
ComboFix log



#1 patrik777

  • Members
  • 1 posts

Posted 02 June 2010 - 06:38 AM

I ran ComboFix and I would like a little help with the log.

ComboFix 10-06-01.01 - Owner 02.06.2010 11:57:25.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2941 [GMT 2:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-05-02 to 2010-06-02 )))))))))))))))))))))))))))))))
.

2010-06-01 15:53 . 2010-06-02 09:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-01 15:53 . 2010-06-02 09:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-31 21:03 . 2010-05-31 21:03 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2010-05-31 20:37 . 2010-05-31 20:37 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Labcenter Electronics
2010-05-31 16:21 . 2010-05-31 16:21 -------- d-----w- c:\program files\Common Files\Labcenter Electronics
2010-05-31 16:21 . 2005-10-18 15:36 54784 ----a-w- c:\windows\system32\INETWH32.DLL
2010-05-31 16:21 . 2005-10-18 15:36 1048576 ----a-w- c:\windows\system32\ROBOEX32.DLL
2010-05-31 16:21 . 2010-05-31 16:21 -------- d-----w- c:\program files\Labcenter Electronics
2010-05-29 20:27 . 2010-05-29 20:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Octoshape
2010-05-22 14:18 . 2010-05-22 14:18 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6760beae-n\msvcp71.dll
2010-05-22 14:18 . 2010-05-22 14:18 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6760beae-n\jmc.dll
2010-05-22 14:18 . 2010-05-22 14:18 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6760beae-n\msvcr71.dll
2010-05-22 14:18 . 2010-05-22 14:18 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6b353c29-n\decora-sse.dll
2010-05-22 14:18 . 2010-05-22 14:18 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6b353c29-n\decora-d3d.dll
2010-05-20 23:24 . 2010-05-20 23:24 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-05-20 14:34 . 2010-05-21 06:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-20 08:10 . 2010-05-20 08:10 -------- d-----w- c:\windows\system32\URTTEMP
2010-05-20 08:00 . 2003-07-01 16:47 9856 ------w- c:\windows\system32\drivers\pfc.sys
2010-05-20 08:00 . 2010-05-20 09:53 -------- d-----w- C:\pdwork
2010-05-13 11:20 . 2010-05-20 09:53 -------- d-----w- C:\Prezentacija
2010-05-13 02:49 . 2010-05-13 02:49 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ABBYY
2010-05-13 02:49 . 2010-05-13 02:49 -------- d-----w- c:\documents and settings\Owner\Application Data\ABBYY
2010-05-13 02:48 . 2010-05-13 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ABBYY
2010-05-13 02:47 . 2010-05-28 17:35 -------- d-----w- c:\program files\ABBYY FineReader 7.0 Professional Edition
2010-05-12 22:56 . 2010-05-12 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2010-05-12 22:56 . 2010-05-12 22:56 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2010-05-12 22:55 . 2010-05-12 22:55 -------- d-----w- c:\program files\Common Files\Macromedia
2010-05-12 22:55 . 2010-05-12 22:55 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Macromedia
2010-05-12 22:55 . 2010-05-12 22:55 -------- d-----w- c:\program files\Macromedia
2010-05-06 21:41 . 2010-04-12 15:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-31 16:21 . 2009-05-20 17:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-29 16:01 . 2009-12-29 22:25 -------- d-----w- c:\program files\HTMLValidatorLite80
2010-05-28 17:36 . 2009-08-23 22:50 -------- d-----w- c:\program files\Sony
2010-05-22 19:39 . 2009-05-27 12:10 -------- d-----w- c:\program files\PokerStars
2010-05-20 08:30 . 2009-10-16 13:03 -------- d-----w- c:\documents and settings\Owner\Application Data\CyberLink
2010-05-20 08:05 . 2009-08-23 22:50 -------- d-----w- c:\program files\Sony Setup
2010-05-20 08:00 . 2009-05-21 07:18 -------- d-----w- c:\program files\CyberLink
2010-05-15 20:41 . 2009-08-13 19:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-12 22:55 . 2009-05-20 17:20 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-12 06:48 . 2009-08-20 07:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-05-10 21:54 . 2010-01-13 17:20 -------- d-----w- c:\program files\Garena
2010-05-06 21:41 . 2009-05-21 07:20 -------- d-----w- c:\program files\Java
2010-04-22 10:04 . 2010-04-22 10:04 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-04-21 15:38 . 2010-04-21 15:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2010-04-21 13:59 . 2010-04-21 13:59 -------- d-----w- c:\program files\audio codec
2010-04-19 07:43 . 2010-04-19 07:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Capcom
2010-04-16 18:00 . 2010-04-22 10:04 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-04-16 15:13 . 2010-04-16 15:13 -------- d-----w- c:\program files\WMV9_VCM
2010-04-13 19:37 . 2009-12-23 19:53 -------- d-----w- c:\program files\TeamSpeak 3 Client
2010-04-13 00:30 . 2010-04-13 00:29 -------- d-----w- c:\documents and settings\Owner\Application Data\fretsonfire
2010-04-06 15:24 . 2009-05-21 07:20 -------- d-----w- c:\program files\Common Files\Java
2010-04-04 15:01 . 2010-04-02 18:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-04-04 14:55 . 2009-10-22 14:47 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-03-16 09:33 . 2010-04-21 13:44 52224 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hmpgpc5f.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\FFExternalAlert.dll
2010-03-16 09:33 . 2010-04-21 13:44 101376 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hmpgpc5f.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\RadioWMPCore.dll
.

------- Sigcheck -------

[-] 2008-01-25 . 9F960FAC5166F8626B9CDE4DD9A0EB84 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-11-24 2923192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m|\" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-03-21 91432]
"GNConfig"="c:\program files\GIGABYTE\Gigabyte Super Wireless LAN Card\GNConfig.exe" [2008-06-19 393216]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-18 76304]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-10-02 611712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-11 110696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-03-30 1820040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-7-24 809488]
Update Scheduler for Proteus Professional 7.lnk - c:\program files\Labcenter Electronics\Proteus 7 Professional\BIN\UDSCHED.EXE [2010-5-31 65564]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-18 22:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\dc\\StrongDC.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Igre\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enGB-downloader.exe"=
"d:\\Igre\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Igre\\World of Warcraft Public Test\\WoW-0.3.0.10522-enGB-ptr-downloader.exe"=
"d:\\Igre\\World of Warcraft Public Test\\WoW-0.3.0.10522-to-0.3.0.10554-enGB-ptr-downloader.exe"=
"d:\\Igre\\World of Warcraft Public Test\\Launcher.exe"=
"d:\\Igre\\World of Warcraft Public Test\\WoW-0.3.0.10554-to-0.3.0.10571-enGB-ptr-downloader.exe"=
"d:\\Igre\\World of Warcraft Public Test\\WoW-0.3.0.10571-to-0.3.0.10596-enGB-ptr-downloader.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"d:\\Program Files\\Zend\\ZendStudio-5.5.1\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"59062:TCP"= 59062:TCP:Pando Media Booster
"59062:UDP"= 59062:UDP:Pando Media Booster

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8.6.2009 15:12 721904]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [1.2.2008 17:24 41456]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [25.3.2010 11:37 135336]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [30.3.2010 11:16 1107336]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [24.1.2010 19:20 36608]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Owner\LOCALS~1\Temp\XVF58.tmp --> c:\docume~1\Owner\LOCALS~1\Temp\XVF58.tmp [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52c2952e-542e-11de-98db-c9024e0e163c}]
\Shell\AutoRun\command - g:\_autorun\AUTORUN.EXE
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Zend Studio - Debug current page - d:\program files\Zend\ZendStudio-5.5.1\bin\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - d:\program files\Zend\ZendStudio-5.5.1\bin\ZendIEToolbar.dll/DebugNext.html
TCP: {C2CA7B52-48AE-4A2D-8C28-10E8AEDAE563} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hmpgpc5f.default\
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hmpgpc5f.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hmpgpc5f.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\Softonic-Eng7\tbSoft.dll
BHO-{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\Softonic-Eng7\tbSoft.dll
Toolbar-{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\Softonic-Eng7\tbSoft.dll
HKLM-Run-Launch LCDMon - c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe
HKLM-Run-nwiz - nwiz.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-Softonic-Eng7 Toolbar - c:\progra~1\SOFTON~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 12:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7081F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf10
\Driver\ACPI -> ACPI.sys @ 0xb7e66cb8
\Driver\atapi -> 0x8a7081f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb7d04ba0
PacketIndicateHandler -> NDIS.sys @ 0xb7d11b21
SendHandler -> NDIS.sys @ 0xb7cef87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Owner\LOCALS~1\Temp\XVF58.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(4016)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\acs.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-02 12:02:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-02 10:02

Pre-Run: 38.540.185.600 bytes free
Post-Run: 38.532.829.184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
c:\wubildr.mbr="Ubuntu"

- - End Of File - - 3F59EC16B4E732861C4CBDDA7BBB8C0A
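Reading a log like the one above is usually done by eye. As an added example, not part of this thread, of ComboFix, or of BleepingComputer's tooling, the Python script below applies a few defender-side heuristics to lines in ComboFix's own formats: a Windows Firewall policy value of 0, an AutoRun command registered under mountpoints2, a Sigcheck line prefixed `[-]` (assumed here to mark a protected system file that failed ComboFix's check), and a Run value or service whose image sits under a Temp directory. The embedded excerpt is constructed: most of its lines are copied from the posted log, and the `"Updater"` Run entry is a made-up name added so that the Temp heuristic fires on a Run key as well as on a service.

```python
"""Triage pass over ComboFix-style log lines (added example, not ComboFix code).

It returns the lines a reviewer should look at first, each with the heuristic
that matched. It flags nothing as malicious; it only narrows the reading.
"""
import re
from typing import List, Tuple

# Constructed excerpt in ComboFix's line formats. All lines except the
# "Updater" Run value (a made-up name) are copied from the log posted above.
SAMPLE_LOG = r"""------- Sigcheck -------
[-] 2008-01-25 . 9F960FAC5166F8626B9CDE4DD9A0EB84 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Updater"="c:\docume~1\Owner\LOCALS~1\Temp\upd.exe" [2010-06-01 51200]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [25.3.2010 11:37 135336]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Owner\LOCALS~1\Temp\XVF58.tmp --> c:\docume~1\Owner\LOCALS~1\Temp\XVF58.tmp [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52c2952e-542e-11de-98db-c9024e0e163c}]
\Shell\AutoRun\command - g:\_autorun\AUTORUN.EXE
"""

REASON_TEMP = "executable launched from a Temp directory"
REASON_FIREWALL = "Windows Firewall disabled in the standard profile"
REASON_AUTORUN = "AutoRun command registered for a mounted volume"
REASON_SIGCHECK = "protected system file failed the Sigcheck pass"

# "name"="path" [date size]   (Run / RunOnce values)
RUN_VALUE = re.compile(r'^"[^"]+"="(?P<path>[^"]*)"')
# R2 name;display;path [date size]   (driver / service lines)
SERVICE = re.compile(r'^[RS]\d\s+[^;]+;[^;]*;(?P<path>.+?)\s\[')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
AUTORUN = re.compile(r'\\Shell\\AutoRun\\command\s+-\s+\S')
# [-] date . md5 . size . . [version] . . path   (assumed: failed check)
SIGCHECK_FAIL = re.compile(r'^\[-\]\s.*\s[A-Za-z]:\\\S')
# \temp\ or \tmp\ anywhere in an image path, case-insensitive
TEMP_DIR = re.compile(r'\\te?mp\\', re.IGNORECASE)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs, in log order, for lines matching a heuristic."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FIREWALL_OFF.match(line):
            findings.append((REASON_FIREWALL, line))
        elif AUTORUN.search(line):
            findings.append((REASON_AUTORUN, line))
        elif SIGCHECK_FAIL.match(line):
            findings.append((REASON_SIGCHECK, line))
        else:
            # Only Run values and service lines carry an image path worth testing.
            match = RUN_VALUE.match(line) or SERVICE.match(line)
            if match and TEMP_DIR.search(match.group("path")):
                findings.append((REASON_TEMP, line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

The script deliberately does not score the Stealth MBR detector's "possible MBR rootkit infection" warning. An UNKNOWN hook on `\Driver\atapi` is commonly reported on machines that run a disc-emulation filter driver such as the `sptd.sys` listed under `R0` in this log, so that warning is a prompt to confirm with a second scanner rather than a finding in itself.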




#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 06 June 2010 - 09:52 AM

Hello patrik777

Welcome to BleepingComputer
==========================
  • Download OTL to your desktop.
  • Double click OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %SYSTEMDRIVE%\sfcfiles.* /s /md5
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Edited by kahdah, 06 June 2010 - 09:52 AM.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



