Combofix Log (Patched.FL/AntimalwareDoctor/explorer.exe infection)



#1 realmfighter


Posted 11 September 2010 - 04:11 PM

Hi,

I had several trojans/viruses detected, so I ran ComboFix and it seems to have solved the problems, but please can you take a look at the log to check everything is OK:

ComboFix 10-09-11.02 - Jonny 11/09/2010 21:37:06.1.4 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1658 [GMT 1:00]
Running from: c:\documents and settings\Jonny\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jonny\Application Data\9C004B492AF9A1EF0A6563BF3F1389D7
c:\documents and settings\Jonny\Application Data\9C004B492AF9A1EF0A6563BF3F1389D7\enemies-names.txt
c:\documents and settings\Jonny\Application Data\9C004B492AF9A1EF0A6563BF3F1389D7\local.ini
c:\documents and settings\Jonny\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk
c:\documents and settings\Jonny\Application Data\xkbyfvlcj
c:\documents and settings\Jonny\Application Data\xkbyfvlcj\ejpoqkcshdw.exe
c:\documents and settings\Jonny\Desktop\Antimalware Doctor.lnk
c:\documents and settings\Jonny\Local Settings\Application Data\Windows Server
c:\documents and settings\Jonny\Local Settings\Application Data\Windows Server\admin.txt
c:\documents and settings\Jonny\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Jonny\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Jonny\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\Jonny\Local Settings\Application Data\xkbyfvlcj
c:\documents and settings\Jonny\Local Settings\Application Data\xkbyfvlcj\ejpoqkcshdw.exe
c:\documents and settings\Jonny\Start Menu\Antimalware Doctor.lnk
c:\documents and settings\Jonny\Start Menu\Programs\Antimalware Doctor
c:\documents and settings\Jonny\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\documents and settings\Jonny\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\program files\RelevantKnowledge
c:\program files\RelevantKnowledge\chrome.manifest
c:\program files\RelevantKnowledge\components\rlxg.dll
c:\program files\RelevantKnowledge\install.rdf
c:\program files\RelevantKnowledge\MSVCP71.DLL
c:\program files\RelevantKnowledge\MSVCR71.DLL
c:\program files\RelevantKnowledge\rlls.dll
c:\program files\RelevantKnowledge\rlls64.dll
c:\program files\RelevantKnowledge\rloci.bin
c:\program files\RelevantKnowledge\rlph.dll
c:\program files\RelevantKnowledge\rlservice.exe
c:\program files\RelevantKnowledge\rlvknlg.exe
c:\program files\RelevantKnowledge\rlvknlg64.exe
c:\program files\RelevantKnowledge\rlxf.dll
c:\windows\amewofeh.dll

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-08-27 13:15 . 2010-08-27 13:15 265216 ----a-w- c:\windows\ejpoqkcshdw.exe
2010-08-24 12:15 . 2010-08-24 12:17 -------- d-----w- C:\pskg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-11 20:49 . 2010-07-12 17:23 -------- d-----w- c:\program files\Common Files\Akamai
2010-09-11 20:26 . 2009-05-23 13:19 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-11 20:04 . 2004-08-04 12:00 8832 ----a-w- c:\windows\system32\drivers\RasAcd.sys
2010-07-30 15:11 . 2010-07-30 14:59 -------- d-----w- c:\program files\Mimosa-Free
2010-07-30 12:03 . 2009-07-07 12:45 -------- d-----w- c:\documents and settings\Jonny\Application Data\MySQL
2010-07-22 10:21 . 2009-05-23 13:59 83528 ----a-w- c:\documents and settings\Jonny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-21 17:57 . 2010-07-21 17:56 -------- d-----w- c:\program files\RazorSQL
2010-07-21 15:25 . 2009-06-14 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-19 23:56 . 2010-07-19 23:56 -------- d-----w- c:\documents and settings\Jonny\Application Data\com.belator.belatormediaplayer.F2351CC36FE58493BDC23E3A0AF536C52FCA79EE.1
2010-07-19 23:56 . 2010-07-19 23:56 -------- d-----w- c:\program files\Belator Media Player
2010-07-19 19:32 . 2010-07-19 19:32 -------- d-----w- c:\program files\Simpo PDF to Word
2010-07-19 19:32 . 2010-07-19 19:32 -------- d-----w- c:\documents and settings\Jonny\Application Data\GetRightToGo
2010-07-18 23:33 . 2009-10-21 20:09 -------- d-----w- c:\program files\Messenger Plus! Live
2010-07-18 23:32 . 2010-07-18 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2010-07-18 23:30 . 2009-06-04 17:17 -------- d-----w- c:\program files\Hotspot Shield
2010-07-18 23:27 . 2009-06-06 10:51 -------- d-----w- c:\program files\ArtMoney
2010-07-18 23:27 . 2010-07-14 19:04 -------- d-----w- c:\program files\CurrencyXchanger
2010-07-18 23:27 . 2009-06-25 21:01 -------- d-----w- c:\program files\DivX
2010-07-18 23:27 . 2009-11-13 19:32 -------- d-----w- c:\program files\GreenScreenWizardPro
2010-07-18 23:27 . 2009-05-27 15:10 -------- d-----w- c:\program files\FXhome EffectsLab Lite
2010-07-18 23:27 . 2009-06-27 18:23 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-07-18 23:27 . 2010-07-11 23:33 -------- d-----w- c:\program files\QuickTime
2010-07-18 23:27 . 2009-07-21 19:41 -------- d-----w- c:\program files\roomMaster
2010-07-18 23:27 . 2009-07-28 21:36 -------- d-----w- c:\program files\Steam
2010-07-18 23:24 . 2009-05-23 13:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-18 23:23 . 2010-07-18 23:23 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2010-07-18 23:23 . 2009-05-23 21:20 -------- d-----w- c:\program files\Creative
2010-07-18 23:23 . 2009-05-23 21:20 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-07-18 23:23 . 2009-05-23 21:20 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-07-18 23:23 . 2009-05-23 21:20 -------- d-----w- c:\documents and settings\Jonny\Application Data\Creative
2010-07-16 17:15 . 2010-07-16 17:10 -------- d-----w- c:\program files\FE Engine Demo
2010-07-15 21:49 . 2010-07-14 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\4D
2010-07-15 21:48 . 2010-07-15 21:47 -------- d-----w- c:\program files\CurrencyXchanger3
2010-07-15 21:45 . 2010-07-15 21:45 -------- d-----w- c:\program files\CurrencyXchanger2
2010-07-14 19:18 . 2009-10-07 22:19 -------- d-----w- c:\program files\Smans
2010-07-14 19:08 . 2010-07-14 19:08 -------- d-----w- c:\documents and settings\Jonny\Application Data\4D
2010-07-14 19:04 . 2010-07-14 19:04 -------- d-----w- c:\program files\4D_Programs
2010-07-14 14:57 . 2009-11-10 22:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-14 14:31 . 2009-05-23 13:10 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 09:32 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]
"Creative Software Update"="c:\program files\Creative\Shared Files\Software Update\AutoUpdate.exe" [2009-01-15 430968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-18 203296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-17 2048352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-30 1654784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"CTHelper"="CTHELPER.EXE" [2010-03-18 19456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin F5D8053 N Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F5D8053v3011\Belkinwcui.exe [2008-4-7 1736704]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2009-5-23 1261568]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 10:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Epos Link Server UI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Epos Link Server UI.lnk
backup=c:\windows\pss\Epos Link Server UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonny^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\documents and settings\Jonny\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonny^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Jonny\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonny^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jonny\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonny^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Jonny\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExpressAccounts]
2009-12-27 15:28 1548292 ----a-w- c:\program files\NCH Software\ExpressAccounts\expressaccounts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExpressInvoice]
2009-12-27 15:27 2510852 ----a-w- c:\program files\NCH Software\ExpressInvoice\expressinvoice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fssui]
2009-08-05 22:48 647520 ----a-w- c:\program files\Windows Live\Family Safety\fsui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-10-29 21:43 133104 ----atw- c:\documents and settings\Jonny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icsxqrmf]
2010-08-27 13:15 265216 ----a-w- c:\windows\ejpoqkcshdw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-04-30 23:31 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-07-16 12:20 25604904 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-16 15:12 1238352 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Umifeturetozun]
2008-04-14 00:12 73728 ----a-w- c:\windows\idear2.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\PageBreeze\\pagebreeze.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\Solstar Games\\Realm Crafter 2\\Projects\\New Project\\Server.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty world at war\\CoDWaW.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty world at war\\CoDWaWmp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Solstar Games\\Realm Crafter 2\\Projects\\Pro Project\\Server.exe"=
"c:\\Program Files\\Solstar Games\\Realm Crafter 2\\Projects\\New Project (2)\\Server.exe"=
"c:\\WQS\\main.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\UDK\\UDK-2009-12\\Binaries\\Win32\\UDK.exe"=
"c:\\Program Files\\Solstar Games\\Realm Crafter 2\\Projects\\New Project (3)\\Server.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Python25\\pythonw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\4D_Programs\\4D Server\\4DServer.exe"=
"c:\\Program Files\\FE Engine Demo\\game\\fantasydemo_indie.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"1041:TCP"= 1041:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [24/05/2009 11:58 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [24/05/2009 11:58 108552]
R2 ADAM_instance1;instance1;c:\windows\ADAM\dsamain.exe -sn:instance1 --> c:\windows\ADAM\dsamain.exe -sn:instance1 [?]
R2 ADAM_instance2;instance2;c:\windows\ADAM\dsamain.exe -sn:instance2 --> c:\windows\ADAM\dsamain.exe -sn:instance2 [?]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04/08/2004 13:00 14336]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [24/05/2009 11:58 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [24/05/2009 11:58 297752]
R2 CyBlock;CyBlock;c:\program files\Wavecrest\CyBlock\wc\service\wrapper.exe [16/10/2009 22:39 229376]
R2 EPOSLinkService;Actinic EPOS Link Service;c:\checkout\ECLink\EPOSLI~1.EXE [08/11/2009 01:22 234792]
R2 ExpressAccountsService;Express Accounts;c:\program files\NCH Software\ExpressAccounts\expressaccounts.exe [27/12/2009 16:28 1548292]
R2 ExpressInvoiceService;Express Invoice;c:\program files\NCH Software\ExpressInvoice\expressinvoice.exe [27/12/2009 16:27 2510852]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [12/03/2009 17:36 86016]
R2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe [29/08/2009 19:27 53307]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
S2 MSSQL$ASI;MSSQL$ASI;c:\program files\Microsoft SQL Server\MSSQL$ASI\Binn\sqlservr.exe -sASI --> c:\program files\Microsoft SQL Server\MSSQL$ASI\Binn\sqlservr.exe -sASI [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [19/07/2010 00:23 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [24/10/2009 00:32 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [24/10/2009 00:32 3072]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [23/05/2009 14:58 272128]
S3 SaiHFFB5;SaiHFFB5;c:\windows\system32\drivers\SaiHFFB5.sys [01/05/2007 15:39 132232]
S3 SaiIFFB5;Immersion's HID USB Driver (FFB5);c:\windows\system32\drivers\SaiIFFB5.sys [01/05/2007 15:39 16256]
S3 SQLAgent$ASI;SQLAgent$ASI;c:\program files\Microsoft SQL Server\MSSQL$ASI\Binn\sqlagent.EXE -i ASI --> c:\program files\Microsoft SQL Server\MSSQL$ASI\Binn\sqlagent.EXE -i ASI [?]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13:37 517096]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18/10/2009 21:18 721904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-08-01 c:\windows\Tasks\AdobeAAMUpdater-1.0-JPT100-Jonny.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-12 02:44]

2010-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-05-22 c:\windows\Tasks\expressaccountsDowngrade.job
- c:\program files\NCH Software\ExpressAccounts\expressaccounts.exe [2009-12-27 15:28]

2009-12-27 c:\windows\Tasks\expressaccountsSevenDaysInit.job
- c:\program files\NCH Software\ExpressAccounts\expressaccounts.exe [2009-12-27 15:28]

2010-05-22 c:\windows\Tasks\expressaccountsShakeIcon.job
- c:\program files\NCH Software\ExpressAccounts\expressaccounts.exe [2009-12-27 15:28]

2009-12-27 c:\windows\Tasks\expressinvoiceSevenDaysInit.job
- c:\program files\NCH Software\ExpressInvoice\expressinvoice.exe [2009-12-27 15:27]

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-1844823847-725345543-1003Core.job
- c:\documents and settings\Jonny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-29 21:43]

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-1844823847-725345543-1003UA.job
- c:\documents and settings\Jonny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-29 21:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://localhost:3476/cgi-bin/ncgir.exe?menu/fwl_index.html
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {FE2F509E-A4C8-4977-990D-EF77DE4E391E} = 10.4.24.1
FF - ProfilePath - c:\documents and settings\Jonny\Application Data\Mozilla\Firefox\Profiles\tluyzww0.default\
FF - plugin: c:\documents and settings\Jonny\Application Data\Mozilla\Firefox\Profiles\tluyzww0.default\extensions\webplayer@bigworldtech.com\plugins\npbwplayer.dll
FF - plugin: c:\documents and settings\Jonny\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-csamnxwero - c:\docume~1\Jonny\LOCALS~1\Temp\csamnxwero.tmp
MSConfigStartUp-newsecureapp70700 - c:\documents and settings\Jonny\Application Data\9C004B492AF9A1EF0A6563BF3F1389D7\newsecureapp70700.exe
AddRemove-{d08d9f98-1c78-4704-87e6-368b0023d831} - c:\program files\RelevantKnowledge\rlvknlg.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-11 21:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ADAM_instance1]
"ImagePath"="c:\windows\ADAM\dsamain.exe -sn:instance1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ADAM_instance2]
"ImagePath"="c:\windows\ADAM\dsamain.exe -sn:instance2"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 7.0\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 7.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-1844823847-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BDB0D8F5-7874-E346-B812-AD5FAA7C0F64}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"haokoijdaokecahl"=hex:66,61,6f,6b,6d,69,6d,66,68,66,70,67,00,14
"haokoijdgiafhjdd"=hex:64,62,62,6c,62,61,69,67,62,6e,69,65,69,6f,6f,62,67,64,
64,6c,66,6b,61,6a,69,67,66,6d,6b,69,69,63,68,70,6e,6b,68,63,67,70,00,a4
"iaokoijdgppjegnpnb"=hex:63,61,70,69,6d,61,00,67
"namhhnpjddgccpcnbhfgebepgand"=hex:6a,61,70,69,6d,61,64,68,61,68,70,6e,6a,70,
62,6f,66,65,6b,67,00,f8
"magjffhnaaikhdnbljcldolfbb"=hex:6a,61,70,69,6d,61,64,68,61,68,70,6e,6a,70,62,
6f,66,65,6b,67,00,00
"iaalhimnbdkbhoihha"=hex:62,61,63,6a,00,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ctagent.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\xpsp3res.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wavecrest\CyBlock\wc\jre\bin\cyblock.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Windows Live\Family Safety\fsssvc.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MySQL\MySQL Server 7.0\bin\mysqld.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
c:\windows\ADAM\dsamain.exe
c:\windows\ADAM\dsamain.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hotspot Shield\bin\openvpntray.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
c:\windows\system32\CTHELPER.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-09-11 22:01:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-11 21:01

Pre-Run: 336,116,260,864 bytes free
Post-Run: 340,277,702,656 bytes free

- - End Of File - - 728917DD122E99547CD920C34302F934

Edited by realmfighter, 11 September 2010 - 04:11 PM.



#2 m0le


Posted 16 September 2010 - 06:48 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 m0le


Posted 21 September 2010 - 06:16 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.