
Need A Pro's Opinion..again...


5 replies to this topic

#1 Kevin Doyle

Kevin Doyle

  • Members
  • 22 posts

Posted 24 April 2007 - 05:26 PM

Hey guys, I'm back again after you were such a massive help last time. I've been had again by the dark side and need advice on what to do. I downloaded a torrent yesterday which contained an .exe file. I wasn't to know it had been altered by someone else and bundled with a trojan, and I scanned the file with AVG before opening and it found nothing. I tried to run it and it did not start, leaving me to think something was odd; sure enough that was it and it infected my computer. I have since deleted the file and run AVG, Kaspersky and Spybot scans.

AVG found nothing AGAIN and Spybot found the usual harmless but annoying junk. Kaspersky found 6 infected files, all of which I deleted using the programme; quite shocked that AVG let this one slip as they are usually pretty good. I should have taken the names of the files down, but it read something along the lines of trojan32.bcw. I should have made a note of it, but at the time I just wanted rid of it, so that was a bad move in hindsight.
Tonight my computer has errored out about 5 times, causing the blue screen to pop up and forcing a restart.

I have noticed that in my startup there was something I have never seen before and it reads...

dumprep 0 -k %systemroot%\system32\deumprep 0 -k

I have done a hijack analysis and it's as follows:

Logfile of HijackThis v1.99.1
Scan saved at 23:08:52, on 24/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\Safedisk\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange31.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange31.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE3\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158935099250
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

#2 sjpritch25

sjpritch25

  • Security Colleague
  • 899 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 30 April 2007 - 09:20 PM

Sorry for the delay

Welcome to BC :thumbsup:

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Edited by sjpritch25, 30 April 2007 - 09:21 PM.

Microsoft MVP Consumer Security--2007-2010

#3 Kevin Doyle

Kevin Doyle
  • Topic Starter

  • Members
  • 22 posts

Posted 07 May 2007 - 11:02 AM

Thanks, also sorry for the delay, I'd given up, lol.


"Owner" - 2007-05-07 16:52:39 Service Pack 2
ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\Owner\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\install.log


((((((((((((((((((((((((((((((( Files Created from 2007-04-07 to 2007-05-07 ))))))))))))))))))))))))))))))))))


2007-05-05 16:41 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Real
2007-05-04 10:21 <DIR> d-------- C:\DOCUME~1\Dad\Contacts
2007-05-04 09:38 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Google
2007-05-02 13:49 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\ATI
2007-05-01 19:30 1,310,720 --ah----- C:\DOCUME~1\Dad\NTUSER.DAT
2007-04-24 20:25 9,760 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-04-24 20:25 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-04-24 20:25 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-04-24 20:25 729,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-04-24 20:25 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-04-24 20:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-04-24 06:16 <DIR> d-------- C:\WINDOWS\31EE24C0A8804B61A401982B52CA53BF.TMP
2007-04-24 06:16 <DIR> d-------- C:\Program Files\Vba32
2007-04-24 06:13 <DIR> d-------- C:\kav
2007-04-24 03:36 <DIR> d--hs---- C:\WINDOWS\system32\Sys32
2007-04-21 16:06 <DIR> dr-h----- C:\DOCUME~1\Owner\APPLIC~1\SecuROM
2007-04-21 16:06 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Command & Conquer 3 Tiberium Wars
2007-04-20 18:19 <DIR> d-------- C:\ProgramData
2007-04-14 00:20 229,376 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-04-07 23:00 <DIR> d-------- C:\Program Files\World of Warcraft


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-07 15:31:05 1,417 --sha-w C:\WINDOWS\system32\mmf.sys
2007-05-05 22:28:27 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\Xfire
2007-05-05 20:38:11 -------- d-s---w C:\Program Files\Xfire
2007-05-05 10:49:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\Command & Conquer 3 Tiberium Wars
2007-05-01 18:03:28 81,920 ----a-w C:\WINDOWS\system32\W32N50.dll
2007-05-01 18:03:28 17,134 ----a-w C:\WINDOWS\system32\PCANDIS5.sys
2007-04-24 23:42:50 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-04-24 02:38:42 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\uTorrent
2007-04-21 15:06:28 -------- d--h--r C:\DOCUME~1\Owner\APPLIC~1.\SecuROM
2007-04-21 14:28:47 -------- d-----w C:\Program Files\Electronic Arts
2007-04-20 17:19:44 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-08 14:12:46 -------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-04-02 21:40:10 -------- d-----w C:\Program Files\HLSW
2007-04-01 22:49:47 -------- d-----w C:\Program Files\a-squared Anti-Malware
2007-03-23 05:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 05:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 21:34:44 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\Command & Conquer 3 Tiberium Wars Demo
2007-03-22 19:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 18:52:52 200,768 ----a-w C:\WINDOWS\system32\klogon.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-04 18:21:24 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{4A368E80-174F-4872-96B5-0B27DDD11DB2}"="C:\Program Files\SpywareGuard\dlprotect.dll"
"{4E7BD74F-2B8D-469E-A1FB-F862B587B57D}"="C:\PROGRA~1\orange3\orange31.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll"
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"="C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe gamma loader.lnk
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk
C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^raconfig2500usb.lnk
C:\PROGRA~1\RALINK\RT2500~1\INSTAL~1\WINXP\RACONF~1.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^owner^start menu^programs^startup^limewire on startup.lnk
C:\PROGRA~1\LimeWire\LimeWire.exe -startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^owner^start menu^programs^startup^spywareguard.lnk
C:\PROGRA~1\SPYWAR~1\sgmain.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared
"C:\Program Files\a-squared Anti-Malware\a2guard.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aticcc
"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoejcd_0ace2031
C:\Program Files\AutoInstall\ZD1211_Auto_Install_CD_Only_Gen_0ACE2031\AutoEJCD.EXE /VID=0ACE /PID=2031

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avg7_cc
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\creative detector
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\daemon tools
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diskeepersystray
"C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kernelfaultcheck
%systemroot%\system32\dumprep 0 -k

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lies readme

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\logitechcommunicationsmanager
"C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\logitechquickcamribbon
"C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\logitechsoftwareupdate

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\logitechvideorepair

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\logitechvideotray

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lvcomsx
"C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\myspaceim
C:\Program Files\MySpace\IM\MySpaceIM.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p17helper
Rundll32 P17.dll,P17Helper

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pwrisovm.exe
C:\Program Files\PowerISO\PWRISOVM.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\registrymechanic


HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sitecom wl-117 wlan_utility
"C:\Program Files\Sitecom Europe BV\Sitecom WL-117 Utility\SitecomUSB.EXE"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\speedtouch usb diagnostics
"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\steam
C:\Valve\Steam\Steam.exe -silent

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched
"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\team gram drive peak

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkbellexe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent
C:\Program Files\Winamp\winampa.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\window washer
C:\Program Files\Webroot\Washer\wwDisp.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yahoo! pager
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zonealarm client
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14ff0ee0-4f1c-11db-9d20-000244aebf2e}]
Shell\AutoRun\command G:\Setup.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-07 16:55:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-07 16:55:19
C:\ComboFix-quarantined-files.txt ... 2007-05-07 16:55

#4 sjpritch25

sjpritch25

  • Security Colleague
  • 899 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 07 May 2007 - 12:43 PM

Are these your flash drives?
D:\
G:\

Thanks.
Microsoft MVP Consumer Security--2007-2010

#5 Kevin Doyle

Kevin Doyle
  • Topic Starter

  • Members
  • 22 posts

Posted 07 May 2007 - 01:02 PM

D: is my CD drive.
G: is flash.

#6 sjpritch25

sjpritch25

  • Security Colleague
  • 899 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 07 May 2007 - 07:41 PM

Be sure you have your Flash drive plugged in.



Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a batch file, get autoruns.bat, written by Mosaic1. Once extracted, open the folder and double-click on get autoruns.bat to run the fix.
  • The fix will make a report and, if any autoruns are found, move them to a backup folder.
  • If any autoruns are found on the root of your drives, it will kill Explorer so that the registry entries in the MountPoints key are fixed.
  • A document, Part 1.txt, will be created. It will show the pre-cleaning state.
  • Run get autoruns.bat again immediately.
  • It will produce a file named Part2.txt, and this one will show the state after the cleaning.
  • Please post the contents of Part1.txt and then autos.txt, along with a fresh HijackThis log.
** It is important that you follow these directions exactly. Don't skip the second run or the reporting sequence, as we will become confused.

Microsoft MVP Consumer Security--2007-2010
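The two things the helper pulled out of the logs in this thread, the drive-root AutoRun commands under MountPoints2 in the ComboFix output and the "(file missing)" services in the HijackThis O23 lines, can be extracted by a small triage script. This is an added example, not one of the thread's tools or get autoruns.bat; the sample log lines inside it are constructed from the logs posted above.

```python
"""Triage helper for the logs posted in this thread (added example, not one of
the thread's tools): flags drive-root AutoRun commands in the MountPoints2
section of a ComboFix log and services whose binary HijackThis reports as
'(file missing)' in an O23 line.  Sample lines are constructed from the logs
posted above."""
import re

# Constructed excerpt modelled on the ComboFix output in post #3.
COMBOFIX_SAMPLE = """\
[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\D]
Shell\\AutoRun\\command D:\\Autorun.exe

[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{14ff0ee0-4f1c-11db-9d20-000244aebf2e}]
Shell\\AutoRun\\command G:\\Setup.exe
"""

# Constructed excerpt modelled on the HijackThis log in post #1.
HIJACKTHIS_SAMPLE = """\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkService.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# [HKCU\...\MountPoints2\<drive letter or volume GUID>]
MOUNTPOINT_HDR = re.compile(r"^\[HKCU\\.*\\MountPoints2\\(?P<key>[^\]]+)\]$")
# Shell\AutoRun\command <program run when the volume is opened>
AUTORUN_CMD = re.compile(r"^Shell\\AutoRun\\command\s+(?P<cmd>.+)$")


def parse_mountpoints(text):
    """Return (key, command) for every MountPoints2 entry with an AutoRun
    command.  The key is a drive letter or a volume GUID; the helper's next
    question in the thread was which of D: and G: is a removable drive."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNTPOINT_HDR.match(line)
        if m:
            current = m.group("key")
            continue
        m = AUTORUN_CMD.match(line)
        if m and current is not None:
            findings.append((current, m.group("cmd")))
            current = None  # one AutoRun command per key
    return findings


def missing_service_binaries(text):
    """Return (service, path) for each O23 line marked '(file missing)': a
    service still registered after its binary is gone (broken uninstall, or
    the file was removed by something else) deserves a second look."""
    out = []
    for line in text.splitlines():
        if not line.startswith("O23 - Service:") or "(file missing)" not in line:
            continue
        # HijackThis O23 layout: <name> - <owner> - <path> [(file missing)]
        name, _owner, path = line[len("O23 - Service: "):].rsplit(" - ", 2)
        out.append((name, path.replace(" (file missing)", "")))
    return out


if __name__ == "__main__":
    for key, cmd in parse_mountpoints(COMBOFIX_SAMPLE):
        print(f"AutoRun on MountPoints2\\{key}: {cmd}")
    for name, path in missing_service_binaries(HIJACKTHIS_SAMPLE):
        print(f"Service {name} points at missing file {path}")
```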
