Lindsey

  1. ComboFix 09-12-30.01 - Paul 12/31/2009 1:38.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.325 [GMT -6:00]
Running from: c:\documents and settings\Paul\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\desktop.ini
C:\LOG.TXT
c:\windows\93bfe3ca-1bf1-4ae8-b812-1f3bc95e7619.ocx
c:\windows\AUTOLNCH.REG
c:\windows\system32\2a700b3e-848e-485e-b458-90433d601fe5.dll
c:\windows\system32\comrepl.exe
c:\windows\system32\drivers\H8SRTlrgshappkr.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\H8SRTdoexylkmdd.dll
c:\windows\system32\H8SRTgyrnntvfnd.dll
c:\windows\system32\H8SRTrvjahmnqoe.dat
c:\windows\system32\krl32mainweq.dll
c:\windows\system32\launcher.exe
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\srcr.dat
c:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Legacy_NPF
-------\Legacy_OREANS32
-------\Service_NPF
-------\Service_oreans32

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.
2009-12-29 06:27 . 2009-12-29 06:27 -------- d-----w- c:\documents and settings\Paul\Application Data\Malwarebytes
2009-12-27 18:29 . 2009-12-29 07:19 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\irdjmm
2009-12-26 05:04 . 2009-12-26 23:46 -------- d-----w- c:\documents and settings\Paul\Application Data\vlc
2009-12-26 05:03 . 2009-12-26 05:03 -------- d-----w- c:\documents and settings\Paul\Application Data\dvdcss
2009-12-25 15:12 . 2009-12-25 15:12 -------- dc----w- C:\WTablet
2009-12-24 04:15 . 2009-12-24 04:15 293376 ----a-w- C:\74uqss4j.exe
2009-12-24 01:44 . 2009-12-24 01:44 -------- d-----w- c:\documents and settings\Paul\Application Data\TextPad
2009-12-23 01:26 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-23 01:25 . 2009-12-23 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-23 01:25 . 2009-12-29 06:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-23 01:25 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 08:15 . 2009-12-21 08:15 -------- d-----w- c:\windows\system32\electricsheep-cache
2009-12-21 05:06 . 2009-12-31 00:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-21 03:46 . 2009-12-21 03:46 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Adobe
2009-12-21 03:09 . 2009-12-21 03:09 -------- d-----w- c:\program files\uTorrent
2009-12-21 03:09 . 2009-12-24 01:22 -------- d-----w- c:\documents and settings\Paul\Application Data\uTorrent
2009-12-21 02:48 . 2009-12-21 02:48 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Mozilla
2009-12-21 02:39 . 2009-12-21 02:39 76248 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 02:39 . 2009-12-21 02:40 -------- d-----w- c:\documents and settings\Paul\Application Data\Apple Computer
2009-12-21 02:37 . 2009-12-21 02:40 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Apple Computer
2009-12-21 02:35 . 2009-12-21 02:35 -------- d-----w- c:\documents and settings\Paul\Application Data\WTablet
2009-12-21 02:02 . 2009-12-21 02:02 -------- d-----w- c:\program files\iPod
2009-12-21 02:02 . 2009-12-21 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-21 02:01 . 2009-12-21 02:01 -------- d-----w- c:\program files\Bonjour
2009-12-21 01:59 . 2009-12-21 02:00 -------- d-----w- c:\program files\QuickTime
2009-12-21 01:57 . 2009-12-21 01:57 -------- d-----w- c:\documents and settings\Lindsey Cheek\Local Settings\Application Data\Apple
2009-12-21 01:56 . 2009-12-21 02:04 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-21 01:53 . 2009-12-21 02:02 -------- d-----w- c:\program files\Common Files\Apple
2009-12-21 01:53 . 2009-12-21 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 06:14 . 2008-01-13 23:07 -------- d-----w- c:\documents and settings\Lindsey Cheek\Application Data\DNA
2009-12-29 06:08 . 2007-07-04 01:47 -------- d-----w- c:\documents and settings\Lindsey Cheek\Application Data\WTablet
2009-12-29 06:07 . 2008-01-13 23:07 -------- d-----w- c:\program files\DNA
2009-12-21 02:06 . 2004-10-01 00:21 -------- d-----w- c:\documents and settings\Lindsey Cheek\Application Data\Apple Computer
2009-12-21 02:04 . 2004-11-16 17:40 -------- d-----w- c:\program files\iTunes
2009-12-21 01:57 . 2007-01-08 06:32 -------- d-----w- c:\program files\Apple Software Update
2009-12-21 01:36 . 2009-12-21 01:33 1924744 ----a-w- c:\documents and settings\Lindsey Cheek\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-01-23 13:30 . 2005-12-11 20:56 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-23 13:30 . 2005-12-11 20:56 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-23 13:30 . 2007-06-12 00:33 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-23 13:30 . 2007-06-12 00:33 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-23 13:30 . 2005-12-11 20:56 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-02-13 21:43 . 2005-02-13 21:43 12208 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
2007-01-17 23:44 . 2005-03-11 03:10 1265 --sha-w- c:\windows\SYSTEM32\mmf.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lindsey Cheek^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Lindsey Cheek\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lindsey Cheek^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Lindsey Cheek\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 10:59 122880 -c--a-w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
2003-03-07 17:36 209800 ----a-w- c:\program files\Dell\AccessDirect\DadApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
2003-06-25 15:29 294998 ------w- c:\program files\Dell AIO Printer A940\dlbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2003-12-18 18:17 487424 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 15:27 28672 -c--a-w- c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
2005-11-15 18:12 473928 ----a-w- c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-09-20 14:32 77824 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 14:32 77824 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 14:36 114688 ----a-w- c:\windows\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-09-20 14:35 94208 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 12:03 221184 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 12:03 81920 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2004-08-04 07:56 177152 ----a-w- c:\windows\SYSTEM32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
2003-02-13 06:01 155648 -c--a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 19:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2003-08-15 17:37 618496 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2003-08-15 17:38 110592 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 22:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-12-21 03:09 289584 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
2005-03-29 01:24 28616 ----a-w- c:\program files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"seclogon"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"Wmaacdvrdita"=3 (0x3)
"TabletService"=2 (0x2)
"SPTISRV"=3 (0x3)
"rpcapd"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"LxrJD31s"=2 (0x2)
"LicCtrlService"=2 (0x2)
"LexBceS"=2 (0x2)
"IDriverT"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"MSIServer"=3 (0x3)
"Ahbotntwmne"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\myTunes Redux\\mDNSResponder.exe"=
"c:\\WINDOWS\\SYSTEM32\\mqsvc.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\myTunes Redux\\myTunesRedux.exe"=
"c:\\Program Files\\Microsoft AntiSpyware\\GIANTAntiSpywareMain.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Soulseek-Test\\slsk.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3689:TCP"= 3689:TCP:Port
"3689:UDP"= 3689:UDP:iTunes

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\SYSTEM32\Wacom_Tablet.exe [11/8/2007 10:30 AM 1373480]
S3 XDva007;XDva007;\??\c:\windows\system32\XDva007.sys --> c:\windows\system32\XDva007.sys [?]
S4 Ahbotntwmne;Ahbotntwmne; [x]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [3/10/2005 9:10 PM 2560]
.
Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-12-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-04-23 23:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.webexternal.cn/ac.php?aid=216&sid=new
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - hxxp://mediaplayer.walmart.com/installer/install.cab
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\tiqefj2c.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{691104FA-A407-8518-1596-08CF78D2776E} - c:\windows\UPD\riuujhdxrd.dll
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-ares - c:\program files\Ares Lite Edition\Ares.exe
MSConfigStartUp-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
MSConfigStartUp-filecroc - c:\program files\FileCroc\FileCroc.exe
MSConfigStartUp-PCMService - c:\program files\Dell\Media Experience\PCMService.exe
MSConfigStartUp-PlayNC Launcher - c:\program files\NCSoft\Launcher\NCLauncher.exe
MSConfigStartUp-richtx64 - c:\docume~1\Paul\LOCALS~1\Temp\richtx64.exe
MSConfigStartUp-VetTray - c:\progra~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\ypager.exe
MSConfigStartUp-Zone Labs Client - c:\progra~1\CA\ETRUST~1\ETRUST~2\ca.exe
AddRemove-Quartz Studio Free - c:\program files\DigitalSoundPlanet\Quartz Studio Free 370E\DeIsL1.isu

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-31 01:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8\A4C6DC1D7052183A161573F7BA846387]
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\msdtc.exe
c:\windows\System32\snmp.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\ELECTR~1.SCR
.
**************************************************************************
.
Completion time: 2009-12-31 02:02:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-31 08:02

Pre-Run: 12,634,824,704 bytes free
Post-Run: 13,237,284,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

- - End Of File - - 42F6280BF98D5ADAAB3EFA95AFB1125D

So - yesterday (before I saw this post) I actually got mbam to run, and it said it got rid of 10 infections, yada yada. It seemed like it was fine, then popped up with some more Antivirus Security something or other sometime this afternoon. Now that I've done all this ComboFix stuff, is this the end? Finally?
  2. I know I'm not the original poster, but this described my problem perfectly so I ran through the steps hoping you could help me as well. Here's the log from the GMER program:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-24 04:09:33
Windows 5.1.2600 Service Pack 2
Running: 74uqss4j.exe; Driver: C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\kwloapob.sys

---- System - GMER 1.0.15 ----

Code 82B2CE18 ZwEnumerateKey
Code 82CE5898 ZwFlushInstructionCache
Code 82DC65B6 IofCallDriver
Code 82C64E06 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 82DC65BB
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 82C64E0B
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EE68 5 Bytes JMP 82B2CE1C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 8057797A 5 Bytes JMP 82CE589C
.text C:\WINDOWS\system32\drivers\oreans32.sys section is writeable [0xF86D72A0, 0x7B40, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \FileSystem\Fastfat \Fat EEDCBC8A

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTlrgshappkr.sys (*** hidden *** ) EFD0A000-EFD27000 (118784 bytes)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTgyrnntvfnd.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [260] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTlrgshappkr.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTlrgshappkr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTlrgshappkr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTdoexylkmdd.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTrvjahmnqoe.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTgyrnntvfnd.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTlrgshappkr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTlrgshappkr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTdoexylkmdd.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTrvjahmnqoe.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTgyrnntvfnd.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Lindsey Cheek\Local Settings\Temporary Internet Files\Content.IE5\Q1WDYN6N\httpErrorPagesScripts[1] 0 bytes
File C:\Documents and Settings\Lindsey Cheek\Local Settings\Temporary Internet Files\Content.IE5\UZQZIXQ3\errorPageStrings[1] 0 bytes
File C:\Documents and Settings\Lindsey Cheek\Local Settings\Temporary Internet Files\Content.IE5\UZQZIXQ3\favcenter[1] 0 bytes
File C:\Documents and Settings\Paul\Local Settings\Temp\H8SRT18b7.tmp 343040 bytes executable
File C:\WINDOWS\SYSTEM32\DRIVERS\H8SRTlrgshappkr.sys 40960 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\SYSTEM32\H8SRTdoexylkmdd.dll 23040 bytes executable
File C:\WINDOWS\SYSTEM32\H8SRTgyrnntvfnd.dll 36864 bytes executable
File C:\WINDOWS\SYSTEM32\H8SRTrvjahmnqoe.dat 202 bytes

---- EOF - GMER 1.0.15 ----

Here's the log from DDS.txt:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Lindsey Cheek at 11:23:31.04 on Thu 12/24/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.146 [GMT -6:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Lindsey Cheek\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://utdallas.facebook.com/home.php
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {691104fa-a407-8518-1596-08cf78d2776e} - c:\windows\upd\riuujhdxrd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {5AA06644-BC46-4220-A460-47A6EB47C96D} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [WinMem] c:\program files\wincleaner memory optimizer\WinMemOpt.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} - hxxp://xiah.gamescampus.com/luncher/GamesCampus.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://www.restoran.ru/clicks.phtml?id=490
Notify: igfxcui - igfxdev.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lindse~1\applic~1\mozilla\firefox\profiles\0pbu2eil.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

============= SERVICES / DRIVERS ===============

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2006-5-26 33920]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2007-11-8 1373480]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
S3 XDva007;XDva007;\??\c:\windows\system32\xdva007.sys --> c:\windows\system32\XDva007.sys [?]
S4 Ahbotntwmne;Ahbotntwmne; [x]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2005-3-10 2560]

=============== Created Last 30 ================

2009-12-24 04:15:17 293376 ----a-w- C:\74uqss4j.exe
2009-12-24 01:22:16 0 d-----w- c:\program files\Malware Defense
2009-12-23 01:26:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-23 01:25:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-23 01:25:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-23 01:25:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-23 00:25:28 656 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-23 00:24:24 206 ----a-w- c:\windows\system32\srcr.dat
2009-12-21 08:15:01 0 d-----w- c:\windows\system32\electricsheep-cache
2009-12-21 05:06:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-21 03:09:16 0 d-----w- c:\program files\uTorrent
2009-12-21 02:14:53 4426596 -c--a-w- C:\ituneslib.itl
2009-12-21 02:02:41 0 d-----w- c:\program files\iPod
2009-12-21 02:02:22 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-21 02:01:00 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2005-02-13 21:43:27 12208 -csha-w- c:\windows\system32\KGyGaAvL.sys
2007-01-17 23:44:41 1265 --sha-w- c:\windows\system32\mmf.sys

============= FINISH: 11:24:16.63 ===============

I also zipped and attached the Attach.txt file from the DDS program. I can't run Spybot, MBAM, or any other program used to remove spyware/malware. It constantly reopens iexplore.exe in the processes tree. Any ideas? Thanks in advance.

Attach.zip