vjmure

  1. Final question; the Defogger did not ask me to reboot (it didn't when I disabled it either). Should I reboot? Any concerns there?
  2. Thank you very much! A couple of questions; did I have a TDL3 rootkit? My understanding is it usually attaches to atapi.sys or the print spooler; I don't recall touching those (or did the ComboFix go after that?). Also, one of the ComboFix script commands had what looked like files related to CA Antivirus; should I be concerned there? Again, thanks a ton. I'd like to make a donation, but I don't have PayPal; any other methods? Thanks, V
  3. ESET Log....
     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # IEXPLORE.EXE=7.00.6000.17023 (vista_gdr.100222-0012)
     # OnlineScanner.ocx=1.0.0.6211
     # api_version=3.0.2
     # EOSSerial=9ca1ae75e3c8bd47b978bc711879a4f6
     # end=finished
     # remove_checked=true
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=true
     # antistealth_checked=true
     # utc_time=2010-05-15 04:33:32
     # local_time=2010-05-15 12:33:32 (-0500, Eastern Daylight Time)
     # country="United States"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=512 16777215 100 0 0 0 0 0
     # compatibility_mode=4866 16775141 100 100 0 76229105 0 0
     # compatibility_mode=6143 16777215 0 0 0 0 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=135028
     # found=0
     # cleaned=0
     # scan_time=10853
  4. Other than the IP thing, they seem OK..... But I'm not doing much. Should I try other things? Does it look clean? Are we actually good?
  5. Something odd that I noticed; maybe nothing..... I launched IE, and my home page is now "bing" (instead of Google). IE hung a moment and I saw at the bottom: waiting for connection 96.6.44.50. Did a search for that IP address and found nothing. Did a tracert from CMD; after a few hops it landed on akamaitechnologies.com..... Not sure why IE would try to connect to it; seems like a legit company. Maybe there is some sort of subdomain of the bing.com page... Not sure; just figured I'd point that out.
  6. Thanks again. I ran ComboFix. I did disable Spyware Doctor for 30 min, but it wasn't enough time (my bad). It came up during the ComboFix run. There were a couple of popup errors, but it seemed to continue and run its course. Hopefully not a problem (?). Errors were:
     - Pev.exe application error, Instruction at "0x0050005c" referenced memory at "0x0050005c" which could not be read.
     - C:\Combo-fix\catchme.cfxxe is not a valid win32 application
     - After reboot, ATTRIB {something}; this one went away while I was trying to write it down.
     But it did finish.....
  7. OK, I am trying to C/P the results, but it keeps coming back with a 501 error. So I took screenshots (attached). I hope that works.....
  9. Script results below. Also, I did have PC Tools "fix" its findings, as it has since found an .exe. Screenshot attached.
  10. FYI.... They all seem to be registry entries....
  11. From http://www.virustotal.com/ "0 bytes size received / Se ha recibido un archivo vacio " Also, my "Spyware Doctor" ran on its normal schedule and found some things; screen shot is attached. I took no action (the app is still up). Thanks, V
  12. BTW, I did re-enable the antivirus / anti-malware as well. (I ran no scans though.) Thanks, V
  13. Thanks again. Here is the result of the combo fix:

ComboFix 10-05-12.03 - vjmure 05/13/2010 6:07.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.460 [GMT -4:00]
Running from: c:\documents and settings\vjmure\Desktop\Combo-Fix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\SMRTDRIV.DLL
c:\windows\system32\ctfmon .exe
c:\windows\system32\nwiz .exe
c:\windows\system32\regsvr32 .exe
c:\windows\system32\rundll32 .exe
c:\windows\vvx3000 .exe
.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.
2010-05-09 04:05 . 2010-05-09 04:05 -------- d-----w- c:\program files\Trend Micro
2010-05-09 02:17 . 2010-05-09 02:17 -------- d-----w- C:\RotInHell
2010-05-08 13:57 . 2010-05-10 13:04 -------- d-----w- c:\program files\ESET
2010-05-08 13:54 . 2010-05-08 13:54 -------- d-----w- c:\program files\Common Files\Java
2010-05-08 13:54 . 2010-05-08 13:54 503808 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcp71.dll
2010-05-08 13:54 . 2010-05-08 13:54 499712 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\jmc.dll
2010-05-08 13:54 . 2010-05-08 13:54 348160 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-75de4ac1-n\msvcr71.dll
2010-05-08 13:54 . 2010-05-08 13:54 61440 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-sse.dll
2010-05-08 13:54 . 2010-05-08 13:54 12800 ----a-w- c:\documents and settings\vjmure\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51c1f113-n\decora-d3d.dll
2010-05-08 13:53 . 2010-05-08 13:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-08 13:04 . 2008-04-14 05:27 14336 -c--a-w- c:\windows\system32\dllcache\asyncmac.sys
2010-05-08 13:04 . 2008-04-14 05:27 14336 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2010-05-08 02:10 . 2010-05-08 02:10 -------- d-----w- c:\documents and settings\Test\Application Data\Malwarebytes
2010-05-06 01:18 . 2010-05-06 01:18 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Downloaded Installations
2010-04-29 01:17 . 2010-04-29 01:17 -------- d-----w- c:\documents and settings\vjmure\Local Settings\Application Data\Threat Expert
2010-04-29 00:54 . 2010-04-29 00:54 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Threat Expert
2010-04-29 00:45 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-29 00:45 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-29 00:45 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-29 00:45 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-04-29 00:45 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-29 00:45 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-29 00:43 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-29 00:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-29 00:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-29 00:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-29 00:42 . 2010-04-29 00:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-29 00:42 . 2010-05-13 03:26 -------- d-----w- c:\program files\Spyware Doctor
2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\Test\Application Data\PC Tools
2010-04-29 00:42 . 2010-04-29 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-28 00:45 . 2010-04-28 00:45 -------- d-----w- c:\documents and settings\user\Application Data\Lavasoft
2010-04-27 10:49 . 2008-04-14 04:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-27 10:49 . 2008-04-14 04:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-27 10:49 . 2008-04-14 04:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-27 10:49 . 2008-04-14 04:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-27 10:48 . 2008-04-14 04:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-27 10:48 . 2008-04-14 04:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-27 10:46 . 2008-04-14 05:21 59904 -c--a-w- c:\windows\system32\dllcache\atmarpc.sys
2010-04-27 10:46 . 2008-04-14 05:21 59904 ----a-w- c:\windows\system32\drivers\atmarpc.sys
2010-04-27 10:43 . 2010-04-27 10:43 93184 --sha-r- c:\windows\system32\oledlga.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-13 10:03 . 2007-02-14 16:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-11 10:10 . 2005-10-03 18:39 -------- d-----w- c:\program files\MSN Games
2010-05-11 10:09 . 2005-05-24 03:47 -------- d-----w- c:\program files\iWin.com
2010-05-08 13:53 . 2006-08-25 01:49 -------- d-----w- c:\program files\Java
2010-05-08 12:21 . 2009-12-25 01:42 -------- d-----w- c:\documents and settings\vjmure\Application Data\Skype
2010-05-08 12:16 . 2004-10-06 12:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-08 12:01 . 2009-12-25 01:44 -------- d-----w- c:\documents and settings\vjmure\Application Data\skypePM
2010-05-06 14:36 . 2009-10-03 06:24 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 01:53 . 2008-11-09 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 01:41 . 2009-09-16 02:10 -------- d-----w- c:\documents and settings\vjmure\Application Data\Move Networks
2010-04-29 19:39 . 2008-11-09 22:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-11-09 22:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 03:04 . 2009-09-09 21:08 -------- d-----w- c:\program files\QuickTime
2010-04-29 01:01 . 2005-06-26 17:27 -------- d-----w- c:\documents and settings\vjmure\Application Data\Lavasoft
2010-04-29 00:33 . 2009-12-25 01:31 -------- d-----w- c:\program files\Microsoft LifeCam
2010-04-29 00:32 . 2006-12-31 18:01 -------- d-----w- c:\program files\Windows Defender
2010-04-28 01:00 . 2007-04-12 14:17 66368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-21 15:59 . 2009-04-06 23:35 204 ----a-w- c:\windows\popcinfot.dat
2010-03-29 19:59 . 2010-03-28 14:45 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1006
2010-03-26 13:28 . 2010-03-26 13:28 -------- d-----w- c:\documents and settings\vjmure\Application Data\PopCapv1003
2010-03-11 12:38 . 2004-10-06 12:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-10-06 12:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-10-06 12:01 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-10-06 12:01 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-10-06 12:01 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-10-06 12:01 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2005-06-07 23:47 . 2005-06-07 23:47 774144 ----a-w- c:\program files\RngInterstitial.dll
.
c:\program files\Analog Devices\SoundMAX\smax4 .exe
c:\program files\Analog Devices\SoundMAX\smax4pnp .exe
c:\program files\CA\CA Internet Security Suite\casc .exe
c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\cavrid .exe
c:\program files\IC\Card Reader Driver v1.9e\disk_monitor .exe
c:\program files\Microsoft LifeCam\lifeexp .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Windows Defender\msascui .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAVRID"="c:\program files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [N/A]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2010-04-28 374000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-03-09 1286608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Spyware Doctor.lnk - c:\program files\Spyware Doctor\pctsGui.exe [2010-4-28 3101648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 20:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/28/2010 8:42 PM 218592]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [4/1/2009 10:45 AM 73720]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/28/2010 8:45 PM 112592]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [9/11/2009 7:49 PM 128240]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/28/2010 8:42 PM 366840]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/1/2009 10:45 AM 875000]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [6/15/2009 11:32 AM 760664]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/1/2009 10:45 AM 207352]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [4/1/2009 10:45 AM 205304]
S2 KillTheHooker;KillTheHooker;\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys --> c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor[1].zip\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [7/20/2008 11:32 AM 148352]
S3 memchek;memchek;\??\c:\windows\system32\memchek.sys --> c:\windows\system32\memchek.sys [?]
S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [6/4/2009 12:11 PM 78104]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 0a000000
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 01000000
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 1a000000
uInternet Connection Wizard,ShellNext = 1a000000
uInternet Connection Wizard,ShellNext = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = Microsoft Corporation
uInternet Connection Wizard,ShellNext = MICROSO
uInternet Connection Wizard,ShellNext = 6.0.2600.0000
uInternet Connection Wizard,ShellNext = no
uInternet Connection Wizard,ShellNext = \0
uInternet Connection Wizard,ShellNext = about:NoAdd-ons
uInternet Connection Wizard,ShellNext = about:SecurityRisk
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = yes
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: aetna.com\xtranet
Trusted Zone: aetna.com\xtranet6
Trusted Zone: aetna.com\xtranetx
Trusted Zone: ameritrade.com\research
Trusted Zone: ameritrade.com\wwws
Trusted Zone: cnn.com\politicalticker.blogs
Trusted Zone: cnn.com\sportsillustrated
Trusted Zone: cnn.com\www
Trusted Zone: equifax.com\www.econsumer
Trusted Zone: facebook.com\apps
Trusted Zone: facebook.com\www
Trusted Zone: fannation.com\www
Trusted Zone: garmin.com\www8
Trusted Zone: nawsrc.org\www
Trusted Zone: tdameritrade.com\www
Trusted Zone: toysrus.com\www
Trusted Zone: usana.com\www
Trusted Zone: weather.com\www
Trusted Zone: youtube.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 06:19
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

"ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor [1].zip\TDL3 Razor\TizerBruteForceEx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KillTheHooker]
"ImagePath"="\??\c:\docume~1\vjmure\LOCALS~1\Temp\Temporary Directory 1 for TDL3%20Razor
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1748)
c:\windows\system32\UmxWnp.Dll

- - - - - - - > 'lsass.exe'(1952)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2010-05-13 06:25:06
ComboFix-quarantined-files.txt 2010-05-13 10:25
ComboFix2.txt 2010-05-08 13:39

Pre-Run: 44,847,493,120 bytes free
Post-Run: 44,995,600,384 bytes free

- - End Of File - - 75BDE1F420D64B80D3957D265DA23B36