
Seres.exe virus, ran combofix, can't seem to completely get rid of it


This topic is locked
1 reply to this topic

#1 ri0thex


Posted 26 October 2009 - 03:42 PM

Yeah I found ComboFix and ran it because I've had the securitytool/antivirus2010 trojan for about a week now, everything I've tried doesn't seem to work. I've tried to get rid of it manually, as well as using virus scanners/malware cleaning tools, and like I said, I recently tried ComboFix. It seems to clean it out whenever it finishes running, but once I restart it just keeps coming back. Here is the log from ComboFix, what can I do to fix this problem for good? I can't really reformat because I lost my CDs to do so a while ago, so you fellas are my last hope :(.

ComboFix 09-10-25.02 - Spyder 10/26/2009 15:42.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1279.698 [GMT -4:00]
Running from: c:\documents and settings\Spyder\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Spyder\Application Data\lizkavd.exe
c:\documents and settings\Spyder\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Spyder\Application Data\seres.exe
c:\documents and settings\Spyder\Application Data\svcst.exe
c:\documents and settings\Spyder\Application Data\wiaserva.log
c:\documents and settings\Spyder\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Spyder\restorer64_a.exe
c:\documents and settings\Spyder\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Spyder\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Spyder\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\windows\system32\_scui.cpl
c:\windows\system32\restorer64_a.exe

Infected copy of c:\windows\system32\drivers\AGP440.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\agp440.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gasfkyptoaowrk
-------\Service_gasfkyptoaowrk


((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-26 20:03 . 2009-10-26 20:03 94112 -c--a-w- c:\windows\system32\dllcache\agp440.sys
2009-10-26 19:42 . 2004-08-04 05:59 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-10-26 19:42 . 2004-08-04 05:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-26 05:41 . 2009-10-26 20:06 221216 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-10-26 05:41 . 2009-10-26 20:01 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-26 04:02 . 2009-10-26 20:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-26 04:00 . 2009-10-26 04:00 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-25 21:18 . 2009-10-25 21:18 -------- d-----w- C:\$WIN_NT$.~BT
2009-10-25 20:03 . 2009-10-25 20:03 -------- d-----w- c:\program files\Trend Micro
2009-10-24 23:50 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-24 23:47 . 2009-10-24 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-24 18:56 . 2006-11-08 02:01 66048 ----a-w- c:\windows\ieResetIcons.exe
2009-10-23 22:48 . 2009-10-23 22:48 -------- d-----w- c:\documents and settings\Spyder\Application Data\Registry Mechanic
2009-10-21 22:54 . 2009-10-23 06:29 -------- d-----w- c:\program files\PowerISO
2009-10-21 22:46 . 2009-10-21 22:46 -------- d-----w- c:\documents and settings\Spyder\Application Data\ImgBurn
2009-10-21 22:44 . 2009-10-21 22:44 -------- d-----w- c:\program files\ImgBurn
2009-10-21 10:40 . 2009-10-21 10:40 -------- d-----w- c:\documents and settings\Spyder\Application Data\Malwarebytes
2009-10-21 10:39 . 2009-10-21 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 10:39 . 2009-10-26 05:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 09:19 . 2009-10-21 09:45 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-21 09:19 . 2009-10-21 09:45 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-21 09:17 . 2009-10-26 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-10-21 09:17 . 2009-10-21 09:17 -------- d-----w- c:\program files\Kaspersky Lab
2009-10-21 09:09 . 2009-10-21 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-10-07 23:46 . 2009-10-18 19:25 -------- d-----w- c:\program files\City of Heroes
2009-09-30 04:12 . 2009-09-30 04:12 -------- d-----w- c:\program files\LucasArts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 20:06 . 2009-10-26 05:41 1808 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-10-26 20:03 . 2001-08-17 13:58 94112 ----a-w- c:\windows\system32\drivers\AGP440.sys
2009-10-26 20:01 . 2009-10-26 05:41 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-25 19:26 . 2009-09-24 04:59 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2009-10-25 19:20 . 2004-12-09 01:14 -------- d-----w- c:\program files\Lavasoft
2009-10-25 19:20 . 2004-12-09 01:15 -------- d-----w- c:\documents and settings\Spyder\Application Data\Lavasoft
2009-10-21 09:45 . 2008-01-29 21:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-21 09:29 . 2004-07-19 00:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-21 09:12 . 2004-07-19 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-18 19:40 . 2003-06-05 03:07 -------- d-----w- c:\program files\Yahoo!
2009-10-18 19:38 . 2003-12-16 21:30 -------- d-----w- c:\program files\XiRCON
2009-10-18 19:36 . 2007-02-24 16:05 -------- d-----w- c:\program files\Common Files\Intuit
2009-10-18 19:35 . 2003-05-13 07:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-18 19:34 . 2003-12-16 22:23 -------- d-----w- c:\program files\mIRC
2009-10-18 19:32 . 2003-09-16 18:30 -------- d-----w- c:\program files\Steam
2009-10-18 19:27 . 2007-03-22 04:02 -------- d-----w- c:\program files\HLSW
2009-10-18 19:26 . 2004-01-30 23:55 -------- d-----w- c:\program files\Winamp
2009-10-12 22:23 . 2006-11-27 01:07 -------- d-----w- c:\program files\World of Warcraft
2009-10-01 23:42 . 2007-09-27 02:53 -------- d-----w- c:\program files\SystemRequirementsLab
2009-09-23 01:20 . 2009-09-23 01:09 -------- d-----w- c:\program files\Screaming Bee
2009-09-23 01:18 . 2004-10-08 21:41 -------- d-----w- c:\program files\Google
2009-09-23 01:13 . 2009-09-23 01:11 -------- d-----w- c:\documents and settings\Spyder\Application Data\Screaming Bee
2009-09-23 01:13 . 2009-09-23 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Screaming Bee
2009-09-22 21:37 . 2009-09-22 21:13 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2009-09-16 20:14 . 2007-05-10 19:48 -------- d-----w- c:\program files\Full Tilt Poker
2009-09-16 20:12 . 2007-05-18 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-16 20:12 . 2007-05-18 02:23 -------- d-----w- c:\program files\McAfee
2009-09-16 20:12 . 2003-05-13 08:00 -------- d-----w- c:\program files\McAfee.com
2009-09-16 19:26 . 2009-09-16 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-09-16 18:47 . 2009-09-11 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-16 00:46 . 2003-05-16 00:51 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-16 00:46 . 2003-05-16 00:51 -------- d-----w- c:\program files\Symantec
2009-09-12 00:34 . 2004-04-09 21:19 -------- d-----w- c:\program files\LimeWire
2009-09-11 23:40 . 2009-09-11 23:40 -------- d-----w- c:\program files\Windows Sidebar
2009-09-11 23:39 . 2009-09-11 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-28 20:14 . 2009-08-28 20:14 -------- d-----w- c:\program files\AP Tuner
2009-08-24 08:06 . 2009-08-24 08:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-24 08:03 . 2009-08-24 08:03 152576 ----a-w- c:\documents and settings\Spyder\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-05 09:11 . 2004-01-27 03:03 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2002-09-03 17:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2002-09-03 16:33 82432 ----a-w- c:\windows\system32\fontsub.dll
2005-09-10 00:55 . 2007-02-08 18:43 37766164 ----a-w- c:\program files\Data1.cab
2009-07-25 19:08 . 2009-07-25 19:08 52224 --sha-w- c:\windows\SYSTEM32\difodime.dll
2009-07-26 05:24 . 2009-07-26 05:24 89600 --sha-w- c:\windows\SYSTEM32\fatenuva.dll
2009-07-25 19:09 . 2009-07-25 19:09 52224 --sha-w- c:\windows\SYSTEM32\jijuwajo.dll
.

------- Sigcheck -------

[-] 2009-10-26 20:03 . 67A64CDF111144F04932946930668A82 . 94112 . . [------] . . c:\windows\SYSTEM32\DLLCACHE\agp440.sys
[-] 2009-10-26 20:03 . 67A64CDF111144F04932946930668A82 . 94112 . . [------] . . c:\windows\SYSTEM32\DRIVERS\AGP440.sys
[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys
[7] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\agp440.sys
[-] 2002-09-03 . 65880045C51AA36184841CEE915A61DF . 25472 . . [5.1.2600.0] . . c:\windows\$NtServicePackUninstall$\agp440.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-10-26_06.17.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-26 20:03 . 2009-10-26 20:03 23552 c:\windows\temp\wpv311255703227.exe
+ 2009-10-26 20:03 . 2009-10-26 20:03 58729 c:\windows\temp\wpv241256085323.exe
+ 2009-10-26 20:02 . 2009-10-26 20:02 16384 c:\windows\temp\Perflib_Perfdata_7b0.dat
+ 2002-09-03 07:08 . 2009-10-26 19:43 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2002-09-03 07:08 . 2009-10-26 05:44 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2002-09-03 07:08 . 2009-10-26 19:43 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 07:08 . 2009-10-26 05:44 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-10-26 19:28 . 2009-10-26 19:43 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-10-14 3217368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-11 111816]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-10-21 208616]
"restorer64_a"="c:\windows\system32\restorer64_a.exe" [BU]
"Regedit32"="c:\windows\system32\regedit.exe" [BU]

c:\documents and settings\Spyder\Start Menu\Programs\Startup\
zavupd32.exe [2004-8-4 17408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"nosimplestartmenu"= 0 (0x0)
"norecentdochistory"= 0 (0x0)
"maxrecentdocs"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Spyder^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Spyder\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Spyder^Start Menu^Programs^Startup^zavupd32.exe]
path=c:\documents and settings\Spyder\Start Menu\Programs\Startup\zavupd32.exe
backup=c:\windows\pss\zavupd32.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Spyder^Start Menu^Programs^Startup^ZMatrix.lnk]
backup=c:\windows\pss\ZMatrix.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\JavaSoft\\JRE\\1.3.1_04\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Steam\\SteamApps\\slipknot27492349@netscape.net\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\[japs]hex\\counter-strike source beta\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\slipknot27492349@netscape.net\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\slipknot27492349@netscape.net\\half-life 2\\hl2.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Steam\\Steam-Down.exe"=
"c:\\Program Files\\Steam\\SteamApps\\slipknot27492349@netscape.net\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\slipknot27492349@netscape.net\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Dobermann\\Halozero\\halozero.exe"=
"c:\\Documents and Settings\\Spyder\\My Documents\\scarletspyderman\\2d\\CounterStrike2D.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\slipknot27492349@netscape.net\\condition zero\\hl.exe"=
"c:\\Program Files\\Codemasters\\RF Online\\RF.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"c:\\Program Files\\Steam\\SteamApps\\sppainter@alltel.net\\day of defeat\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\sppainter@alltel.net\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\sppainter@alltel.net\\day of defeat source\\hl2.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Steam\\SteamApps\\sppainter@alltel.net\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\sppainter@alltel.net\\counter-strike source beta\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\SteamApps\\sppainter@alltel.net\\team fortress classic\\hl.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\SteamApps\\sppainter@alltel.net\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\FTP Commander\\ftpcomm.exe"=
"c:\\Program Files\\Steam\\SteamApps\\sppainter@alltel.net\\source sdk base\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\max payne\\maxpayne.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\max payne 2 the fall of max payne\\maxpayne2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\klbg.sys [1/29/2008 5:29 PM 33808]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [10/24/2009 7:50 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1170768]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/17/2009 9:59 PM 210216]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [10/26/2009 12:00 AM 583640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [4/30/2008 5:06 PM 24592]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\SYSTEM32\DRIVERS\ScreamingBAudio.sys [3/27/2009 2:23 PM 23064]
S2 nixaafmvghnft;nixaafmvghnft;\??\c:\windows\system32\drivers\qytywyvu.sys --> c:\windows\system32\drivers\qytywyvu.sys [?]
S2 ptssvc;ptssvc;c:\program files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe --> c:\program files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe [?]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\Spyder\LOCALS~1\Temp\cdiskdun.sys --> c:\docume~1\Spyder\LOCALS~1\Temp\cdiskdun.sys [?]
S3 L2XPSR;L2XPSR;\??\c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS --> c:\progra~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 23:49]

2009-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1503959810-2191407964-1658531424-1006Core.job
- c:\documents and settings\Spyder\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-18 01:53]

2009-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1503959810-2191407964-1658531424-1006UA.job
- c:\documents and settings\Spyder\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-18 01:53]

2009-10-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-05-16 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: c:\progra~1\COMMON~1\BTLINK\btlink.dll//iemenu
IE: &Google Search
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links
IE: Cached Snapshot of Page
IE: LimeShop Preferences - file://c:\program files\LimeShop\System\Temp\limeshop_script0.htm
IE: Similar Pages
IE: Translate into English
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} - hxxps://care.alltel.com/lwp/static/installers/WebflowActiveXInstaller_3-0-0.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 16:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1503959810-2191407964-1658531424-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:25,42,4f,86,99,43,91,fb,6d,4f,02,43,22,a6,b1,75,ba,c7,19,dd,16,95,6b,
d6,01,00,f6,3d,d0,dc,71,33,01,73,24,5f,6b,4c,0e,4a,cd,b3,5e,44,61,cc,91,6a,\
"??"=hex:0a,44,a4,49,39,39,7b,e3,54,77,5e,a8,f8,f1,00,d3

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2920)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\System32\DRIVERS\CDANTSRV.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\Temp\wpv311255703227.exe
c:\windows\System32\wbem\unsecapp.exe
c:\combofix\CF2478.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-26 16:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-26 20:25
ComboFix2.txt 2009-10-26 06:36

Pre-Run: 38,718,894,080 bytes free
Post-Run: 38,679,658,496 bytes free

- - End Of File - - 4FB0FFE592B8CDF6A462F70B59E5C745
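Editor's note on the log above, with an added example that is not part of the original post and is not ComboFix code. The "Other Deletions" section reports that the infected c:\windows\system32\drivers\AGP440.sys was disinfected and "restored" from c:\windows\ServicePackFiles\i386\agp440.sys, yet the Sigcheck section a few lines later shows the DRIVERS copy (and the dllcache copy) at 94112 bytes, MD5 67A64CDF..., with no version resource, while the ServicePackFiles copy it was supposedly restored from is 42368 bytes, MD5 2C428FA0..., version 5.1.2600.2180. That is exactly the kind of mismatch to look for when a cleanup "works until reboot". The script below parses the five Sigcheck lines copied verbatim from this log, checks the live driver against the claimed reference copy, and flags copies of the same driver that carry no version resource or are larger than every versioned copy. That last rule is a heuristic of mine (patched system drivers tend to grow and lose their resources), not something ComboFix states, and the script does not rely on the meaning of ComboFix's [7]/[-] flags.

```python
"""Post-remediation check over the Sigcheck section of a ComboFix log.

Added example (editor's code, not ComboFix's). Two questions a responder
wants answered before calling a driver clean:
  1. Does the copy in system32\\drivers match the copy the log says it was
     restored from (same MD5, same size, same version)?
  2. Are there copies of the same driver with no version resource, or larger
     than every versioned copy?  Heuristic assumption: a legitimate driver
     patched by a file-infecting rootkit grows and loses its resources.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the five Sigcheck lines from the log above, copied verbatim.
SIGCHECK_BLOCK = r"""
[-] 2009-10-26 20:03 . 67A64CDF111144F04932946930668A82 . 94112 . . [------] . . c:\windows\SYSTEM32\DLLCACHE\agp440.sys
[-] 2009-10-26 20:03 . 67A64CDF111144F04932946930668A82 . 94112 . . [------] . . c:\windows\SYSTEM32\DRIVERS\AGP440.sys
[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys
[7] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\agp440.sys
[-] 2002-09-03 . 65880045C51AA36184841CEE915A61DF . 25472 . . [5.1.2600.0] . . c:\windows\$NtServicePackUninstall$\agp440.sys
"""

# Field layout as printed in the log: [flag] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*)$"
)


@dataclass(frozen=True)
class SigEntry:
    flag: str
    date: str
    md5: str
    size: int
    version: Optional[str]  # None when the log prints [------] (no version resource)
    path: str

    @property
    def name(self) -> str:
        """File name only, lower-cased, so copies in different folders group together."""
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(block: str) -> List[SigEntry]:
    entries = []
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SIGCHECK_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised Sigcheck line: {line!r}")
        ver = m["version"]
        entries.append(SigEntry(
            flag=m["flag"], date=m["date"], md5=m["md5"].upper(), size=int(m["size"]),
            version=None if set(ver) <= {"-"} else ver, path=m["path"]))
    return entries


def find(entries: List[SigEntry], path: str) -> SigEntry:
    """Case-insensitive path lookup (Windows paths)."""
    for e in entries:
        if e.path.lower() == path.lower():
            return e
    raise KeyError(path)


def verify_restore(entries: List[SigEntry], active_path: str, reference_path: str) -> dict:
    """Compare the live driver against the copy the log claims it was restored from."""
    active, ref = find(entries, active_path), find(entries, reference_path)
    findings = []
    if active.md5 != ref.md5:
        findings.append(f"MD5 differs: {active.md5} vs reference {ref.md5}")
    if active.size != ref.size:
        findings.append(f"size differs: {active.size} vs reference {ref.size} bytes")
    if active.version is None and ref.version is not None:
        findings.append("active copy has no version resource; reference is " + ref.version)
    return {"active": active, "reference": ref, "restored_ok": not findings, "findings": findings}


def suspicious_copies(entries: List[SigEntry]) -> List[SigEntry]:
    """Heuristic: same driver name but no version resource, or bigger than every versioned copy."""
    out = []
    for e in entries:
        siblings = [s for s in entries if s.name == e.name and s.version is not None]
        if e.version is None or (siblings and e.size > max(s.size for s in siblings)):
            out.append(e)
    return out


if __name__ == "__main__":
    entries = parse_sigcheck(SIGCHECK_BLOCK)
    report = verify_restore(entries, r"c:\windows\SYSTEM32\DRIVERS\AGP440.sys",
                            r"c:\windows\ServicePackFiles\i386\agp440.sys")
    print("restored_ok:", report["restored_ok"])
    for f in report["findings"]:
        print("  -", f)
    for e in suspicious_copies(entries):
        print("suspicious:", e.path, e.size, "bytes, version", e.version)
```

Run against the lines from this log, verify_restore reports restored_ok False with three findings (different MD5, different size, missing version resource), and suspicious_copies returns both the dllcache and the DRIVERS copies of agp440.sys. The same check applies to any "Infected copy ... was found and disinfected" line: take the path named as the restore source as the reference and confirm the live file now carries its hash before trusting the cleanup.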



#2 Guest_The weatherman_*

Guest_The weatherman_*

  • Guests
  • OFFLINE
  •  

Posted 26 October 2009 - 04:36 PM

Hello ri0thex,

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

ComboFix logs should not be posted outside the HijackThis forums, and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed. If you have any questions, please PM me or another Moderator.
The BC Staff



