	c:\documents and settings\Admin\Application Data\FileZilla
2009-08-20 19:36 . 2009-07-24 17:51	--------	d-----w-	c:\documents and settings\Admin\Application Data\skypePM
2009-08-13 07:52 . 2009-07-07 12:14	4768	----a-w-	c:\windows\system32\PerfStringBackup.TMP
2009-08-10 17:15 . 2008-11-12 18:40	23728	----a-w-	c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-08 10:20 . 2008-12-22 06:33	23728	----a-w-	c:\documents and settings\Analyst\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2006-02-28 12:00	204800	----a-w-	c:\windows\system32\mswebdvd.dll
2009-08-03 02:12 . 2008-02-20 20:18	--------	d-----w-	c:\program files\Microsoft Silverlight
2009-07-24 23:53 . 2009-03-20 05:01	411368	----a-w-	c:\windows\system32\deploytk.dll
2009-07-24 18:05 . 2008-12-04 17:26	--------	d-----w-	c:\documents and settings\Admin\Application Data\TeamViewer
2009-07-24 17:51 . 2009-07-24 17:51	48	---ha-w-	c:\windows\system32\ezsidmv.dat
2009-07-24 17:49 . 2009-07-24 17:49	--------	d-----w-	c:\program files\Common Files\Skype
2009-07-24 17:49 . 2009-07-24 17:49	--------	d-----r-	c:\program files\Skype
2009-07-24 17:49 . 2008-10-21 16:45	--------	d-----w-	c:\documents and settings\All Users\Application Data\Skype
2009-07-21 09:35 . 2009-07-21 09:30	--------	d-----w-	c:\program files\Notepad++
2009-07-21 09:33 . 2009-07-21 09:30	--------	d-----w-	c:\documents and settings\Analyst\Application Data\Notepad++
2009-07-21 07:05 . 2009-07-21 07:05	114688	----a-w-	c:\windows\system32\calc.exe
2009-07-21 06:29 . 2009-07-21 06:29	--------	d-----w-	c:\documents and settings\Analyst\Application Data\PE Explorer
2009-07-21 06:29 . 2009-07-21 06:29	--------	d-----w-	c:\program files\PE Explorer
2009-07-17 20:52 . 2008-01-28 17:17	--------	d-----w-	c:\program files\Google
2009-07-17 20:46 . 2009-07-10 16:46	--------	d-----w-	c:\program files\Celestia
2009-07-17 19:01 . 2006-02-28 12:00	58880	----a-w-	c:\windows\system32\atl.dll
2009-07-17 07:22 . 2009-07-06 07:01	--------	d-----w-	c:\program files\Debugging Tools for Windows (x86)
2009-07-16 03:35 . 2009-07-16 03:35	--------	d-----w-	c:\program files\AviSynth 2.5
2009-07-16 03:35 . 2008-03-18 10:35	--------	d-----w-	c:\program files\Replay Converter
2009-07-16 03:35 . 2009-07-16 03:35	--------	d-----w-	c:\program files\Red Kawa
2009-07-16 02:29 . 2009-07-16 02:29	--------	d-----w-	c:\documents and settings\Analyst\Application Data\Sony
2009-07-16 02:29 . 2009-07-16 02:29	--------	d-----w-	c:\documents and settings\All Users\Application Data\Sony
2009-07-16 02:29 . 2009-07-16 02:29	--------	d-----w-	c:\program files\Common Files\Sony Shared
2009-07-16 02:28 . 2009-07-16 02:25	--------	d-----w-	c:\program files\Sony
2009-07-16 02:25 . 2009-07-16 02:25	--------	d-----w-	c:\documents and settings\All Users\Application Data\Sony Corporation
2009-07-16 02:24 . 2009-07-16 02:24	--------	d-----w-	c:\program files\Sony Setup
2009-07-14 16:46 . 2009-07-14 16:46	--------	d-----w-	c:\program files\DiskInternals
2009-07-13 18:13 . 2006-02-28 12:00	286208	----a-w-	c:\windows\system32\wmpdxm.dll
2009-07-09 17:21 . 2009-07-08 01:04	--------	d-sh--w-	c:\documents and settings\All Users\Application Data\MPK
2009-07-08 02:41 . 2009-07-07 12:18	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-07 12:21 . 2009-07-07 12:21	--------	d-----w-	c:\program files\Microsoft SQL Server
2009-07-07 12:21 . 2009-07-07 12:21	--------	d-----w-	c:\program files\Microsoft Synchronization Services
2009-07-07 12:19 . 2009-07-07 12:18	--------	d-----w-	c:\program files\Microsoft Visual Studio 9.0
2009-07-07 12:18 . 2009-07-07 12:18	--------	d-----w-	c:\program files\Microsoft.NET
2009-07-07 12:17 . 2009-07-07 12:17	--------	d-----w-	c:\program files\Microsoft SDKs
2009-07-07 12:16 . 2009-07-07 12:16	--------	d-----w-	c:\program files\MSBuild
2009-07-07 12:16 . 2009-07-07 12:16	--------	d-----w-	c:\program files\Reference Assemblies
2009-07-07 12:12 . 2009-07-07 12:12	--------	d-----w-	c:\program files\MSXML 6.0
2009-07-06 07:19 . 2008-01-24 05:37	--------	d-----w-	c:\program files\Intel
2009-07-03 17:09 . 2006-02-28 12:00	915456	----a-w-	c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2006-02-28 12:00	730112	----a-w-	c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-02-28 12:00	56832	----a-w-	c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-02-28 12:00	54272	----a-w-	c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-02-28 12:00	301568	----a-w-	c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2006-02-28 12:00	147456	----a-w-	c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-02-28 12:00	136192	----a-w-	c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2006-02-28 12:00	92928	----a-w-	c:\windows\system32\drivers\ksecdd.sys
2009-06-23 17:15 . 2009-06-23 17:15	185344	----a-w-	c:\windows\system32\drivers\KeDetective130.sys
2009-06-16 14:36 . 2006-02-28 12:00	81920	----a-w-	c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00	119808	----a-w-	c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2006-02-28 12:00	80896	----a-w-	c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-02-28 12:00	76288	----a-w-	c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-02-28 12:00	84992	----a-w-	c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2006-02-28 12:00	132096	----a-w-	c:\windows\system32\wkssvc.dll
2009-06-10 03:49 . 2008-01-24 03:25	2066432	----a-w-	c:\windows\system32\mstscax.dll
2008-04-14 00:12 . 2006-02-28 12:00	1384479	--sh--r-	c:\windows\system32\msvbvm60.dll
2008-10-29 04:46 . 2008-10-29 04:46	10	--sh--r-	c:\windows\system32\sistem.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 04:25	1090816	----a-w-	c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Live Person"="c:\program files\LivePerson\hc.exe" [2008-01-30 5476352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-01 198160]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-02 2007832]
"D-Link Air USB Utility"="c:\program files\D-Link\Air USB Utility\AirCFG.exe" [2003-07-23 2695168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\Vundo Reserch.SYS4\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
Send Mail_dumpfolder.exe.lnk - d:\vundo research\Report Error\Send Mail_dumpfolder.exe [2008-11-18 257697]

c:\documents and settings\Venkatesh\Start Menu\Programs\Startup\
LivePerson.lnk - c:\program files\LivePerson\hc.exe [2008-6-2 5476352]

c:\documents and settings\Analyst\Start Menu\Programs\Startup\
Kuma_Tray.lnk - c:\program files\Kuma Games\kgsystray\Kuma_tray.exe [2009-9-3 33992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5B0C7E2C-3257-4619-8282-A173017B16E2}"= "c:\windows\Downloaded Program Files\qvSPdARs5PQNKAzvezTuPcs.cur" [2009-09-02 17010]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-02 21:01	11952	----a-w-	c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TL-WN321G Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TL-WN321G Wireless Utility.lnk
backup=c:\windows\pss\TL-WN321G Wireless Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"iPod Service"=3 (0x3)
"SbieSvc"=2 (0x2)
"mysql"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Apache2.2"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\vmnat.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmnat.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LivePerson\\hc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Rediff Bol\\RediffMessenger.exe"=
"c:\\Program Files\\JustVoip.com\\JustVoip\\JustVoip.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP\\MediaManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/20/2009 10:53 AM 55152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/25/2008 1:08 AM 210216]
R2 NIOC;NIOC Service;c:\windows\system32\NIOC.sys [9/27/2002 6:21 PM 22912]
R2 WZCBDLService;WZCBDL Service;c:\program files\WZCBDL Service\WZCBDLS.exe [3/19/2002 12:15 PM 36864]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/4/2007 2:58 PM 24344]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [2/28/2006 5:30 PM 14336]
S3 fakerdtsc.sys;RDTSC ring0 killer;c:\documents and settings\Analyst\My Documents\Softwares\Disassembler & Debugging\OllyDBG_CiM's Edition\fakerdtsc.sys [7/9/2009 2:37 PM 1696]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [1/13/2008 5:23 PM 92160]
S4 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [12/10/2008 4:40 AM 49152]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 6TO4
*NewlyCreated* - WMISVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 07:04]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-179605362-725345543-1014Core.job
- c:\documents and settings\Analyst\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-19 06:27]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-179605362-725345543-1014UA.job
- c:\documents and settings\Analyst\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-19 06:27]

2009-09-03 c:\windows\Tasks\User_Feed_Synchronization-{533390C2-90AB-4E4A-ABC3-A8C3FFD733FA}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 23:01]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{A6B7F435-38B4-4DCC-9EBF-21C968ECF4FD} - c:\windows\system32\S9UQCTA4tnRSJhfxC7Vfj.inf
ShellExecuteHooks-{A600E212-2A41-41BC-92F1-ED5C96B06185} - c:\windows\system32\sDV2mGwkejdKa74QJzsjw.inf
ShellExecuteHooks-{610B6886-2A1A-475A-A842-65A613C70460} - c:\windows\system32\SrNRKs5F7Rkv9hp.inf
ShellExecuteHooks-{765BA0B5-EBE4-4B1A-AFDA-5683606F626C} - c:\windows\system32\pj83ZgsqjcWUNwjrRp42tFw.dll
ShellExecuteHooks-{7F41BC77-7742-4ABF-9277-1316B43D049A} - c:\windows\system32\kFDDTTA2NjqgtbCWBxS.inf
ShellExecuteHooks-{CE38B9E6-AF0C-4B93-AFAB-A20C2311FFD0} - c:\windows\system32\X5T4kV8DNmMbdRXAUx82K.inf
ShellExecuteHooks-{ECC00636-8C3B-4D8D-B271-AAA6DF9505CD} - c:\windows\system32\Am274u6Rqq2cTzTpjCGKy.inf
ShellExecuteHooks-{41D2953A-CB90-485A-8673-6975088309F7} - c:\windows\system32\fRWSJda7RbSuR3jFSmMBy.inf
ShellExecuteHooks-{72236771-3891-46BF-B185-1D816A09333F} - c:\windows\system32\CRZfQurd2g58gXVgHSDbNhU.inf

.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - c:\documents and settings\Analyst\Application Data\Mozilla\Firefox\Profiles\t7hkcp9c.default\
FF - prefs.js: keyword.URL - hxxp://aa.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_aa&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Analyst\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCortona.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 23:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3553.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3553.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-179605362-725345543-1014\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\3.0]
"FRT"="MBgA9sFPv6x+fO/2XQOOge72E7mKl/eHW73FPUpBULnIKhteTBCCLg=="
"PLCK"="e4GuuyHWSMWbHSDD46+r/l213zh8LtvH"
"Percents"="0 0.081 0.3144 0.498 0.6329 0.7126 0.7193 "
"Increment"=".006897"
"PHSH"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1180)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\klogon.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll

- - - - - - - > 'lsass.exe'(1236)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll

- - - - - - - > 'explorer.exe'(3856)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-03 23:09 - machine was rebooted
ComboFix-quarantined-files.txt  2009-09-03 17:39
ComboFix2.txt  2009-08-27 10:42

Pre-Run: 11,017,158,656 bytes free
Post-Run: 11,179,839,488 bytes free

444	--- E O F ---	2009-09-03 10:33


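An added example, not part of obscurant1st's post and not ComboFix's own code: a small Python triage pass over a ComboFix-style log. It pulls out the three things a malware responder reads first in a log like the one above: ShellExecuteHooks entries that point at something other than a DLL (the .cur and .inf targets here), Security Center and firewall settings the infection switched off, and system files ComboFix had to disinfect. The sample lines are constructed from the shape of the entries in the posted log; the "Example Vendor" hook is a made-up benign entry so the filter has something to keep, and the suspicion rules are this example's own heuristics, not ComboFix's.

```python
# Added example (not from the thread): a triage pass over a ComboFix-style log.
import re
from typing import Dict, List

# Constructed sample. The hook, orphan, firewall and disinfection lines are
# modelled on the entries in the posted log; the "Example Vendor" hook is a
# made-up benign entry so the filter has something to keep.
SAMPLE_LOG = r"""
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5B0C7E2C-3257-4619-8282-A173017B16E2}"= "c:\windows\Downloaded Program Files\qvSPdARs5PQNKAzvezTuPcs.cur" [2009-09-02 17010]
"{00000000-0000-0000-0000-000000000001}"= "c:\program files\Example Vendor\shellhook.dll" [2009-01-01 12345]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{6AAE5527-48AA-4C74-871F-49DAFFD3A38D}\RP440\A0291309.exe

- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{A6B7F435-38B4-4DCC-9EBF-21C968ECF4FD} - c:\windows\system32\S9UQCTA4tnRSJhfxC7Vfj.inf
"""

CLSID = r"(\{[0-9A-Fa-f-]+\})"
ACTIVE_HOOK = re.compile(r'^"' + CLSID + r'"=\s*"([^"]+)"')
ORPHAN_HOOK = re.compile(r"^ShellExecuteHooks-" + CLSID + r"\s*-\s*(.+?)\s*$")


def parse_shell_execute_hooks(log: str) -> List[Dict[str, str]]:
    """Collect ShellExecuteHooks entries: the live ones listed under the
    registry key and the ones ComboFix reports under ORPHANS REMOVED."""
    hooks: List[Dict[str, str]] = []
    current_key = ""
    for line in log.splitlines():
        if line.startswith("["):
            # A "[HKEY...]" line opens a new registry key section.
            current_key = line.strip("[]").lower()
            continue
        m = ACTIVE_HOOK.match(line)
        if m and current_key.endswith("shellexecutehooks"):
            hooks.append({"clsid": m.group(1), "target": m.group(2), "state": "active"})
            continue
        m = ORPHAN_HOOK.match(line)
        if m:
            hooks.append({"clsid": m.group(1), "target": m.group(2), "state": "orphan"})
    return hooks


def is_suspicious_hook(target: str) -> bool:
    """A ShellExecuteHook is an in-process COM server, so it must be a DLL.
    Anything else (.inf, .cur, ...) or a hook served out of the IE download
    cache has no legitimate reason to be registered there (heuristic)."""
    t = target.lower()
    return not t.endswith(".dll") or "\\downloaded program files\\" in t


def weakened_defenses(log: str) -> List[str]:
    """Settings in the Reg Loading Points section that leave the host exposed."""
    findings: List[str] = []
    if re.search(r'^"EnableFirewall"=\s*0\b', log, re.M):
        findings.append("Windows Firewall disabled (standard profile)")
    if re.search(r'^"DisableMonitoring"=dword:00000001', log, re.M):
        findings.append("Security Center monitoring of the AV product disabled")
    return findings


def disinfected_files(log: str) -> List[str]:
    """System files ComboFix reported as patched by the infection and restored."""
    return re.findall(r"^Infected copy of (.+?) was found and disinfected", log, re.M)


def triage(log: str) -> Dict[str, object]:
    """Summarise the findings a responder would act on first."""
    hooks = parse_shell_execute_hooks(log)
    return {
        "suspicious_hooks": [h for h in hooks if is_suspicious_hook(h["target"])],
        "weakened_defenses": weakened_defenses(log),
        "disinfected": disinfected_files(log),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("  ", item)
```

Run against the sample, the pass keeps the .cur hook in Downloaded Program Files and the orphaned .inf hook, drops the benign DLL hook, and reports both the disabled firewall and the disabled AV monitoring alongside the patched userinit.exe; pointing it at a saved ComboFix log instead of SAMPLE_LOG needs only a file read.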

#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:26 AM

Posted 19 September 2009 - 06:45 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:26 AM

Posted 26 September 2009 - 08:50 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



