Posts posted by scogzy

  1. After further investigation of some of the older MB logs I found that Wednesday's log reported finding the Trojan.FakeAlert. AVG showed the Generic23.CKZH Trojan.

    Here is the Malwarebytes Log:

    Malwarebytes' Anti-Malware 1.51.1.1800

    www.malwarebytes.org

    Database version: 7378

    Windows 5.1.2600 Service Pack 3 (Safe Mode)

    Internet Explorer 8.0.6001.18702

    8/4/2011 4:01:24 PM

    mbam-log-2011-08-04 (16-01-24).txt

    Scan type: Full scan (C:\|D:\|)

    Objects scanned: 342129

    Time elapsed: 39 minute(s), 44 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 1

    Folders Infected: 0

    Files Infected: 2

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Sheila\Local Settings\Application Data\ibi.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    c:\documents and settings\Sheila\local settings\Temp\jar_cache31399.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    c:\documents and settings\Sheila\local settings\Temp\jar_cache31400.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Here is the AVG log:

  2. Hi,

    Looks like I got a Trojan. I followed the instructions from the "I'm infected" thread. I hope this is everything needed to get a bit of help with this nasty infection. Two notables worth mentioning: the only way to get Malwarebytes or any of the tools to run was in safe mode, and I could not stop AVG before running ComboFix, but I still ran it.

    Thanx,

    Dan

    --

    Here are my 5 log files:

    Malwarebytes' Anti-Malware 1.51.1.1800

    www.malwarebytes.org

    Database version: 7378

    Windows 5.1.2600 Service Pack 3 (Safe Mode)

    Internet Explorer 8.0.6001.18702

    8/4/2011 5:33:12 PM

    mbam-log-2011-08-04 (17-33-12).txt

    Scan type: Full scan (C:\|D:\|)

    Objects scanned: 342230

    Time elapsed: 36 minute(s), 30 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    End of File=====================================================================

    Logfile of Trend Micro HijackThis v2.0.4

    Scan saved at 11:55:43 PM, on 8/4/2011

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Safe mode with network support

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\explorer.exe

    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll

    O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll

    O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll

    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

    O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

    O4 - HKLM\..\Run: [iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealOne Player\update\realsched.exe" -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab

    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll

    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll

    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe

    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe

    O23 - Service: Google Update Service (gupdate1ca35652e6c81b4) (gupdate1ca35652e6c81b4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - iolo technologies, LLC - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe

    O23 - Service: iolo System Service (ioloSystemService) - iolo technologies, LLC - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe

    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

    --

    End of file - 6740 bytes

    GMER 1.0.15.15641 - http://www.gmer.net

    Rootkit scan 2011-08-04 22:38:12

    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1200AB-22DYA0 rev.15.05R15

    Running: 52n3qtnl.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwldapod.sys

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    .

    DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK

    Internet Explorer: 8.0.6001.18702

    Run by Administrator at 17:54:57 on 2011-08-04

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.800 [GMT -4:00]

    .

    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    .

    ============== Running Processes ===============

    .

    C:\WINDOWS\system32\svchost -k DcomLaunch

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k netsvcs

    svchost.exe

    svchost.exe

    C:\Program Files\Softex\OmniPass\OPXPApp.exe

    C:\WINDOWS\Explorer.EXE

    .

    ============== Pseudo HJT Report ===============

    .

    mSearch Bar = hxxp://srch-us8.hpwis.com/

    uInternet Settings,ProxyOverride = 127.0.0.1

    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

    BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

    BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

    EB: {8F4902B6-6C04-4ade-8052-AA58578A21BD} - No File

    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

    uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

    mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

    mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\unload\hpqcmon.exe

    mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

    mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

    mRun: [nwiz] nwiz.exe /install

    mRun: [PS2] c:\windows\system32\ps2.exe

    mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe

    mRun: [iomega Automatic Backup 1.0.1] c:\program files\iomega\iomega automatic backup\ibackup.exe

    mRun: [AlcxMonitor] ALCXMNTR.EXE

    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

    mRun: [TkBellExe] "c:\program files\real\realone player\update\realsched.exe" -osboot

    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

    DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - hxxp://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    TCP: DhcpNameServer = 192.168.0.2

    TCP: Interfaces\{D3A820ED-D558-4786-8DBE-7E3912C84D2E} : DhcpNameServer = 192.168.0.2

    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

    Notify: igfxcui - igfxsrvc.dll

    Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll

    SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

    Hosts: 127.0.0.1 www.spywareinfo.com

    .

    ============= SERVICES / DRIVERS ===============

    .

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]

    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]

    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]

    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]

    S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]

    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]

    S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]

    S2 gupdate1ca35652e6c81b4;Google Update Service (gupdate1ca35652e6c81b4);c:\program files\google\update\GoogleUpdate.exe [2009-9-14 133104]

    S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-11-18 724152]

    S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-11-18 724152]

    S2 mrtRate;mrtRate; [x]

    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 1025352]

    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]

    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]

    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]

    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-9-14 133104]

    S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-17 1251720]

    .

    =============== File Associations ===============

    .

    JSEFile=NOTEPAD.EXE %1

    VBEFile=NOTEPAD.EXE %1

    VBSFile=NOTEPAD.EXE %1

    .

    =============== Created Last 30 ================

    .

    2011-08-04 20:51:04 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe

    2011-08-04 20:05:01 6144 ----a-w- c:\windows\~DFA26A.tmp

    2011-08-04 19:15:16 6144 ----a-w- c:\windows\~DF2CD9.tmp

    2011-08-04 19:14:30 6144 ----a-w- c:\windows\~DF8962.tmp

    2011-08-04 18:56:08 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

    2011-08-04 18:56:00 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2011-08-04 18:55:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

    2011-08-04 18:55:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2011-08-04 18:34:59 6144 ----a-w- c:\windows\~DF314.tmp

    2011-08-04 18:19:07 -------- d-----w- c:\windows\Favorites

    2011-08-04 18:19:07 -------- d-----w- c:\windows\Desktop

    2011-08-04 17:45:24 -------- d-----w- C:\My Documents

    2011-08-04 17:44:53 -------- d-----w- c:\windows\Application Data

    2011-08-04 17:42:48 6144 ----a-w- c:\windows\~DF49CD.tmp

    2011-08-03 14:36:01 6144 ----a-w- c:\windows\~DFFB58.tmp

    2011-08-03 02:29:30 -------- d-----w- C:\iolo

    2011-08-03 02:00:31 6144 ----a-w- c:\windows\~DF5C12.tmp

    .

    ==================== Find3M ====================

    .

    2011-06-02 14:02:05 1858944 ------w- c:\windows\system32\win32k.sys

    .

    ============= FINISH: 17:55:28.32 ===============

    ComboFix 11-08-04.01 - Administrator 08/04/2011 23:42:28.1.2 - x86 NETWORK

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.703 [GMT -4:00]

    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    c:\documents and settings\Administrator\WINDOWS

    c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk

    c:\documents and settings\Children\WINDOWS

    c:\documents and settings\Default User\WINDOWS

    c:\documents and settings\Eugene Delgaudio #2\WINDOWS

    c:\documents and settings\Sheila\g2mdlhlpx.exe

    c:\documents and settings\Sheila\My Documents\~WRL0380.tmp

    c:\documents and settings\Sheila\My Documents\~WRL1275.tmp

    c:\documents and settings\Sheila\My Documents\~WRL2449.tmp

    c:\documents and settings\Sheila\Templates\wjivoi204s35u41be1v6y10px31lt82c0isxgsv17

    c:\documents and settings\Sheila\WINDOWS

    c:\program files\messenger\msmsgsin.exe

    c:\program files\Shared

    c:\windows\desktop

    c:\windows\system32\config\systemprofile\WINDOWS

    c:\windows\system32\ps2.bat

    D:\Autorun.inf

    .

    .

    ((((((((((((((((((((((((( Files Created from 2011-07-05 to 2011-08-05 )))))))))))))))))))))))))))))))

    .

    .

    2011-08-05 03:31 . 2011-08-05 03:31 114688 ----a-w- c:\windows\~DF1AF2.tmp

    2011-08-05 03:07 . 2011-08-05 03:07 -------- d-----w- C:\Malwarebytes

    2011-08-04 20:05 . 2011-08-04 20:05 6144 ----a-w- c:\windows\~DFA26A.tmp

    2011-08-04 19:15 . 2011-08-04 19:15 6144 ----a-w- c:\windows\~DF2CD9.tmp

    2011-08-04 19:14 . 2011-08-04 19:14 6144 ----a-w- c:\windows\~DF8962.tmp

    2011-08-04 18:56 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2011-08-04 18:55 . 2011-08-04 19:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2011-08-04 18:55 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

    2011-08-04 18:54 . 2011-08-05 03:50 -------- d-----w- c:\documents and settings\Administrator

    2011-08-04 18:34 . 2011-08-04 18:35 6144 ----a-w- c:\windows\~DF314.tmp

    2011-08-04 18:19 . 2011-08-04 18:19 -------- d-----w- c:\windows\Favorites

    2011-08-04 17:59 . 2011-08-04 17:59 -------- d-----w- c:\documents and settings\Sheila\is-7GDSB.tmp

    2011-08-04 17:45 . 2011-08-04 17:45 -------- d-----w- C:\My Documents

    2011-08-04 17:44 . 2011-08-04 17:44 -------- d-----w- c:\windows\Application Data

    2011-08-04 17:42 . 2011-08-04 18:02 6144 ----a-w- c:\windows\~DF49CD.tmp

    2011-08-03 14:36 . 2011-08-03 14:36 6144 ----a-w- c:\windows\~DFFB58.tmp

    2011-08-03 02:29 . 2011-08-03 02:29 -------- d-----w- C:\iolo

    2011-08-03 02:00 . 2011-08-03 02:00 6144 ----a-w- c:\windows\~DF5C12.tmp

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2011-06-02 14:02 . 2003-06-05 00:12 1858944 ------w- c:\windows\system32\win32k.sys

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

    2011-05-30 15:33 2495816 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-30 2495816]

    .

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    .

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "NVIEW"="nview.dll" [2003-05-02 835654]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-12 114688]

    "CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 69632]

    "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-18 69632]

    "StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

    "nwiz"="nwiz.exe" [2003-05-02 323584]

    "PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]

    "ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]

    "Iomega Automatic Backup 1.0.1"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 3014656]

    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

    "AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]

    "TkBellExe"="c:\program files\Real\RealOne Player\update\realsched.exe" [2011-01-03 274608]

    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]

    .

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2003-03-31 86016]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]

    2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

    .

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

    @="Driver"

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "AntiVirusOverride"=dword:00000001

    "FirewallOverride"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

    "DisableMonitoring"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    "DisableMonitoring"=dword:00000001

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

    "DisableMonitoring"=dword:00000001

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "DisableNotifications"= 1 (0x1)

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\WINDOWS\\system32\\sessmgr.exe"=

    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    "c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=

    "c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=

    "c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=

    "c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

    "AllowInboundEchoRequest"= 1 (0x1)

    .

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 5:27 PM 22992]

    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]

    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 4:49 AM 297168]

    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 4:48 AM 248656]

    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]

    S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]

    S2 gupdate1ca35652e6c81b4;Google Update Service (gupdate1ca35652e6c81b4);c:\program files\Google\Update\GoogleUpdate.exe [9/14/2009 1:59 PM 133104]

    S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [11/18/2010 12:08 AM 724152]

    S2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [11/18/2010 12:08 AM 724152]

    S2 mrtRate;mrtRate; [x]

    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [5/12/2011 5:18 PM 1025352]

    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 10:42 PM 134480]

    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 10:42 PM 24144]

    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 10:42 PM 27216]

    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/14/2009 1:59 PM 133104]

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2011-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 19:21]

    .

    2011-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-14 17:59]

    .

    2011-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-14 17:59]

    .

    2011-08-04 c:\windows\Tasks\Malwarebytes' Anti-Malware scan.job

    - c:\progra~1\MALWAR~1\mbam.exe [2011-08-04 23:52]

    .

    2011-08-04 c:\windows\Tasks\Malwarebytes' Anti-Malware.job

    - c:\progra~1\MALWAR~1\mbam.exe [2011-08-04 23:52]

    .

    2011-08-04 c:\windows\Tasks\mbam-setup.job

    - K:\mbam-setup.exe [2011-08-04 00:05]

    .

    2011-08-05 c:\windows\Tasks\User_Feed_Synchronization-{648CB0C4-031B-4062-8003-AF30C587015B}.job

    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

    .

    .

    ------- Supplementary Scan -------

    .

    mSearch Bar = hxxp://srch-us8.hpwis.com/

    uInternet Settings,ProxyOverride = 127.0.0.1

    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll

    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

    .

    .

    ------- File Associations -------

    .

    JSEFile=NOTEPAD.EXE %1

    .

    - - - - ORPHANS REMOVED - - - -

    .

    AddRemove-WinFax - c:\program files\WinFax\WFXUNIST.ISU

    .

    .

    .

    **************************************************************************

    .

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2011-08-04 23:52

    Windows 5.1.2600 Service Pack 3 NTFS

    .

    scanning hidden processes ...

    .

    scanning hidden autostart entries ...

    .

    scanning hidden files ...

    .

    scan completed successfully

    hidden files: 0

    .

    **************************************************************************

    .

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

    "ImagePath"="\"\""

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    .

    - - - - - - - > 'winlogon.exe'(352)

    c:\program files\Softex\OmniPass\opxpgina.dll

    .

    Completion time: 2011-08-04 23:54:37

    ComboFix-quarantined-files.txt 2011-08-05 03:54

    .

    Pre-Run: 62,187,483,136 bytes free

    Post-Run: 62,241,116,160 bytes free

    .

    - - End Of File - - 5894E4C071B4DEF33AB6BDFC831EF144
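An added triage example, not part of either post above and not the output of any of the tools in the thread. It parses the finding lines of the Malwarebytes' Anti-Malware 1.x log format shown in the first post ("<object> (<Detection>) -> <action>.") and, for the Hijack.StartMenuInternet entry, splits the "Bad: (...) Good: (...)" values to show what the hijack actually did: a binary dropped in the user's profile (ibi.exe) was put in front of iexplore.exe while still passing the real browser along, so the user sees nothing change. The sample lines are quoted from the first post; the section tracking, the list of user-profile roots and the two flags the report computes are this example's own assumptions, not anything MBAM itself reports.

```python
"""Added triage example for the Malwarebytes' Anti-Malware 1.x log format
posted above. It is not part of the original thread or of any tool output:
it parses finding lines ("<object> (<Detection>) -> <action>.") and, for
Hijack.StartMenuInternet entries, pulls apart the "Bad: (...) Good: (...)"
values so the interposed launcher can be inspected."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: finding lines quoted from the first post's MBAM log.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Sheila\Local Settings\Application Data\ibi.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Sheila\local settings\Temp\jar_cache31399.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Sheila\local settings\Temp\jar_cache31400.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Plain finding: "<object> (<Detection.Name>) -> <action>."
FINDING_RE = re.compile(r"^(?P<obj>.+?) \((?P<det>[A-Za-z0-9_.]+)\) -> (?P<action>.+?)\.?$")
# Registry-data finding: "<key> (<Detection>) -> Bad: (<bad>) Good: (<good>) -> <action>."
DATA_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<det>[A-Za-z0-9_.]+)\) -> Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+?)\.?$"
)
QUOTED_EXE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)
# Per-user writable roots (assumption: XP and Vista+ profile layouts).
USER_PROFILE_ROOTS = ("\\documents and settings\\", "\\users\\")


@dataclass
class Finding:
    section: str
    obj: str
    detection: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log, remembering the current '... Infected:' section header."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        m = DATA_RE.match(line) or FINDING_RE.match(line)
        if m:
            gd = m.groupdict()
            findings.append(Finding(section, gd["obj"], gd["det"], gd["action"],
                                    gd.get("bad"), gd.get("good")))
    return findings


def launcher_of(command: str) -> str:
    """First executable named in a shell\\open\\command value (quoted or bare)."""
    m = QUOTED_EXE.search(command)
    return m.group(1) if m else command.split()[0]


def triage_start_menu_hijacks(findings: List[Finding]) -> List[Dict[str, object]]:
    """For each Hijack.StartMenuInternet entry report which binary was interposed
    in front of the browser, whether it lives in a user-writable profile path,
    and whether it still passes the real browser along (so the user sees no change)."""
    report: List[Dict[str, object]] = []
    for f in findings:
        if f.detection != "Hijack.StartMenuInternet" or not f.bad or not f.good:
            continue
        launcher = launcher_of(f.bad)
        expected = ntpath.basename(f.good).lower()
        report.append({
            "key": f.obj,
            "launcher": launcher,
            "expected": f.good,
            "in_user_profile": any(r in launcher.lower() for r in USER_PROFILE_ROOTS),
            "wraps_expected": ntpath.basename(launcher).lower() != expected
                              and expected in f.bad.lower(),
        })
    return report


if __name__ == "__main__":
    for hit in triage_start_menu_hijacks(parse_mbam_log(SAMPLE_LOG)):
        print(hit)
```

The two flags are what a responder checks by hand on a log like this: a launcher under the user's profile (writable without admin rights, which is why fake-AV droppers favour Local Settings\Application Data and Temp) and a command that still names the legitimate iexplore.exe, which is how the hijack stays invisible to the user. The same split applies to the "Good:" value when verifying the repair afterwards: the StartMenuInternet command should once again be the bare browser executable.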
