
Please Help Finally able to get logs


zen21


Hello,

I was finally able to get logs without getting blue screened. I ran Malwarebytes 2 times, once in safe mode and once when I rebooted in normal mode. I had to do it this way because I would get blue screened in both Malwarebytes and Spybot when running from Win XP in normal mode. I will post both Malwarebytes logs and the other below. I would greatly appreciate any help provided. Thanks in advance.

First Malwarebytes scan done in safe mode

Malwarebytes' Anti-Malware 1.31

Database version: 1537

Windows 5.1.2600 Service Pack 3

12/23/2008 1:56:04 PM

mbam-log-2008-12-23 (13-56-04).txt

Scan type: Quick Scan

Objects scanned: 53723

Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 10

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 51

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{1408e208-2ac1-42d3-9f10-78a5b36e05ac} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a744f16c-b2d5-4138-81a2-085cdfcde83a} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{a744f16c-b2d5-4138-81a2-085cdfcde83a} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\43f7cbdd (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\43f7cbdd (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\43f7cbdd (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc (Trojan.MyDoom) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\webproxy (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\CbEvtSvc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv681229976527.cpx (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\43f7cbdd.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\TDSSpaxt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\setupapi.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\Program Files\Internet Explorer\setupapi.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RCTO5OV\install[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QR2PM1A7\ftp[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Application Data\638097440.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\msauc.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\shell31.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv071229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv111229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv131229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv171229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv271229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv291229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv301229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv301229732492.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv331229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv341229999452.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv381229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv421229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv461229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv521229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv561229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv611229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv681229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv731229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv781229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv821229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv871229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv941229732464.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv951229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv961229732545.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv971229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\homepage.html (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\pharma.txt (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\other.txt (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\finance.txt (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\adult.txt (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lt.res (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\aol.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\gmail.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\google.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\live.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\search.yahoo.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\index.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Second Scan done after rebooting in normal mode

Malwarebytes' Anti-Malware 1.31

Database version: 1537

Windows 5.1.2600 Service Pack 3

12/23/2008 2:11:08 PM

mbam-log-2008-12-23 (14-11-08).txt

Scan type: Quick Scan

Objects scanned: 54338

Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\MyComputer\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

Active Scan Log

;********************************************************************************

ANALYSIS: 2008-12-23 15:57:31

PROTECTIONS: 0

MALWARE: 13

SUSPECTS: 1

;********************************************************************************

PROTECTIONS

Description Version Active Updated

;================================================================================

;================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;================================================================================

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@atdmt[2].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@247realmedia[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@tribalfusion[2].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@com[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@serving-sys[2].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@bs.serving-sys[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@advertising[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@ads.pointroll[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@realmedia[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@questionmarket[2].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@go[1].txt

00444112 Bck/Tdss.C Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{37F2E228-8618-4D5D-8031-13E4B18ABD0D}\RP108\A0041778.sys

04373460 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{37F2E228-8618-4D5D-8031-13E4B18ABD0D}\RP108\A0041777.sys

;================================================================================

SUSPECTS

Sent Location

;================================================================================

No C:\Program Files\AIM\Backup\uninstall.exe

;================================================================================

VULNERABILITIES

Id Severity Description

;================================================================================

;================================================================================

Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:01:11 PM, on 12/23/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Razer\Copperhead\razerhid.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Razer\Copperhead\razertra.exe

C:\Program Files\Razer\Copperhead\razerofa.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\MyComputer\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: HTTP SSL HTTPFilterNetman (HTTPFilterNetman) - Unknown owner - C:\WINDOWS\system32\wpv301229732492.cpx.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 4287 bytes


Download ComboFix from one of the locations below, and save it to your Desktop.

Double-click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


COMBO FIX LOG

ComboFix 08-12-28.01 - MyComputer 2008-12-28 15:59:46.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1542 [GMT -5:00]

Running from: c:\documents and settings\MyComputer\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\0EB9F12C_6E6B_4c03_AEBA_8C04CFA98AA4.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\15913497_F86C_4218_8817_F50940D1E1B2.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\29887DDE_00B9_4011_9CF7_59511F1ECC1B.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\35B7DFFA_884F_4fbc_8E60_DA601BDC7BF7.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\362FD6E8_8CDA_4c2a_A8AA-BDA22B321711.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\3DF04940_9866_4241_A998_0CDDFAFD147A.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\426500D7_0FF3_426c_828D_065DBAEA0581.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\478BD4AE_2691_438d_BDCA_3485DC022700.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\5C6C645F_BAA8_4149_BFEB_2031230FF0FD.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\61EA7D69_19D4_421a_A899_0DF4D58CD119.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\777FDAFB_83CF_4960_AA71_4E5D7BCD8E57.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\8DA878D5_E80B_4721_B75A_17EFFAF1A700.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\98F6DF79_7171_452d_9C26_C0193E12DBDF.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\A2B240D6_0386_419e_91C5_3F7D90437CD0.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\C75CEF8D_5AF4_4563_8594_C45A45E14E63.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\E21285C1_40E6_435c_A69F_3387E7BD89CB.gif

c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\E9A4D648_ED73_4ea7_88B2_18332DBA4F3E.38

c:\windows\system32\au3305adc.dll

c:\windows\wiaserviv.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_CBEVTSVC

-------\Legacy_TDSSSERV.SYS

-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))

.

2008-12-23 14:51 . 2008-12-23 14:51 <DIR> d-------- c:\program files\Panda Security

2008-12-23 14:51 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-23 14:11 . 2008-12-23 14:11 61,440 --a------ c:\windows\system32\drivers\sdnmctyw.sys

2008-12-23 14:02 . 2008-12-23 14:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-23 13:49 . 2008-12-23 13:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2008-12-23 13:06 . 2008-12-23 14:00 <DIR> d-------- c:\documents and settings\MyComputer\Application Data\SUPERAntiSpyware.com

2008-12-23 13:06 . 2008-12-23 13:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-23 12:53 . 2008-12-23 12:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-23 12:53 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-23 12:53 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-22 20:49 . 2008-12-22 20:49 <DIR> d-------- c:\documents and settings\MyComputer\Application Data\Malwarebytes

2008-12-22 20:49 . 2008-12-22 20:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-22 20:31 . 2008-12-22 20:31 <DIR> d-------- c:\documents and settings\Administrator

2008-12-19 11:34 . 2008-12-19 11:34 32 --a-s---- c:\windows\system32\283363896.dat

2008-12-19 11:26 . 2008-12-19 11:26 <DIR> d-------- c:\program files\iTunes

2008-12-19 11:26 . 2008-12-19 11:26 <DIR> d-------- c:\program files\iPod

2008-12-19 11:26 . 2008-12-19 11:26 <DIR> d-------- c:\program files\Bonjour

2008-12-19 11:26 . 2008-12-19 11:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-19 11:26 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll

2008-12-19 11:26 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys

2008-12-04 19:31 . 2008-12-04 19:31 <DIR> d-------- c:\program files\MSECache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-28 14:22 --------- d-----w c:\documents and settings\MyComputer\Application Data\Azureus

2008-12-28 04:13 --------- d-----w c:\program files\Zoom Player

2008-12-28 02:03 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2008-12-23 19:15 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-23 19:11 676 ----a-w c:\program files\pmzluicz.txt

2008-12-19 16:16 --------- d-----w c:\program files\Common Files\Apple

2008-12-13 03:12 --------- d-----w c:\program files\BugsysClub Software

2008-12-06 18:42 --------- d-----w c:\program files\Azureus

2008-11-22 19:10 --------- d-----w c:\program files\Motorola Phone Tools

2008-11-22 19:08 --------- d-----w c:\program files\Avanquest update

2008-11-21 02:48 --------- d-----w c:\program files\QuickTime

2008-11-21 02:44 --------- d-----w c:\program files\Safari

2008-11-12 08:00 --------- d-----w c:\program files\MSXML 4.0

2008-11-12 01:03 --------- d-----w c:\program files\Starcraft

2008-11-08 00:22 --------- d-----w c:\documents and settings\MyComputer\Application Data\ATI

2008-11-08 00:22 --------- d-----w c:\documents and settings\All Users\Application Data\ATI

2008-11-08 00:18 --------- d-----w c:\program files\ATI

2008-11-08 00:00 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-08 00:00 --------- d-----w c:\program files\ATI Technologies

2008-10-18 04:38 94,208 ----a-w c:\windows\ScUnin.exe

2007-11-08 03:52 22,328 ----a-w c:\documents and settings\MyComputer\Application Data\PnkBstrK.sys

2007-10-12 03:10 24,192 ----a-w c:\documents and settings\MyComputer\usbsermptxp.sys

2007-10-12 03:10 22,768 ----a-w c:\documents and settings\MyComputer\usbsermpt.sys

2008-08-22 00:40 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Copperhead"="c:\program files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk

backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

-ra------ 2008-09-26 11:02 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

--a------ 2006-08-01 14:35 67112 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]

--a------ 2007-10-04 18:38 307200 c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2007-09-22 22:27 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPod Service"=3 (0x3)

"Schedule"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"WmdmPmSN"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"Bonjour Service"=2 (0x2)

"mnmsrvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF21.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

Contents of the 'Scheduled Tasks' folder

2008-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2007-12-14 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1197602648.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-lsass driver - c:\windows\msauc.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.netflix.com/MemberHome

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\MyComputer\Application Data\Mozilla\Firefox\Profiles\qi4vmjhw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.surfinfo.com

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-28 16:04:05

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\drivers\win32x.sys 12544 bytes executable

c:\windows\system32\win32x.exe 26112 bytes executable

c:\windows\system32\userinit.exe 74240 bytes executable

scan completed successfully

hidden files: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\win32x]

"ImagePath"="\??\c:\windows\system32\drivers\win32x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilterNetman]

"ImagePath"="c:\windows\system32\wpv301229732492.cpx srv"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Razer\Copperhead\razertra.exe

c:\program files\Razer\Copperhead\razerofa.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\windows\system32\imapi.exe

.

**************************************************************************

.

Completion time: 2008-12-28 16:10:12 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-28 21:09:34

Pre-Run: 42,992,156,672 bytes free

Post-Run: 43,528,630,272 bytes free

202 --- E O F --- 2008-12-18 21:49:05

===========================

Hijackthis LOG

===========================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:34:31 PM, on 12/28/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Razer\Copperhead\razerhid.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Razer\Copperhead\razertra.exe

C:\Program Files\Razer\Copperhead\razerofa.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Documents and Settings\MyComputer\Desktop\HiJackThis.exe

C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: HTTP SSL HTTPFilterNetman (HTTPFilterNetman) - Unknown owner - C:\WINDOWS\system32\wpv301229732492.cpx.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--

End of file - 4278 bytes

On a side note, should I have the Recovery Console installed?

Thanks

Link to post
Share on other sites

Open Notepad and copy and paste in the following:

rem Collect the suspect files for analysis; /h copies hidden and system files, /y suppresses prompts.
MD "%USERPROFILE%"\desktop\malware
xcopy c:\windows\system32\drivers\win32x.sys "%USERPROFILE%"\desktop\malware /c /q /r /h /y
xcopy c:\windows\system32\win32x.exe "%USERPROFILE%"\desktop\malware /c /q /r /h /y
xcopy c:\windows\system32\drivers\sdnmctyw.sys "%USERPROFILE%"\desktop\malware /c /q /r /h /y
rem Clear the attributes on the copies so they can be zipped and attached.
Attrib -s -r -h "%USERPROFILE%"\desktop\malware\*.*

Save it as getmalware.bat to the desktop and double-click on it to run it. It will create a folder called malware on your desktop. Please zip up this folder and attach that zipped file here in a new topic with a link to this thread. I will get back to you once they have been analyzed.

Link to post
Share on other sites

New Log

Malwarebytes' Anti-Malware 1.31

Database version: 1582

Windows 5.1.2600 Service Pack 3

12/31/2008 7:18:48 AM

mbam-log-2008-12-31 (07-18-48).txt

Scan type: Quick Scan

Objects scanned: 51598

Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\MyComputer\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

Link to post
Share on other sites

Open Notepad & copy and paste in the following:

rem Stop and remove the rogue service, then put the dllcache copy of userinit.exe back in place.
sc stop "HTTPFilterNetman"
sc delete "HTTPFilterNetman"
copy "c:\windows\system32\dllcache\userinit.exe" "c:\windows\system32\userinit.exe"

Save it as fix.bat to the desktop. Double-click on it and it will quickly run; after it's done you can delete it.

Then update Malwarebytes and scan and post a new log. :)

Link to post
Share on other sites

Here's the new log. That same stuff is still showing.

Malwarebytes' Anti-Malware 1.31

Database version: 1587

Windows 5.1.2600 Service Pack 3

12/31/2008 7:52:48 PM

mbam-log-2008-12-31 (19-52-42).txt

Scan type: Quick Scan

Objects scanned: 51631

Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\MyComputer\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> No action taken.

Link to post
Share on other sites

Here are the latest logs. Still showing the same. I updated and removed.

Malwarebytes' Anti-Malware 1.31

Database version: 1589

Windows 5.1.2600 Service Pack 3

1/1/2009 5:31:09 PM

mbam-log-2009-01-01 (17-31-09).txt

Scan type: Quick Scan

Objects scanned: 51776

Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\MyComputer\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

Link to post
Share on other sites

Download Lop S&D < here

Double-click Lop S&D.exe

Choose the language, then choose Option 1 (Search)

Wait till the end of the scan

Post the log which is created: (%SystemDrive%\lopR.txt)

-----------

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the Scan All Users checkbox on the toolbar.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).

Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.

Link to post
Share on other sites

Here is Lop S&D. I'll post the other one in a few.

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3

X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.20GHz )

BIOS : Phoenix ROM BIOS PLUS Version 1.10 A08

USER : MyComputer ( Administrator )

BOOT : Normal boot

C:\ (Local Disk) - NTFS - Total:70 Go (Free:40 Go)

D:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)

E:\ (Local Disk) - NTFS - Total:232 Go (Free:181 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )

Option : [1] ( Fri 01/02/2009|15:03 )

--------------------\\ Listing folders in APPLIC~1

[12/23/2008|01:49] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Malwarebytes

[09/22/2007|01:54] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft

[12/19/2008|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}

[12/23/2008|12:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe

[09/22/2007|04:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL

[09/22/2007|04:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL Downloads

[09/22/2007|06:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple

[09/22/2007|06:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer

[11/07/2008|07:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> ATI

[09/22/2007|05:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BVRP Software

[12/22/2008|08:49] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes

[09/22/2007|01:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft

[12/23/2008|02:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy

[12/23/2008|01:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SUPERAntiSpyware.com

[09/22/2007|02:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage

[11/07/2007|09:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WinZip

[09/22/2007|01:54] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[09/23/2007|12:53] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[12/23/2008|12:51] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Adobe

[09/22/2007|04:12] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Aim

[10/25/2007|08:29] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Apple Computer

[11/07/2008|07:22] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> ATI

[01/02/2009|07:11] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Azureus

[09/22/2007|08:52] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> DivX

[03/31/2008|05:23] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> dvdcss

[12/05/2007|03:56] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Google

[10/26/2007|08:17] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Hewlett-Packard

[09/22/2007|01:58] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Identities

[09/23/2007|10:53] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> ImgBurn

[09/22/2007|03:13] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> InstallShield

[09/22/2007|03:11] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Macromedia

[12/22/2008|08:49] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Malwarebytes

[11/18/2007|06:45] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Media Player Classic

[02/09/2008|05:41] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Microsoft

[09/22/2007|04:08] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Mozilla

[09/22/2007|10:27] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Real

[09/23/2007|03:16] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Sun

[12/23/2008|02:00] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> SUPERAntiSpyware.com

[09/22/2007|08:55] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> vlc

[11/11/2007|09:10] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> WinRAR

[09/22/2007|01:54] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[08/10/2008 05:18 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[12/13/2007 10:24 PM][--a------] C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1197602648.job

[09/23/2007 07:50 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT

[08/12/2004 09:01 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[11/26/2007|05:15] C:\Program Files\<DIR> Activision

[12/07/2008|06:16] C:\Program Files\<DIR> Adobe

[09/22/2007|04:21] C:\Program Files\<DIR> AIM

[04/15/2008|06:48] C:\Program Files\<DIR> Apollo DVD Copy

[08/10/2008|05:18] C:\Program Files\<DIR> Apple Software Update

[08/02/2008|02:18] C:\Program Files\<DIR> Aspyr

[11/07/2008|07:18] C:\Program Files\<DIR> ATI

[11/07/2008|07:00] C:\Program Files\<DIR> ATI Technologies

[11/22/2008|02:08] C:\Program Files\<DIR> Avanquest update

[03/30/2008|08:02] C:\Program Files\<DIR> AVI MPEG RM WMV Joiner

[12/06/2008|01:42] C:\Program Files\<DIR> Azureus

[08/08/2008|06:18] C:\Program Files\<DIR> BitPim

[12/19/2008|11:26] C:\Program Files\<DIR> Bonjour

[09/22/2007|02:10] C:\Program Files\<DIR> Broadcom

[12/12/2008|10:12] C:\Program Files\<DIR> BugsysClub Software

[12/28/2008|04:01] C:\Program Files\<DIR> Common Files

[09/22/2007|08:17] C:\Program Files\<DIR> Creative

[09/23/2007|10:44] C:\Program Files\<DIR> DivX

[09/23/2007|05:22] C:\Program Files\<DIR> EA GAMES

[12/05/2007|03:56] C:\Program Files\<DIR> Google

[10/26/2007|08:10] C:\Program Files\<DIR> Hewlett-Packard

[09/23/2007|10:53] C:\Program Files\<DIR> ImgBurn

[11/07/2008|07:00] C:\Program Files\<DIR> InstallShield Installation Information

[12/22/2008|08:12] C:\Program Files\<DIR> Internet Explorer

[12/19/2008|11:26] C:\Program Files\<DIR> iPod

[12/19/2008|11:26] C:\Program Files\<DIR> iTunes

[09/22/2007|05:26] C:\Program Files\<DIR> Java

[09/22/2007|11:03] C:\Program Files\<DIR> K-Lite Codec Pack

[12/23/2008|12:53] C:\Program Files\<DIR> Malwarebytes' Anti-Malware

[08/23/2008|02:00] C:\Program Files\<DIR> Messenger

[09/27/2007|08:36] C:\Program Files\<DIR> Microsoft ActiveSync

[09/22/2007|01:55] C:\Program Files\<DIR> microsoft frontpage

[12/04/2008|07:31] C:\Program Files\<DIR> Microsoft Office

[12/16/2007|07:31] C:\Program Files\<DIR> Motorola

[11/22/2008|02:10] C:\Program Files\<DIR> Motorola Phone Tools

[08/21/2008|07:33] C:\Program Files\<DIR> Movie Maker

[01/02/2009|02:59] C:\Program Files\<DIR> Mozilla Firefox

[12/04/2008|07:31] C:\Program Files\<DIR> MSECache

[08/21/2008|07:33] C:\Program Files\<DIR> msn

[09/22/2007|01:52] C:\Program Files\<DIR> MSN Gaming Zone

[11/12/2008|03:00] C:\Program Files\<DIR> MSXML 4.0

[09/23/2007|10:50] C:\Program Files\<DIR> NCH Swift Sound

[12/13/2007|09:11] C:\Program Files\<DIR> Netflix

[08/21/2008|07:32] C:\Program Files\<DIR> NetMeeting

[09/22/2007|04:23] C:\Program Files\<DIR> No1 DVD Ripper

[08/21/2008|07:32] C:\Program Files\<DIR> Outlook Express

[12/23/2008|02:51] C:\Program Files\<DIR> Panda Security

[11/20/2008|09:48] C:\Program Files\<DIR> QuickTime

[09/22/2007|03:13] C:\Program Files\<DIR> Razer

[09/23/2007|01:57] C:\Program Files\<DIR> Real

[09/23/2007|01:58] C:\Program Files\<DIR> RealMedia

[11/20/2008|09:44] C:\Program Files\<DIR> Safari

[12/23/2008|02:14] C:\Program Files\<DIR> Spybot - Search & Destroy

[11/11/2008|08:03] C:\Program Files\<DIR> Starcraft

[09/22/2007|01:58] C:\Program Files\<DIR> Uninstall Information

[09/22/2007|06:54] C:\Program Files\<DIR> VideoLAN

[09/23/2007|04:42] C:\Program Files\<DIR> Windows Media Connect 2

[08/21/2008|07:32] C:\Program Files\<DIR> Windows Media Player

[08/21/2008|07:32] C:\Program Files\<DIR> Windows NT

[09/22/2007|01:54] C:\Program Files\<DIR> WindowsUpdate

[11/17/2007|08:46] C:\Program Files\<DIR> WinRAR

[11/07/2007|09:57] C:\Program Files\<DIR> WinZip

[09/22/2007|01:55] C:\Program Files\<DIR> xerox

[09/22/2007|09:52] C:\Program Files\<DIR> Zero G Registry

[12/27/2008|11:13] C:\Program Files\<DIR> Zoom Player

--------------------\\ Listing Folders in C:\Program Files\Common Files

[02/29/2008|07:20] C:\Program Files\Common Files\<DIR> Adobe

[12/19/2008|11:16] C:\Program Files\Common Files\<DIR> Apple

[10/18/2008|06:14] C:\Program Files\Common Files\<DIR> Blizzard Entertainment

[09/22/2007|09:06] C:\Program Files\Common Files\<DIR> Designer

[10/26/2007|08:10] C:\Program Files\Common Files\<DIR> Hewlett-Packard

[09/22/2007|02:59] C:\Program Files\Common Files\<DIR> InstallShield

[09/22/2007|05:26] C:\Program Files\Common Files\<DIR> Java

[12/04/2008|07:31] C:\Program Files\Common Files\<DIR> Microsoft Shared

[09/22/2007|05:38] C:\Program Files\Common Files\<DIR> Motorola Shared

[09/22/2007|01:53] C:\Program Files\Common Files\<DIR> MSSoap

[09/22/2007|09:46] C:\Program Files\Common Files\<DIR> ODBC

[09/22/2007|10:27] C:\Program Files\Common Files\<DIR> Real

[09/22/2007|01:53] C:\Program Files\Common Files\<DIR> Services

[09/22/2007|09:45] C:\Program Files\Common Files\<DIR> SpeechEngines

[08/21/2008|07:32] C:\Program Files\Common Files\<DIR> System

[09/22/2007|10:27] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 30 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\MYCOMP~1\Cookies\mycomputer@advertising[2].txt

C:\DOCUME~1\MYCOMP~1\Cookies\mycomputer@adopt.euroclick[2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-02 15:04:22

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden files ...

C:\WINDOWS\System32\win32x.exe 26112 bytes executable

C:\WINDOWS\System32\drivers\win32x.sys 12544 bytes executable

C:\WINDOWS\System32\userinit.exe 74240 bytes executable

scan completed successfully

hidden processes: 0

hidden files: 3

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\MYCOMP~1\Recent\[isoHunt] WinRar 3.71 final keygen (Works 100% ).torrent.lnk

[F:43][D:4]-> C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp

[F:151][D:0]-> C:\DOCUME~1\MYCOMP~1\Cookies

[F:501][D:4]-> C:\DOCUME~1\MYCOMP~1\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Fri 01/02/2009|15:05 - Option : [1]

--------------------\\ Scan completed at 15:05:17

Link to post
Share on other sites
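The logs in this thread can be triaged mechanically, and doing so makes the pattern in them explicit. The following is an added example, not code from any of the posts above nor from Malwarebytes, ComboFix, HijackThis or catchme: it parses the line formats those tools produced here (copied below as constructed sample input) and flags what an analyst reads off them by hand: a service whose ImagePath is a file catchme reports as hidden, a service name built around a legitimate one (HTTPFilterNetman around HTTPFilter, the real "HTTP SSL" service on XP), an ImagePath with a non-executable extension or a missing file, userinit.exe copies in Startup folders, and detections that the Dec 31 and Jan 1 scans above report again after a "Quarantined and deleted successfully". The legitimate-service allowlist, the core-binary list, the severity labels and the Startup-folder rule are the example's own assumptions.

```python
"""Triage the XP cleanup logs posted above. Added example, not code from the posts
or from Malwarebytes, ComboFix, HijackThis or catchme: it parses those tools' log
lines and checks what an analyst reads off them by hand. Sample lines are copied
from the thread; the service allowlist and the severity labels are assumptions."""
import re
from collections import defaultdict

LEGIT_SERVICES = ("HTTPFilter", "Netman", "Ati HotKey Poller", "PnkBstrA")  # assumed allowlist
CORE_BINARIES = {"userinit.exe", "winlogon.exe", "explorer.exe", "lsass.exe"}  # assumed
KNOWN_EXT = {"exe", "sys"}
SEVERITY = ("critical", "high", "medium")
REMOVED = {"Quarantined and deleted successfully", "Delete on reboot"}  # MBAM's own wording
HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) (?P<size>\d+) bytes \w+$", re.I)  # catchme
SVC_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.I)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>.*)"$')  # ComboFix, follows a service key
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - .+? - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")  # HijackThis
MBAM_RE = re.compile(r"^(?P<item>.+?) \([\w.]+\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$")

def parse(log_text):
    """Collect hidden files, services (every ImagePath seen) and MBAM detections."""
    rec = {"hidden": {}, "detections": [], "services": defaultdict(lambda: {"images": set(), "missing": False})}
    current = None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := HIDDEN_RE.match(line):
            rec["hidden"][m["path"].lower()] = int(m["size"])
        elif m := SVC_KEY_RE.match(line):
            current = rec["services"][m["name"]]
        elif (m := IMAGEPATH_RE.match(line)) and current is not None:
            current["images"].add(m["path"])
        elif m := O23_RE.match(line):
            svc = rec["services"][m["name"] or m["display"]]
            svc["images"].add(m["path"])
            svc["missing"] |= bool(m["missing"])
        elif m := MBAM_RE.match(line):
            rec["detections"].append((m["item"], m["data"], m["action"]))
    return rec

def image_binary(image_path):
    """Strip the \\??\\ prefix and trailing arguments from a service ImagePath."""
    parts = image_path.removeprefix("\\??\\").split()
    for i in range(1, len(parts) + 1):  # grow until a known extension ends the token
        cand = " ".join(parts[:i])
        if cand.rsplit(".", 1)[-1].lower() in KNOWN_EXT:
            return cand.lower()
    return parts[0].lower()

def triage(rec):
    """Return (severity, message) findings, most severe first."""
    out = set()
    for path, size in rec["hidden"].items():  # a hidden core binary is the worst case
        sev = "critical" if path.rsplit("\\", 1)[-1] in CORE_BINARIES else "high"
        out.add((sev, f"rootkit-hidden file {path} ({size} bytes)"))
    for name, svc in rec["services"].items():
        low = name.lower()
        for legit in LEGIT_SERVICES:  # lookalike: a real name with something bolted on
            if low != legit.lower() and (low.startswith(legit.lower()) or low.endswith(legit.lower())):
                out.add(("high", f"service {name} imitates legitimate service {legit}"))
                break
        if svc["missing"]:
            out.add(("medium", f"service {name}: image file missing (orphaned entry)"))
        for image in svc["images"]:
            binary = image_binary(image)
            if binary in rec["hidden"]:
                out.add(("critical", f"service {name} is backed by hidden file {binary}"))
            if binary.rsplit(".", 1)[-1] not in KNOWN_EXT:
                out.add(("high", f"service {name} image has unusual extension: {image}"))
    for item, data, _ in rec["detections"]:  # userinit.exe belongs in system32 only
        target = (data or item).lower()
        if target.endswith("\\userinit.exe") and "\\startup\\" in target:
            out.add(("high", f"userinit.exe copy in Startup folder: {item}"))
    return sorted(out, key=lambda f: (SEVERITY.index(f[0]), f[1]))

def recurring_detections(scans):
    """Items one scan reported removed that a later scan reports again: the dropper is still alive."""
    removed, recurring = set(), set()
    for detections in scans:
        for item, data, action in detections:
            key = (item.lower(), (data or "").lower())
            if key in removed:
                recurring.add(item)
            if action in REMOVED:
                removed.add(key)
    return sorted(recurring)

# Constructed samples: lines copied from the catchme, ComboFix, HijackThis and Dec 31 MBAM output above.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\win32x.sys 12544 bytes executable
c:\windows\system32\win32x.exe 26112 bytes executable
c:\windows\system32\userinit.exe 74240 bytes executable
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\win32x]
"ImagePath"="\??\c:\windows\system32\drivers\win32x.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilterNetman]
"ImagePath"="c:\windows\system32\wpv301229732492.cpx srv"
O23 - Service: HTTP SSL HTTPFilterNetman (HTTPFilterNetman) - Unknown owner - C:\WINDOWS\system32\wpv301229732492.cpx.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
"""
MBAM_SCAN = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot."""
```

Run it as `triage(parse(text))` over the concatenated logs, and as `recurring_detections([...])` over the per-scan detection lists in date order (the Dec 31 and Jan 1 scans above carry the same two items, so two copies of MBAM_SCAN reproduce them). On this thread's data it ranks the hidden userinit.exe and the win32x service backed by a hidden driver at the top; fix.bat removed HTTPFilterNetman and restored userinit.exe, but the Jan 2 catchme output still lists win32x.sys and win32x.exe as hidden, which is consistent with the same detections returning after every scan. After a restore from dllcache, confirm the live file with `fc /b c:\windows\system32\userinit.exe c:\windows\system32\dllcache\userinit.exe`, and bear in mind that the dllcache copy can be tampered with as well; a hash from a known-good installation of the same service pack is the stronger check.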

This topic is now closed to further replies.