Malware doctor


Post by Pokerking98 on Wed Jun 10, 2009 1:22 am

Hey, all. Uh, well, I have the kind of Malware Doctor that this person has. [You must be registered and logged in to see this link.] I have Malwarebytes Anti-Malware and it did not work. I tried full and quick scans. Well, I hope you guys can help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:26 PM, on 6/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\HiYo\bin\HiYo.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\WINDOWS\System32\avast!AVSControlService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Documents and Settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\NVT Malware Remover Tool\NVT Malware Remover Tool.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Chrome copyright - {AFF01325-0FC2-4749-8914-FBF0565AD9CC} - jbnmck.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: LiveInfoPro - {3E9D340B-D614-4854-AE06-4218201F6AAE} - C:\Program Files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [HiYo] C:\Program Files\HiYo\bin\HiYo.exe /RunFromStartup
O4 - HKLM\..\Run: [zzz_ImInstaller_HiYo] "C:\Documents and Settings\David's\Local Settings\Temp\ImInstaller\HiYo\HiYo_Install.exe" -startup -product HiYo -skip_dialog info -skip_dialog language -report -cluster 4
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\ma3ltaj8xv .exe
O4 - HKCU\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ma3ltaj8xv .exe
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\827269390.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-1074470393-2632276350-390648040-7770\service.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WeGame.lnk = C:\Program Files\WeGame\wegame.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Customize Menu - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Fill Forms - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [searching] Search from the Address bar
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: avast!AVSControlService - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 14468 bytes

Pokerking98
Intermediate
Posts: 77
Joined: 2009-06-10
OS: XP
Points: 27677
Likes: 0

Re: Malware doctor

Post by Origin on Wed Jun 10, 2009 1:45 am


  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Chrome copyright - {AFF01325-0FC2-4749-8914-FBF0565AD9CC} - jbnmck.dll (file missing)
    O4 - HKLM\..\Run: [HiYo] C:\Program Files\HiYo\bin\HiYo.exe /RunFromStartup
    O4 - HKLM\..\Run: [zzz_ImInstaller_HiYo] "C:\Documents and Settings\David's\Local Settings\Temp\ImInstaller\HiYo\HiYo_Install.exe" -startup -product HiYo -skip_dialog info -skip_dialog language -report -cluster 4
    O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
    O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
    O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\ma3ltaj8xv .exe
    O4 - HKCU\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ma3ltaj8xv .exe
    O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
    O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
    O4 - HKUS\.DEFAULT\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-1074470393-2632276350-390648040-7770\service.exe (User 'Default user')
    O4 - Global Startup: WeGame.lnk = C:\Program Files\WeGame\wegame.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe



  • Press "Fix Checked"
  • Close HijackThis.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename ComboFix to Combo-Fix as follows:

3. It is important you rename ComboFix during the download, but not after.
4. Please do not rename ComboFix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (anti-virus) before running ComboFix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV (McAfee).
  • Double-click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows XP SP3
Points: 31483
Likes: 0
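The entries Origin picked out above are not arbitrary: each one trips a trait that an experienced log reader learns to spot, such as an autorun that starts from TEMP, RECYCLER or a profile directory, a purely numeric or oddly spaced file name, a blank value name, a bare file name with no path, a browser proxy pointing at localhost, a policy that disables regedit, or a service whose binary carries characters like "!" that a real vendor would not use. The Python script below is an added example, not something posted in this thread or shipped with HijackThis; it encodes those traits as heuristics and runs them over a dozen lines copied from the posted log. The heuristics, their wording and the list of suspicious directories are my own assumptions. "Unknown owner" on its own is deliberately not used as a signal, because HijackThis reports it for legitimate Windows services (BITS, wuauserv) as well.

```python
import re

# Constructed sample: twelve lines copied from the HijackThis log posted in this
# thread, two of them benign for contrast. Not a complete log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: Chrome copyright - {AFF01325-0FC2-4749-8914-FBF0565AD9CC} - jbnmck.dll (file missing)
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\ma3ltaj8xv .exe
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\.DEFAULT\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-1074470393-2632276350-390648040-7770\service.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
"""

HJT_LINE = re.compile(r'^(?P<kind>[RFO]\d+) - (?P<body>.*)$')
O4_LINE = re.compile(r'^(?P<hive>.+?)\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)\s*$")
EXE_PREFIX = re.compile(r'^(.*?\.(?:exe|dll|tmp|bat|cmd|scr|com|pif|vbs))(?:\s|$)', re.I)

# Directories a legitimate installer rarely uses for a persistent autorun (my list).
SUSPICIOUS_DIRS = {
    '\\temp\\': 'a Temp directory',
    '\\recycler\\': 'the Recycle Bin (RECYCLER) tree',
    '\\application data\\': 'a profile Application Data directory',
}


def _target(cmd):
    """Extract the program path from an O4 command line (quoted or not)."""
    cmd = USER_SUFFIX.sub('', cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_PREFIX.match(cmd)  # unquoted paths may contain spaces; stop at the extension
    return m.group(1) if m else cmd.split(' ', 1)[0]


def _autorun_reasons(body):
    m = O4_LINE.match(body)
    if not m:
        return []  # Startup-folder O4 lines use a different shape; not handled here
    target = _target(m['cmd'])
    low = target.lower()
    fname = target.rsplit('\\', 1)[-1]
    stem = fname.rsplit('.', 1)[0]
    reasons = []
    if not m['name'].strip():
        reasons.append('blank autorun value name')
    if '\\' not in target:
        reasons.append('bare file name with no path (resolved through the search path)')
    for marker, desc in SUSPICIOUS_DIRS.items():
        if marker in low:
            reasons.append(f'starts from {desc}')
            break
    if '\\localservice\\' in low:
        reasons.append("lives in the LocalService account's profile")
    if stem.isdigit():
        reasons.append('purely numeric file name')
    if re.search(r'\s\.\w+$', fname):
        reasons.append('whitespace before the file extension')
    if low.endswith('.tmp'):
        reasons.append('a .tmp file registered as a program')
    return reasons


def triage_line(line):
    """Return the list of heuristics a single HijackThis line trips (empty if none)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    kind, body = m['kind'], m['body']
    low = body.lower()
    reasons = []
    if kind == 'R1' and 'proxyserver' in low and re.search(r'localhost|127\.0\.0\.1', low):
        reasons.append('browser proxy points back at this machine: something local intercepts web traffic')
    elif kind == 'O2' and '(file missing)' in low:
        reasons.append('BHO is registered but its DLL is gone (half-removed or name-rotating component)')
    elif kind == 'O4':
        reasons.extend(_autorun_reasons(body))
    elif kind == 'O7' and 'disableregedit=1' in low:
        reasons.append('Registry Editor disabled by policy, a common self-protection trick')
    elif kind == 'O23' and 'unknown owner' in low:
        fname = body.rsplit(' - ', 1)[-1].rsplit('\\', 1)[-1]
        if re.search(r'[^\w.\-]', fname):
            reasons.append('service from an unknown publisher with odd characters (e.g. "!") in its binary name')
    return reasons


def triage_log(text):
    """Return {line: [reasons]} for every line that tripped at least one heuristic."""
    hits = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            hits[line.strip()] = reasons
    return hits


if __name__ == '__main__':
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print('    ->', r)
```

Run it as a script to print the flagged lines with their reasons, or call triage_log() on the text of any HijackThis log. Treat the output as a review list, not a verdict: GoogleUpdate.exe legitimately lives under Local Settings\Application Data and is flagged by the profile-directory rule, and some vendors (Sigmatel's stsystra.exe in this very log) register a bare file name.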

Re: Malware doctor

Post by Pokerking98 on Wed Jun 10, 2009 2:27 am

The malware is still here.
Code:
ComboFix 09-06-09.06 - David's 06/09/2009 22:05.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.466 [GMT -4:00]
Running from: c:\documents and settings\David's\Desktop\Combo-Fix.exe
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\David's\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\LocalService\Application Data\1301700638.exe
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\documents and settings\LocalService\Application Data\755020800.exe
C:\install.exe
c:\program files\Internet Explorer\setupapi.dll
c:\program files\Mozilla Firefox\setupapi.dll
c:\windows\admintxt.txt
c:\windows\system\oeminfo.ini
c:\windows\system32\ak1.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\bszip.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\175de1d7.sys
c:\windows\system32\drivers\286cf3af.sys
c:\windows\system32\drivers\4f2007a5.sys
c:\windows\system32\drivers\qmvha.sys
c:\windows\system32\inqby.sr
c:\windows\system32\jbnmcd.dll
c:\windows\system32\jbnmck.dll
c:\windows\system32\loader49.exe
c:\windows\system32\obipewak.ini
c:\windows\system32\ofuyibuy.ini
c:\windows\system32\sft.res
c:\windows\system32\uniq.tll
C:\xcrashdump.dat

.
(((((((((((((((((((((((((((((((((((((((  Drivers/Services  )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS
-------\Service_avast!Antivirus


(((((((((((((((((((((((((  Files Created from 2009-05-10 to 2009-06-10  )))))))))))))))))))))))))))))))
.

2009-06-10 02:16 . 2009-06-10 02:17   99422   ----a-w-   c:\windows\system32\drivers\52106874.sys
2009-06-10 01:23 . 2009-06-10 02:17   99422   ----a-w-   c:\windows\system32\drivers\b30c2fcc.sys
2009-06-10 00:33 . 2009-06-10 00:33   --------   d-----w-   c:\program files\NVT Malware Remover Tool
2009-06-09 22:25 . 2009-06-10 02:17   99422   ----a-w-   c:\windows\system32\drivers\94ddfa21.sys
2009-06-09 22:22 . 2009-06-09 22:22   --------   d-----w-   c:\windows\system32\wbem\Repository
2009-06-09 22:21 . 2009-06-09 22:21   --------   d-----w-   c:\windows\system32\796525
2009-06-09 22:21 . 2009-06-09 22:21   --------   d-----w-   c:\documents and settings\David's\Application Data\ptidle
2009-06-09 19:05 . 2009-06-09 22:21   --------   d-----w-   c:\documents and settings\David's\Application Data\GetRightToGo
2009-06-09 02:46 . 2009-06-09 02:46   --------   d-----w-   c:\program files\GlobalInfection
2009-06-06 16:37 . 2009-06-06 16:37   56   ---ha-w-   c:\windows\system32\ezsidmv.dat
2009-06-06 16:37 . 2009-06-09 22:15   --------   d-----w-   c:\documents and settings\David's\Application Data\skypePM
2009-06-06 16:33 . 2009-06-10 02:17   --------   d-----w-   c:\documents and settings\David's\Application Data\Skype
2009-06-06 16:33 . 2009-06-06 16:33   --------   d-----w-   c:\program files\Common Files\Skype
2009-06-06 16:33 . 2009-06-06 16:33   --------   d-----r-   c:\program files\Skype
2009-06-06 16:33 . 2009-06-06 16:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype
2009-06-06 16:17 . 2009-06-10 01:52   --------   d-----w-   c:\documents and settings\David's\Local Settings\Application Data\TSVNCache
2009-06-06 16:17 . 2009-06-06 16:17   --------   d-----w-   c:\documents and settings\David's\Application Data\TortoiseSVN
2009-06-06 16:14 . 2009-06-06 16:14   --------   d-----w-   c:\program files\Common Files\TortoiseOverlays
2009-06-06 16:14 . 2009-06-06 16:14   --------   d-----w-   c:\program files\TortoiseSVN
2009-06-04 18:40 . 2009-06-04 18:40   1332528   ----a-w-   c:\documents and settings\David's\Application Data\WSS.exe
2009-06-04 01:34 . 2009-06-04 02:03   --------   d-----w-   c:\documents and settings\David's\workspace
2009-06-02 22:55 . 2009-06-02 22:55   --------   d-----w-   c:\program files\AutoIt3
2009-05-31 12:27 . 2009-05-27 21:46   779720   ----a-w-   c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-31 12:26 . 2009-05-26 21:31   58800   ----a-w-   c:\windows\system32\ijjiProcessRestarter.exe
2009-05-31 12:26 . 2009-05-13 00:48   710064   ----a-w-   c:\windows\system32\ijjiSetup.exe
2009-05-25 15:35 . 2009-05-25 15:39   --------   d-----w-   c:\program files\Incomplete
2009-05-24 02:55 . 2009-05-24 02:56   --------   d-----w-   c:\documents and settings\David's\Local Settings\Application Data\Google
2009-05-21 22:28 . 2009-05-21 22:28   --------   d-s---w-   c:\windows\system32\config\systemprofile\UserData
2009-05-21 01:39 . 2009-03-22 01:39   32   ----a-r-   c:\documents and settings\All Users\hash.dat

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 22:21 . 2006-04-07 21:59   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:59 . 2009-02-16 22:58   --------   d-----w-   c:\documents and settings\David's\Application Data\TeamViewer
2009-06-04 18:31 . 2009-02-24 20:43   --------   d-----w-   c:\program files\WeGame
2009-05-31 12:27 . 2009-03-02 14:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\IJJIGame
2009-05-31 03:56 . 2009-03-02 02:45   --------   d-----w-   c:\program files\DriftCity
2009-05-25 15:39 . 2008-09-23 19:07   --------   d-----w-   c:\documents and settings\David's\Application Data\LimeWire
2009-05-25 15:35 . 2008-09-23 19:07   --------   d-----w-   c:\program files\LimeWire
2009-05-02 13:55 . 2009-01-12 19:20   599560   ----a-w-   c:\documents and settings\David's\Application Data\HiYo\Data\hiyo_install.exe
2009-05-02 13:55 . 2008-09-29 22:08   --------   d-----w-   c:\program files\MSN Messenger
2009-04-20 01:33 . 2009-04-20 01:33   --------   d-----w-   c:\program files\Trend Micro
2009-04-20 01:17 . 2009-04-20 01:17   118784   ----a-w-   c:\windows\system32\sgc315j0e19g.dll
2009-04-20 01:17 . 2009-04-20 01:17   80191   ----a-w-   c:\windows\system32\qgc715j0e19g .exe
2009-04-20 00:57 . 2009-04-20 00:56   --------   d-----w-   c:\program files\iTunes
2009-04-20 00:57 . 2009-04-20 00:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-20 00:57 . 2009-04-20 00:57   --------   d-----w-   c:\program files\iPod
2009-04-20 00:57 . 2009-03-17 23:03   --------   d-----w-   c:\program files\Common Files\Apple
2009-04-20 00:51 . 2009-04-20 00:51   --------   d-----w-   c:\documents and settings\David's\Application Data\AVS4YOU
2009-04-20 00:51 . 2009-04-20 00:51   75048   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-20 00:50 . 2009-04-20 00:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:46   --------   d-----w-   c:\program files\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:48   --------   d-----w-   c:\program files\Common Files\AVSMedia
2009-04-06 19:32 . 2006-04-07 21:59   38496   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59   15504   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-03-28 11:48 . 2008-11-20 21:31   34   ----a-w-   c:\documents and settings\David's\jagex_runescape_preferences.dat
2009-03-28 00:54 . 2009-03-28 00:54   45056   ----a-r-   c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-03-28 00:54 . 2009-03-28 00:54   45056   ----a-r-   c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-03-28 00:54 . 2009-03-28 00:54   10134   ----a-r-   c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2009-03-19 20:32 . 2009-03-19 20:32   23400   ----a-w-   c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-17 20:24 . 2009-03-17 20:24   966808   ----a-w-   c:\documents and settings\David's\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000004.exe
2006-04-07 23:28 . 2006-04-07 23:28   308   ----a-w-   c:\program files\pkpwbdro.txt
2009-01-27 01:34 . 2009-01-27 01:34   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-23 00:55 . 2008-09-23 00:55   8   --sh--r-   c:\windows\system32\96E69B85F0.sys
2009-02-14 21:18 . 2009-02-14 20:54   80   --sh--r-   c:\windows\system32\F0859BE696.dll
2008-10-08 02:12 . 2008-10-08 02:12   56   --sh--r-   c:\windows\system32\F0859BE696.sys
2006-04-01 00:34 . 2006-01-01 00:34   86528   --sha-w-   c:\windows\system32\kenayiba.dll
2008-10-08 02:12 . 2008-09-23 00:55   4184   --sha-w-   c:\windows\system32\KGyGaAvL.sys
2006-03-31 04:01 . 1601-01-01 00:12   51712   --sha-w-   c:\windows\system32\kozibala.exe
2006-04-07 12:47 . 2006-01-07 12:47   51712   --sha-w-   c:\windows\system32\tepeliju.exe
2006-04-07 12:47 . 2006-01-07 12:47   86528   --sha-w-   c:\windows\system32\vuhodoji.dll
.

------- Sigcheck -------

[7] 2008-04-13 19:20   182656   1DF7F42665C94B825322FAE71721130D   c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
[-] 2006-04-01 16:00   212224   D100A615E6F577B399061320A682A037   c:\windows\system32\dllcache\ndis.sys
[-] 2006-04-01 16:00   212224   D100A615E6F577B399061320A682A037   c:\windows\system32\drivers\ndis.sys
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll


Last edited by Pokerking98 on Wed Jun 10, 2009 2:29 am; edited 1 time in total

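Reading the "Other Deletions" and "Files Created" sections of the ComboFix log above side by side shows why Pokerking98 reports the malware still present: ComboFix removed three drivers with eight-hex-digit names (175de1d7.sys, 286cf3af.sys, 4f2007a5.sys), and the same directory now lists three more with the same kind of name and an identical size of 99422 bytes (52106874.sys, b30c2fcc.sys, 94ddfa21.sys). Components that reappear under fresh random names with identical size point at a loader that regenerates them, which is exactly the case where deleting the files one by one does not end the infection. The Python script below is an added example, not part of the thread or of ComboFix; it parses those two sections, groups random-named files by directory and size, and reports any group of two or more, noting whether random-named files were also deleted from the same directory. The definition of "random-looking" (8 hex digits or a long run of decimal digits) and the grouping rule are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the "Files Created" and "Other Deletions"
# sections of the ComboFix log posted in this thread, not the complete log.
SAMPLE_CREATED = r"""
2009-06-10 02:16 . 2009-06-10 02:17   99422   ----a-w-   c:\windows\system32\drivers\52106874.sys
2009-06-10 01:23 . 2009-06-10 02:17   99422   ----a-w-   c:\windows\system32\drivers\b30c2fcc.sys
2009-06-10 00:33 . 2009-06-10 00:33   --------   d-----w-   c:\program files\NVT Malware Remover Tool
2009-06-09 22:25 . 2009-06-10 02:17   99422   ----a-w-   c:\windows\system32\drivers\94ddfa21.sys
2009-06-09 22:21 . 2009-06-09 22:21   --------   d-----w-   c:\windows\system32\796525
2009-06-04 18:40 . 2009-06-04 18:40   1332528   ----a-w-   c:\documents and settings\David's\Application Data\WSS.exe
2009-04-06 19:32 . 2006-04-07 21:59   38496   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
"""
SAMPLE_DELETED = r"""
c:\windows\system32\drivers\175de1d7.sys
c:\windows\system32\drivers\286cf3af.sys
c:\windows\system32\drivers\4f2007a5.sys
c:\windows\system32\drivers\qmvha.sys
c:\windows\system32\jbnmck.dll
"""

# ComboFix "Files Created" line: created . modified   size   attributes   path
CREATED_LINE = re.compile(
    r'^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)'
    r'\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$')
# "Random-looking" name: 8 hex digits (as in the posted log) or 6+ decimal digits.
# This is my assumption about what a meaningless generated name looks like.
RANDOM_STEM = re.compile(r'^(?:[0-9a-f]{8}|\d{6,})$', re.I)


def parse_created(text):
    """Parse 'Files Created' lines into dicts; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = CREATED_LINE.match(line.strip())
        if not m:
            continue
        size = int(m['size']) if m['size'].isdigit() else None  # '--------' for directories
        entries.append({'created': m['created'], 'size': size, 'path': m['path'].strip()})
    return entries


def parse_deleted(text):
    """'Other Deletions' is just one full path per line."""
    return [l.strip() for l in text.splitlines() if l.strip()]


def split_path(path):
    """Return (lower-cased directory, file stem without extension)."""
    directory, _, name = path.lower().rpartition('\\')
    return directory, name.rsplit('.', 1)[0]


def looks_random(path):
    return bool(RANDOM_STEM.match(split_path(path)[1]))


def find_regenerating(created, deleted):
    """Group random-named created files by (directory, size); report groups of 2+."""
    groups = defaultdict(list)
    for e in created:
        if e['size'] is not None and looks_random(e['path']):
            groups[(split_path(e['path'])[0], e['size'])].append(e['path'].lower())
    purged_dirs = {split_path(p)[0] for p in deleted if looks_random(p)}
    findings = []
    for (directory, size), paths in groups.items():
        if len(paths) >= 2:
            findings.append({
                'dir': directory,
                'size': size,
                'files': sorted(paths),
                'random_names_deleted_here': directory in purged_dirs,
            })
    return findings


if __name__ == '__main__':
    created = parse_created(SAMPLE_CREATED)
    for f in find_regenerating(created, parse_deleted(SAMPLE_DELETED)):
        print(f"{len(f['files'])} random-named files of {f['size']} bytes in {f['dir']}")
        print('  deleted random-named files in the same directory:', f['random_names_deleted_here'])
        for p in f['files']:
            print('  ', p)
```

A group that also has random-named deletions in the same directory is the strongest signal that a loader is still alive and re-dropping its components, and the next question is which process or driver writes them, rather than which files to delete next.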

Re: Malware doctor

Post by Pokerking98 on Wed Jun 10, 2009 2:28 am

Code:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26   80384   ----a-w-   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"Google Update"="c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-01 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\David's\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-30 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ     autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57716:TCP"= 57716:TCP:Pando Media Booster
"57716:UDP"= 57716:UDP:Pando Media Booster

Pokerking98
Intermediate
Posts : 77
Joined : 2009-06-10
OS : XP
Points : 27677
Likes : 0

Re: Malware doctor

Post by Pokerking98 on Wed Jun 10, 2009 2:29 am

Code:

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 avast!AVSControlService;avast!AVSControlService;c:\windows\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows\System32\avast!AVSControlService.exe -k netsvcs [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 3:44 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - avast!antivirus
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3358915607-2701528367-2638856898-1006.job
- c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 02:55]

2009-06-10 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DAVID-David's).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-01 22:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll
HKCU-Run-Malware Doctor - c:\documents and settings\LocalService\Application Data\1361538659.exe
HKLM-Run-Malware Doctor - c:\documents and settings\LocalService\Application Data\1361538659.exe


.
------- Supplementary Scan -------
.
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\David's\Application Data\Mozilla\Firefox\Profiles\l2fjyl7h.default\
FF - prefs.js: browser.search.selectedEngine - TheSearchButler
FF - prefs.js: browser.startup.homepage - hxxp://www.thesearchbutler.com/
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\David's\Application Data\Mozilla\Firefox\Profiles\l2fjyl7h.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\David's\Application Data\Mozilla\Firefox\Profiles\l2fjyl7h.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 22:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


c:\windows\system32\jbnmck.dll 29184 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\52106874]
"ImagePath"="\SystemRoot\System32\drivers\52106874.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
"ImagePath"="\SystemRoot\System32\drivers\94ddfa21.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]
"ImagePath"="\SystemRoot\System32\drivers\b30c2fcc.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\mvju.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@Class="REG_SZ"
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\jkshfuiehi.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\typelib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0]
@DACL=(02 0000)
@="796525 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(5772)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\AIM6\aolsoftware.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\1361538659.exe.virID
.
**************************************************************************
.
Completion time: 2009-06-10 22:23 - machine was rebooted
ComboFix-quarantined-files.txt  2009-06-10 02:23

Pre-Run: 28,072,583,168 bytes free
Post-Run: 30,407,159,808 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
383   --- E O F ---   2009-04-08 07:00


Re: Malware doctor

Post by Belahzur on Wed Jun 10, 2009 2:09 pm

Hello.

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
52106874
b30c2fcc
94ddfa21
avast!AVSControlService
npggsvc
Viewpoint Manager Service

File::
c:\windows\system32\drivers\52106874.sys
c:\windows\system32\drivers\b30c2fcc.sys
c:\windows\system32\drivers\94ddfa21.sys
c:\windows\system32\sgc315j0e19g.dll
c:\windows\system32\qgc715j0e19g .exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe

Folder::
c:\windows\system32\796525
c:\documents and settings\David's\Application Data\LimeWire
c:\program files\LimeWire

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\52106874]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]

Rootkit::
c:\windows\system32\jbnmck.dll

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1

Re: Malware doctor

Post by Pokerking98 on Wed Jun 10, 2009 7:01 pm

Before I go ahead with the procedure you gave me above, would a system restore fix my computer?


Re: Malware doctor

Post by Belahzur on Wed Jun 10, 2009 9:38 pm

No, system restore points would likely be infected.





Re: Malware doctor

Post by Pokerking98 on Wed Jun 10, 2009 9:50 pm

I am talking about a restore to factory settings. They have it built in on all Dells.


Re: Malware doctor

Post by Belahzur on Wed Jun 10, 2009 9:54 pm

Factory restore and system restore are two different things. Smile

A factory restore would work if you know how to do that.





Re: Malware doctor

Post by Pokerking98 on Wed Jun 10, 2009 10:02 pm

Ight, well I guess I will just do that then, I don't feel like dealing with malware and such. Is there anything that I should not save?


Re: Malware doctor

Post by Belahzur on Wed Jun 10, 2009 10:25 pm

Exe files mainly, who knows if they are infected.





Re: Malware doctor

Post by Pokerking98 on Wed Jun 10, 2009 10:26 pm

Aight. well thanks a bundle guys!


Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 1:05 am

Eh, sorry for the bump and everything, but uh, after restarting my computer for a second time I found no trace of the malware. I haven't restored it yet. Do you think it's just running in the background? All symptoms are gone, I have access to the task manager again. All seems to be well.


Re: Malware doctor

Post by Origin on Fri Jun 12, 2009 1:07 am

The above ComboFix log should have removed most of the malware, can you post the ComboFix log please.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31483
Likes : 0

Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 1:20 am

ComboFix 09-06-09.06 - David's 06/09/2009 22:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.466 [GMT -4:00]
Running from: c:\documents and settings\David's\Desktop\Combo-Fix.exe
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\David's\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\LocalService\Application Data\1301700638.exe
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\documents and settings\LocalService\Application Data\755020800.exe
C:\install.exe
c:\program files\Internet Explorer\setupapi.dll
c:\program files\Mozilla Firefox\setupapi.dll
c:\windows\admintxt.txt
c:\windows\system\oeminfo.ini
c:\windows\system32\ak1.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\bszip.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\175de1d7.sys
c:\windows\system32\drivers\286cf3af.sys
c:\windows\system32\drivers\4f2007a5.sys
c:\windows\system32\drivers\qmvha.sys
c:\windows\system32\inqby.sr
c:\windows\system32\jbnmcd.dll
c:\windows\system32\jbnmck.dll
c:\windows\system32\loader49.exe
c:\windows\system32\obipewak.ini
c:\windows\system32\ofuyibuy.ini
c:\windows\system32\sft.res
c:\windows\system32\uniq.tll
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS
-------\Service_avast!Antivirus


((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-10 02:16 . 2009-06-10 02:17 99422 ----a-w- c:\windows\system32\drivers\52106874.sys
2009-06-10 01:23 . 2009-06-10 02:17 99422 ----a-w- c:\windows\system32\drivers\b30c2fcc.sys
2009-06-10 00:33 . 2009-06-10 00:33 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-06-09 22:25 . 2009-06-10 02:17 99422 ----a-w- c:\windows\system32\drivers\94ddfa21.sys
2009-06-09 22:22 . 2009-06-09 22:22 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\windows\system32\796525
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\ptidle
2009-06-09 19:05 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\GetRightToGo
2009-06-09 02:46 . 2009-06-09 02:46 -------- d-----w- c:\program files\GlobalInfection
2009-06-06 16:37 . 2009-06-06 16:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-06 16:37 . 2009-06-09 22:15 -------- d-----w- c:\documents and settings\David's\Application Data\skypePM
2009-06-06 16:33 . 2009-06-10 02:17 -------- d-----w- c:\documents and settings\David's\Application Data\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\program files\Common Files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----r- c:\program files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-06 16:17 . 2009-06-10 01:52 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\TSVNCache
2009-06-06 16:17 . 2009-06-06 16:17 -------- d-----w- c:\documents and settings\David's\Application Data\TortoiseSVN
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\TortoiseSVN
2009-06-04 18:40 . 2009-06-04 18:40 1332528 ----a-w- c:\documents and settings\David's\Application Data\WSS.exe
2009-06-04 01:34 . 2009-06-04 02:03 -------- d-----w- c:\documents and settings\David's\workspace
2009-06-02 22:55 . 2009-06-02 22:55 -------- d-----w- c:\program files\AutoIt3
2009-05-31 12:27 . 2009-05-27 21:46 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-31 12:26 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-31 12:26 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-25 15:35 . 2009-05-25 15:39 -------- d-----w- c:\program files\Incomplete
2009-05-24 02:55 . 2009-05-24 02:56 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\Google
2009-05-21 22:28 . 2009-05-21 22:28 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-21 01:39 . 2009-03-22 01:39 32 ----a-r- c:\documents and settings\All Users\hash.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 22:21 . 2006-04-07 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:59 . 2009-02-16 22:58 -------- d-----w- c:\documents and settings\David's\Application Data\TeamViewer
2009-06-04 18:31 . 2009-02-24 20:43 -------- d-----w- c:\program files\WeGame
2009-05-31 12:27 . 2009-03-02 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-05-31 03:56 . 2009-03-02 02:45 -------- d-----w- c:\program files\DriftCity
2009-05-25 15:39 . 2008-09-23 19:07 -------- d-----w- c:\documents and settings\David's\Application Data\LimeWire
2009-05-25 15:35 . 2008-09-23 19:07 -------- d-----w- c:\program files\LimeWire
2009-05-02 13:55 . 2009-01-12 19:20 599560 ----a-w- c:\documents and settings\David's\Application Data\HiYo\Data\hiyo_install.exe
2009-05-02 13:55 . 2008-09-29 22:08 -------- d-----w- c:\program files\MSN Messenger
2009-04-20 01:33 . 2009-04-20 01:33 -------- d-----w- c:\program files\Trend Micro
2009-04-20 01:17 . 2009-04-20 01:17 118784 ----a-w- c:\windows\system32\sgc315j0e19g.dll
2009-04-20 01:17 . 2009-04-20 01:17 80191 ----a-w- c:\windows\system32\qgc715j0e19g .exe
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\program files\iTunes
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-20 00:57 . 2009-04-20 00:57 -------- d-----w- c:\program files\iPod
2009-04-20 00:57 . 2009-03-17 23:03 -------- d-----w- c:\program files\Common Files\Apple
2009-04-20 00:51 . 2009-04-20 00:51 -------- d-----w- c:\documents and settings\David's\Application Data\AVS4YOU
2009-04-20 00:51 . 2009-04-20 00:51 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-20 00:50 . 2009-04-20 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:46 -------- d-----w- c:\program files\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:48 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-04-06 19:32 . 2006-04-07 21:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-28 11:48 . 2008-11-20 21:31 34 ----a-w- c:\documents and settings\David's\jagex_runescape_preferences.dat
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-03-28 00:54 . 2009-03-28 00:54 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-17 20:24 . 2009-03-17 20:24 966808 ----a-w- c:\documents and settings\David's\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000004.exe
2006-04-07 23:28 . 2006-04-07 23:28 308 ----a-w- c:\program files\pkpwbdro.txt
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-23 00:55 . 2008-09-23 00:55 8 --sh--r- c:\windows\system32\96E69B85F0.sys
2009-02-14 21:18 . 2009-02-14 20:54 80 --sh--r- c:\windows\system32\F0859BE696.dll
2008-10-08 02:12 . 2008-10-08 02:12 56 --sh--r- c:\windows\system32\F0859BE696.sys
2006-04-01 00:34 . 2006-01-01 00:34 86528 --sha-w- c:\windows\system32\kenayiba.dll
2008-10-08 02:12 . 2008-09-23 00:55 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2006-03-31 04:01 . 1601-01-01 00:12 51712 --sha-w- c:\windows\system32\kozibala.exe
2006-04-07 12:47 . 2006-01-07 12:47 51712 --sha-w- c:\windows\system32\tepeliju.exe
2006-04-07 12:47 . 2006-01-07 12:47 86528 --sha-w- c:\windows\system32\vuhodoji.dll
.

------- Sigcheck -------

[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
[-] 2006-04-01 16:00 212224 D100A615E6F577B399061320A682A037 c:\windows\system32\dllcache\ndis.sys
[-] 2006-04-01 16:00 212224 D100A615E6F577B399061320A682A037 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

Pokerking98
Intermediate
Intermediate

Posts Posts : 77
Joined Joined : 2009-06-10
OS OS : XP
Points Points : 27677
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 1:21 am

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"Google Update"="c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-01 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\David's\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-30 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57716:TCP"= 57716:TCP:Pando Media Booster
"57716:UDP"= 57716:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 avast!AVSControlService;avast!AVSControlService;c:\windows\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows\System32\avast!AVSControlService.exe -k netsvcs [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 3:44 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - avast!antivirus
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3358915607-2701528367-2638856898-1006.job
- c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 02:55]

2009-06-10 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DAVID-David's).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-01 22:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll
HKCU-Run-Malware Doctor - c:\documents and settings\LocalService\Application Data\1361538659.exe
HKLM-Run-Malware Doctor - c:\documents and settings\LocalService\Application Data\1361538659.exe


.
------- Supplementary Scan -------
.
IE: Customize Menu - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\David's\Application Data\Mozilla\Firefox\Profiles\l2fjyl7h.default\
FF - prefs.js: browser.search.selectedEngine - TheSearchButler
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\David's\Application Data\Mozilla\Firefox\Profiles\l2fjyl7h.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\David's\Application Data\Mozilla\Firefox\Profiles\l2fjyl7h.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-09 22:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\jbnmck.dll 29184 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\52106874]
"ImagePath"="\SystemRoot\System32\drivers\52106874.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
"ImagePath"="\SystemRoot\System32\drivers\94ddfa21.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]
"ImagePath"="\SystemRoot\System32\drivers\b30c2fcc.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\mvju.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@Class="REG_SZ"
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\jkshfuiehi.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\typelib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0]
@DACL=(02 0000)
@="796525 1.0 Type Library"
.

Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 1:21 am

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(5772)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\AIM6\aolsoftware.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\1361538659.exe.virID
.
**************************************************************************
.
Completion time: 2009-06-10 22:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-10 02:23

Pre-Run: 28,072,583,168 bytes free
Post-Run: 30,407,159,808 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
383 --- E O F --- 2009-04-08 07:00

Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 2:07 am

Shit, it's back again. It just popped up and disabled my task manager again.

Re: Malware doctor

Post by Origin on Fri Jun 12, 2009 2:24 am

Can you post a new HijackThis log?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 2:28 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:45 PM, on 6/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\avast!AVSControlService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: LiveInfoPro - {3E9D340B-D614-4854-AE06-4218201F6AAE} - C:\Program Files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Customize Menu - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Fill Forms - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - [You must be registered and logged in to see this link.] Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [searching] Search from the Address bar
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: avast!AVSControlService - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: pevsystemstart - Unknown owner - cmd /k start /i "/dC:" "C:\Combo-Fix\HIDEC.exe" "C:\WINDOWS\system32\CF24473.exe" /c RD /S/Q \$RECYCLE.bin \RECYCLER \RECYCLED (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 13481 bytes

Pokerking98
Intermediate

Posts : 77
Joined : 2009-06-10
OS : XP
Points : 27677
Likes : 0

Re: Malware doctor

Post by Origin on Fri Jun 12, 2009 2:31 am


  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
    O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe



  • Press "Fix Checked"
  • Close Hijack This.





Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31483
Likes : 0

Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 2:44 am

Code:
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

6/11/2009 10:43:41 PM
mbam-log-2009-06-11 (22-43-41).txt

Scan type: Quick Scan
Objects scanned: 81340
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\setupapi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.


Re: Malware doctor

Post by Origin on Fri Jun 12, 2009 2:46 am


1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV. (McAfee)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.



Re: Malware doctor

Post by Belahzur on Fri Jun 12, 2009 8:52 am

Oh wow, what a mess. Can you handle this, Origin? These spam bot rootkits don't like to die easily.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1

Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 10:54 am

ComboFix 09-06-11.06 - David's 06/11/2009 23:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.357 [GMT -4:00]
Running from: c:\documents and settings\David's\Desktop\Combo-Fix.exe
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\1301700638.exe
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\documents and settings\LocalService\Application Data\755020800.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\drivers\52106874.sys
c:\windows\system32\jbnmcd.dll
c:\windows\system32\jbnmck.dll

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_avast!antivirus
-------\Legacy_avast!AVSControlService
-------\Service_avast!AVSControlService


((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 01:57 . 2009-06-12 03:20 99422 ----a-w- c:\windows\system32\drivers\62a4ad86.sys
2009-06-10 01:23 . 2009-06-12 03:20 99422 ----a-w- c:\windows\system32\drivers\b30c2fcc.sys
2009-06-10 00:33 . 2009-06-10 00:33 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-06-09 22:25 . 2009-06-12 03:20 99422 ----a-w- c:\windows\system32\drivers\94ddfa21.sys
2009-06-09 22:22 . 2009-06-09 22:22 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\windows\system32\796525
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\ptidle
2009-06-09 19:05 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\GetRightToGo
2009-06-09 02:46 . 2009-06-09 02:46 -------- d-----w- c:\program files\GlobalInfection
2009-06-06 16:37 . 2009-06-06 16:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-06 16:37 . 2009-06-12 00:57 -------- d-----w- c:\documents and settings\David's\Application Data\skypePM
2009-06-06 16:33 . 2009-06-12 03:19 -------- d-----w- c:\documents and settings\David's\Application Data\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\program files\Common Files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----r- c:\program files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-06 16:17 . 2009-06-12 02:47 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\TSVNCache
2009-06-06 16:17 . 2009-06-06 16:17 -------- d-----w- c:\documents and settings\David's\Application Data\TortoiseSVN
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\TortoiseSVN
2009-06-04 18:40 . 2009-06-04 18:40 1332528 ----a-w- c:\documents and settings\David's\Application Data\WSS.exe
2009-06-04 01:34 . 2009-06-04 02:03 -------- d-----w- c:\documents and settings\David's\workspace
2009-06-02 22:55 . 2009-06-02 22:55 -------- d-----w- c:\program files\AutoIt3
2009-05-31 12:27 . 2009-05-27 21:46 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-31 12:26 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-31 12:26 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-25 15:35 . 2009-05-25 15:39 -------- d-----w- c:\program files\Incomplete
2009-05-24 02:55 . 2009-05-24 02:56 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\Google
2009-05-21 22:28 . 2009-05-21 22:28 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-21 01:39 . 2009-03-22 01:39 32 ----a-r- c:\documents and settings\All Users\hash.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 03:08 . 2008-04-14 06:50 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-12 01:00 . 2009-06-12 02:02 58880 ----a-w- c:\windows\system32\48.tmp
2009-06-10 20:04 . 2008-12-27 21:27 -------- d-----w- c:\documents and settings\David's\Application Data\FileZilla
2009-06-09 22:21 . 2006-04-07 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:59 . 2009-02-16 22:58 -------- d-----w- c:\documents and settings\David's\Application Data\TeamViewer
2009-06-04 18:31 . 2009-02-24 20:43 -------- d-----w- c:\program files\WeGame
2009-05-31 12:27 . 2009-03-02 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-05-31 03:56 . 2009-03-02 02:45 -------- d-----w- c:\program files\DriftCity
2009-05-25 15:39 . 2008-09-23 19:07 -------- d-----w- c:\documents and settings\David's\Application Data\LimeWire
2009-05-25 15:35 . 2008-09-23 19:07 -------- d-----w- c:\program files\LimeWire
2009-05-02 13:55 . 2009-01-12 19:20 599560 ----a-w- c:\documents and settings\David's\Application Data\HiYo\Data\hiyo_install.exe
2009-05-02 13:55 . 2008-09-29 22:08 -------- d-----w- c:\program files\MSN Messenger
2009-04-20 01:33 . 2009-04-20 01:33 -------- d-----w- c:\program files\Trend Micro
2009-04-20 01:17 . 2009-04-20 01:17 118784 ----a-w- c:\windows\system32\sgc315j0e19g.dll
2009-04-20 01:17 . 2009-04-20 01:17 80191 ----a-w- c:\windows\system32\qgc715j0e19g .exe
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\program files\iTunes
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-20 00:57 . 2009-04-20 00:57 -------- d-----w- c:\program files\iPod
2009-04-20 00:57 . 2009-03-17 23:03 -------- d-----w- c:\program files\Common Files\Apple
2009-04-20 00:51 . 2009-04-20 00:51 -------- d-----w- c:\documents and settings\David's\Application Data\AVS4YOU
2009-04-20 00:51 . 2009-04-20 00:51 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-20 00:50 . 2009-04-20 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:46 -------- d-----w- c:\program files\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:48 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-04-06 19:32 . 2006-04-07 21:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-28 11:48 . 2008-11-20 21:31 34 ----a-w- c:\documents and settings\David's\jagex_runescape_preferences.dat
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-03-28 00:54 . 2009-03-28 00:54 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-17 20:24 . 2009-03-17 20:24 966808 ----a-w- c:\documents and settings\David's\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000004.exe
2006-04-07 23:28 . 2006-04-07 23:28 308 ----a-w- c:\program files\pkpwbdro.txt
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-23 00:55 . 2008-09-23 00:55 8 --sh--r- c:\windows\system32\96E69B85F0.sys
2009-02-14 21:18 . 2009-02-14 20:54 80 --sh--r- c:\windows\system32\F0859BE696.dll
2008-10-08 02:12 . 2008-10-08 02:12 56 --sh--r- c:\windows\system32\F0859BE696.sys
2006-04-01 00:34 . 2006-01-01 00:34 86528 --sha-w- c:\windows\system32\kenayiba.dll
2008-10-08 02:12 . 2008-09-23 00:55 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2006-03-31 04:01 . 1601-01-01 00:12 51712 --sha-w- c:\windows\system32\kozibala.exe
2006-04-07 12:47 . 2006-01-07 12:47 51712 --sha-w- c:\windows\system32\tepeliju.exe
2006-04-07 12:47 . 2006-01-07 12:47 86528 --sha-w- c:\windows\system32\vuhodoji.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
jbnmck.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"Google Update"="c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]


Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 10:55 am

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-01 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\David's\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-30 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57716:TCP"= 57716:TCP:Pando Media Booster
"57716:UDP"= 57716:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 3:44 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3358915607-2701528367-2638856898-1006.job
- c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 02:55]

2009-06-12 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DAVID-David's).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-01 22:18]
.
.
------- Supplementary Scan -------
.
IE: Customize Menu - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-11 23:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\62a4ad86]
"ImagePath"="\SystemRoot\System32\drivers\62a4ad86.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
"ImagePath"="\SystemRoot\System32\drivers\94ddfa21.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]
"ImagePath"="\SystemRoot\System32\drivers\b30c2fcc.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\mvju.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@Class="REG_SZ"
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\jkshfuiehi.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\typelib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0]
@DACL=(02 0000)
@="796525 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1136)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\system32\CF8751.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\AIM6\aolsoftware.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-12 23:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 03:24
ComboFix2.txt 2009-06-10 02:23

Pre-Run: 30,128,640,000 bytes free
Post-Run: 30,124,294,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
350 --- E O F --- 2009-04-08 07:00


Re: Malware doctor

Post by Belahzur on Fri Jun 12, 2009 10:59 am

Hello.
I will step in here and finish it off, let's get these rootkits off the system.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
npggsvc
62a4ad86
b30c2fcc
94ddfa21

File::
c:\windows\system32\drivers\62a4ad86.sys
c:\windows\system32\drivers\b30c2fcc.sys
c:\windows\system32\drivers\94ddfa21.sys
c:\windows\system32\48.tmp
c:\windows\system32\sgc315j0e19g.dll
c:\windows\system32\qgc715j0e19g .exe

Rootkit::
c:\windows\system32\drivers\62a4ad86.sys
c:\windows\system32\drivers\b30c2fcc.sys
c:\windows\system32\drivers\94ddfa21.sys

Folder::
c:\program files\LimeWire
c:\windows\system32\796525

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\62a4ad86]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 7:16 pm

ComboFix 09-06-12.01 - David's 06/12/2009 15:02.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.403 [GMT -4:00]
Running from: c:\documents and settings\David's\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\David's\Desktop\CFScript.txt
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\setupapi.dll
c:\program files\Mozilla Firefox\setupapi.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 01:57 . 2009-06-12 19:09 99422 ----a-w- c:\windows\system32\drivers\62a4ad86.sys
2009-06-10 01:23 . 2009-06-12 19:09 99422 ----a-w- c:\windows\system32\drivers\b30c2fcc.sys
2009-06-10 00:33 . 2009-06-10 00:33 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-06-09 22:25 . 2009-06-12 19:09 99422 ----a-w- c:\windows\system32\drivers\94ddfa21.sys
2009-06-09 22:22 . 2009-06-09 22:22 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\windows\system32\796525
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\ptidle
2009-06-09 19:05 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\GetRightToGo
2009-06-09 02:46 . 2009-06-09 02:46 -------- d-----w- c:\program files\GlobalInfection
2009-06-06 16:37 . 2009-06-06 16:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-06 16:37 . 2009-06-12 19:09 -------- d-----w- c:\documents and settings\David's\Application Data\skypePM
2009-06-06 16:33 . 2009-06-12 18:29 -------- d-----w- c:\documents and settings\David's\Application Data\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\program files\Common Files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----r- c:\program files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-06 16:17 . 2009-06-12 03:19 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\TSVNCache
2009-06-06 16:17 . 2009-06-06 16:17 -------- d-----w- c:\documents and settings\David's\Application Data\TortoiseSVN
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\TortoiseSVN
2009-06-04 18:40 . 2009-06-04 18:40 1332528 ----a-w- c:\documents and settings\David's\Application Data\WSS.exe
2009-06-04 01:34 . 2009-06-04 02:03 -------- d-----w- c:\documents and settings\David's\workspace
2009-06-02 22:55 . 2009-06-02 22:55 -------- d-----w- c:\program files\AutoIt3
2009-05-31 12:27 . 2009-05-27 21:46 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-31 12:26 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-31 12:26 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-25 15:35 . 2009-05-25 15:39 -------- d-----w- c:\program files\Incomplete
2009-05-24 02:55 . 2009-05-24 02:56 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\Google
2009-05-21 22:28 . 2009-05-21 22:28 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-21 01:39 . 2009-03-22 01:39 32 ----a-r- c:\documents and settings\All Users\hash.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 03:08 . 2008-04-14 06:50 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-12 01:00 . 2009-06-12 02:02 58880 ----a-w- c:\windows\system32\48.tmp
2009-06-10 20:04 . 2008-12-27 21:27 -------- d-----w- c:\documents and settings\David's\Application Data\FileZilla
2009-06-09 22:21 . 2006-04-07 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:59 . 2009-02-16 22:58 -------- d-----w- c:\documents and settings\David's\Application Data\TeamViewer
2009-06-04 18:31 . 2009-02-24 20:43 -------- d-----w- c:\program files\WeGame
2009-05-31 12:27 . 2009-03-02 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-05-31 03:56 . 2009-03-02 02:45 -------- d-----w- c:\program files\DriftCity
2009-05-25 15:39 . 2008-09-23 19:07 -------- d-----w- c:\documents and settings\David's\Application Data\LimeWire
2009-05-25 15:35 . 2008-09-23 19:07 -------- d-----w- c:\program files\LimeWire
2009-05-02 13:55 . 2009-01-12 19:20 599560 ----a-w- c:\documents and settings\David's\Application Data\HiYo\Data\hiyo_install.exe
2009-05-02 13:55 . 2008-09-29 22:08 -------- d-----w- c:\program files\MSN Messenger
2009-04-20 01:33 . 2009-04-20 01:33 -------- d-----w- c:\program files\Trend Micro
2009-04-20 01:17 . 2009-04-20 01:17 118784 ----a-w- c:\windows\system32\sgc315j0e19g.dll
2009-04-20 01:17 . 2009-04-20 01:17 80191 ----a-w- c:\windows\system32\qgc715j0e19g .exe
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\program files\iTunes
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-20 00:57 . 2009-04-20 00:57 -------- d-----w- c:\program files\iPod
2009-04-20 00:57 . 2009-03-17 23:03 -------- d-----w- c:\program files\Common Files\Apple
2009-04-20 00:51 . 2009-04-20 00:51 -------- d-----w- c:\documents and settings\David's\Application Data\AVS4YOU
2009-04-20 00:51 . 2009-04-20 00:51 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-20 00:50 . 2009-04-20 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:46 -------- d-----w- c:\program files\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:48 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-04-06 19:32 . 2006-04-07 21:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-28 11:48 . 2008-11-20 21:31 34 ----a-w- c:\documents and settings\David's\jagex_runescape_preferences.dat
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-03-28 00:54 . 2009-03-28 00:54 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-17 20:24 . 2009-03-17 20:24 966808 ----a-w- c:\documents and settings\David's\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000004.exe
2006-04-07 23:28 . 2006-04-07 23:28 308 ----a-w- c:\program files\pkpwbdro.txt
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-23 00:55 . 2008-09-23 00:55 8 --sh--r- c:\windows\system32\96E69B85F0.sys
2009-02-14 21:18 . 2009-02-14 20:54 80 --sh--r- c:\windows\system32\F0859BE696.dll
2008-10-08 02:12 . 2008-10-08 02:12 56 --sh--r- c:\windows\system32\F0859BE696.sys
2006-04-01 00:34 . 2006-01-01 00:34 86528 --sha-w- c:\windows\system32\kenayiba.dll
2008-10-08 02:12 . 2008-09-23 00:55 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2006-03-31 04:01 . 1601-01-01 00:12 51712 --sha-w- c:\windows\system32\kozibala.exe
2006-04-07 12:47 . 2006-01-07 12:47 51712 --sha-w- c:\windows\system32\tepeliju.exe
2006-04-07 12:47 . 2006-01-07 12:47 86528 --sha-w- c:\windows\system32\vuhodoji.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-12 19:08 . 2009-06-12 19:08 16384 c:\windows\temp\Perflib_Perfdata_304.dat
+ 2009-06-12 19:01 . 2009-06-12 19:01 389120 c:\windows\system32\CF1958.exe
.

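The three identically sized, randomly named drivers in the listing above (and the system+hidden files in the Find3M section) are exactly what the helper's CFScript targets. The following Python triage script is an added example, not from the thread or from ComboFix: it parses listing lines in the format shown and flags those patterns without touching the files. The field layout (created . last-write size attrs path) and the attribute-flag positions are assumptions read off the log format; the sample lines are constructed from entries in the log above.

```python
"""Triage a ComboFix file listing for rootkit-style artefacts (added example)."""
import re
from collections import defaultdict

# Assumed layout of one listing line, as seen in the logs in this thread:
#   <created> . <last-write> <size or dashes> <attribute flags> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<written>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>\S.*)$"
)
# Driver basename that is nothing but eight hex digits, e.g. 62a4ad86.sys
RANDOM_HEX_SYS = re.compile(r"^[0-9a-f]{8}\.sys$")

# Constructed sample: entries taken from the log above plus benign lines
# (the Malwarebytes drivers and a directory) that must not be flagged.
SAMPLE_LISTING = r"""
((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.
2009-06-12 01:57 . 2009-06-12 19:09 99422 ----a-w- c:\windows\system32\drivers\62a4ad86.sys
2009-06-10 01:23 . 2009-06-12 19:09 99422 ----a-w- c:\windows\system32\drivers\b30c2fcc.sys
2009-06-10 00:33 . 2009-06-10 00:33 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-06-09 22:25 . 2009-06-12 19:09 99422 ----a-w- c:\windows\system32\drivers\94ddfa21.sys
2009-04-06 19:32 . 2006-04-07 21:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-09-23 00:55 . 2008-09-23 00:55 8 --sh--r- c:\windows\system32\96E69B85F0.sys
2006-03-31 04:01 . 1601-01-01 00:12 51712 --sha-w- c:\windows\system32\kozibala.exe
"""


def parse_listing(text):
    """Return one dict per recognised listing line; headers and dots are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append({
            "created": m["created"],
            "written": m["written"],
            "size": size,
            "attrs": m["attrs"],
            "path": m["path"].lower(),
        })
    return entries


def flag_entries(entries):
    """Map each suspicious path to the list of reasons it was flagged."""
    reasons = defaultdict(list)
    # Drivers grouped by (size, last-write): one payload dropped under several
    # random names shows up as one cluster with several members.
    clusters = defaultdict(list)

    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        in_drivers = "\\system32\\drivers\\" in e["path"]
        if in_drivers and RANDOM_HEX_SYS.match(name):
            reasons[e["path"]].append("random hex driver name")
        if in_drivers and e["size"] is not None:
            clusters[(e["size"], e["written"])].append(e["path"])
        # Assumed attribute layout: d ? s h a ? w/r ?  (index 2 system, 3 hidden)
        if e["attrs"][2] == "s" and e["attrs"][3] == "h" and "\\system32\\" in e["path"]:
            reasons[e["path"]].append("system+hidden in system32")
        # A last-write time before any plausible install date is a stomped timestamp.
        if e["written"] < "1980":
            reasons[e["path"]].append("impossible last-write timestamp")

    for (size, written), paths in clusters.items():
        if len(paths) > 1:
            for p in paths:
                reasons[p].append(
                    f"{len(paths)} drivers share size {size} and write time {written}"
                )
    return dict(reasons)


def triage(text):
    """Parse a listing and return {path: [reasons]} for the flagged entries only."""
    return flag_entries(parse_listing(text))


if __name__ == "__main__":
    for path, why in sorted(triage(SAMPLE_LISTING).items()):
        print(path)
        for reason in why:
            print("   -", reason)
```

Flagged entries are candidates for review, not an automatic delete list; the legitimate drivers in the sample pass untouched because they share neither a random name nor a size/time cluster.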

Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 7:16 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
jbnmck.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"Google Update"="c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-01 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\David's\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]


c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-30 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57716:TCP"= 57716:TCP:Pando Media Booster
"57716:UDP"= 57716:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 3:44 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3358915607-2701528367-2638856898-1006.job
- c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 02:55]

2009-06-12 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DAVID-David's).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-01 22:18]
.
.


Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 7:16 pm

------- Supplementary Scan -------
.
IE: Customize Menu - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-12 15:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\62a4ad86]
"ImagePath"="\SystemRoot\System32\drivers\62a4ad86.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
"ImagePath"="\SystemRoot\System32\drivers\94ddfa21.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]
"ImagePath"="\SystemRoot\System32\drivers\b30c2fcc.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\mvju.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@Class="REG_SZ"
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\jkshfuiehi.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\typelib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0]
@DACL=(02 0000)
@="796525 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2208)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\system32\CF1958.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-12 15:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 19:13
ComboFix2.txt 2009-06-12 03:24
ComboFix3.txt 2009-06-10 02:23

Pre-Run: 30,148,493,312 bytes free
Post-Run: 30,135,545,856 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
335 --- E O F --- 2009-04-08 07:00


Re: Malware doctor

Post by Belahzur on Fri Jun 12, 2009 7:38 pm

Hello.
That didn't work, did you copy and paste EVERYTHING inside Notepad?

To me, it looks like you might have left it blank, or missed File:: maybe.




Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 7:52 pm

Yeah, I copied everything. I even double checked.


Re: Malware doctor

Post by Belahzur on Fri Jun 12, 2009 7:58 pm

Hello.
This machine is badly infected. Try running the script again, but do it from safe mode.




Re: Malware doctor

Post by Pokerking98 on Sat Jun 20, 2009 6:37 pm

ComboFix 09-06-19.01 - David's 06/20/2009 14:15.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.693 [GMT -4:00]
Running from: c:\documents and settings\David's\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\David's\Desktop\cfscript.txt
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\48.tmp"
"c:\windows\system32\drivers\62a4ad86.sys"
"c:\windows\system32\drivers\94ddfa21.sys"
"c:\windows\system32\drivers\b30c2fcc.sys"
"c:\windows\system32\qgc715j0e19g .exe"
"c:\windows\system32\sgc315j0e19g.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dtmb.exe
c:\program files\LimeWire
c:\windows\system32\796525
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\program files\Internet Explorer\setupapi.dll
c:\program files\LimeWire\COPYING
c:\program files\LimeWire\data.ser
c:\program files\LimeWire\inspection.props
c:\program files\LimeWire\install.log
c:\program files\LimeWire\language.prop
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-httpclient.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-net.jar
c:\program files\LimeWire\lib\commons-pool.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\forms.jar
c:\program files\LimeWire\lib\foxtrot.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\guice-1.0.jar
c:\program files\LimeWire\lib\hashes
c:\program files\LimeWire\lib\httpcore-nio.jar
c:\program files\LimeWire\lib\httpcore.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\id3v2.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\LimeWire.ico
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\log4j.properties
c:\program files\LimeWire\lib\looks.jar
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\ProgressTabs.jar
c:\program files\LimeWire\lib\swt.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\SystemUtilitiesA.dll
c:\program files\LimeWire\lib\themes.jar
c:\program files\LimeWire\lib\tray.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire On Startup.lnk
c:\program files\LimeWire\LimeWire.exe
c:\program files\LimeWire\LimeWire.ico
c:\program files\LimeWire\pmf.ico
c:\program files\LimeWire\root\magnet10\badge.img
c:\program files\LimeWire\root\magnet10\canHandle.img
c:\program files\LimeWire\root\magnet10\limewire.gif
c:\program files\LimeWire\root\magnet10\options.js
c:\program files\LimeWire\root\magnet10\silentdetect.js
c:\program files\LimeWire\SOURCE
c:\program files\LimeWire\spacer.gif
c:\program files\LimeWire\uninstall.exe
c:\program files\Mozilla Firefox\setupapi.dll
c:\windows\system32\48.tmp
c:\windows\system32\drivers\62a4ad86.sys
c:\windows\system32\drivers\94ddfa21.sys
c:\windows\system32\drivers\b30c2fcc.sys
c:\windows\system32\qgc715j0e19g .exe
c:\windows\system32\sgc315j0e19g.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-06-18 16:16 . 2009-01-28 18:47 157144 ----a-w- c:\windows\system32\PubPlugin.dll
2009-06-18 04:04 . 2009-06-18 04:04 33982 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{58344DA3-BE43-4B4F-8BF7-7DE69A9CBB77}\_82E9268439A85DF7929CB5.exe
2009-06-18 04:04 . 2009-06-18 04:04 33982 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{58344DA3-BE43-4B4F-8BF7-7DE69A9CBB77}\_6FEFF9B68218417F98F549.exe
2009-06-18 04:04 . 2009-06-18 04:04 33982 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{58344DA3-BE43-4B4F-8BF7-7DE69A9CBB77}\_3A83AC1B354F6AF3685B54.exe
2009-06-18 04:04 . 2009-06-18 04:04 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{58344DA3-BE43-4B4F-8BF7-7DE69A9CBB77}\_BE590ABD701E2CB21C2EE8.exe
2009-06-18 04:04 . 2009-06-18 04:04 -------- d-----w- c:\program files\NETdecompiler
2009-06-17 01:07 . 2009-06-17 01:07 -------- d-----w- c:\program files\GlobalInfection
2009-06-16 01:52 . 2009-06-16 01:52 -------- d-----w- c:\program files\TeamViewer3
2009-06-16 01:52 . 2009-06-16 01:52 1332528 ----a-w- c:\documents and settings\David's\Application Data\WSS.exe
2009-06-13 11:19 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\David's\Application Data\Mozilla\Firefox\Profiles\l2fjyl7h.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-06-10 00:33 . 2009-06-10 00:33 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-06-09 22:22 . 2009-06-09 22:22 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\ptidle
2009-06-09 19:05 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\GetRightToGo
2009-06-06 16:37 . 2009-06-06 16:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-06 16:37 . 2009-06-20 18:28 -------- d-----w- c:\documents and settings\David's\Application Data\skypePM
2009-06-06 16:33 . 2009-06-20 18:28 -------- d-----w- c:\documents and settings\David's\Application Data\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\program files\Common Files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----r- c:\program files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-06 16:17 . 2009-06-12 03:19 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\TSVNCache
2009-06-06 16:17 . 2009-06-06 16:17 -------- d-----w- c:\documents and settings\David's\Application Data\TortoiseSVN
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\TortoiseSVN
2009-06-04 01:34 . 2009-06-04 02:03 -------- d-----w- c:\documents and settings\David's\workspace
2009-06-02 22:55 . 2009-06-02 22:55 -------- d-----w- c:\program files\AutoIt3
2009-05-31 12:27 . 2009-05-27 21:46 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-31 12:26 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-31 12:26 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-25 15:35 . 2009-05-25 15:39 -------- d-----w- c:\program files\Incomplete
2009-05-24 02:55 . 2009-05-24 02:56 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\Google
2009-05-21 22:28 . 2009-05-21 22:28 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 02:24 . 2009-02-15 04:05 -------- d-----w- c:\documents and settings\David's\Application Data\Download Manager
2009-06-12 03:08 . 2008-04-14 06:50 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-10 20:04 . 2008-12-27 21:27 -------- d-----w- c:\documents and settings\David's\Application Data\FileZilla
2009-06-09 22:21 . 2006-04-07 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:59 . 2009-02-16 22:58 -------- d-----w- c:\documents and settings\David's\Application Data\TeamViewer
2009-06-04 18:31 . 2009-02-24 20:43 -------- d-----w- c:\program files\WeGame
2009-05-31 12:27 . 2009-03-02 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-05-31 03:56 . 2009-03-02 02:45 -------- d-----w- c:\program files\DriftCity
2009-05-25 15:39 . 2008-09-23 19:07 -------- d-----w- c:\documents and settings\David's\Application Data\LimeWire
2009-05-02 13:55 . 2009-01-12 19:20 599560 ----a-w- c:\documents and settings\David's\Application Data\HiYo\Data\hiyo_install.exe
2009-05-02 13:55 . 2008-09-29 22:08 -------- d-----w- c:\program files\MSN Messenger
2009-04-20 00:51 . 2009-04-20 00:51 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-06 19:32 . 2006-04-07 21:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-28 11:48 . 2008-11-20 21:31 34 ----a-w- c:\documents and settings\David's\jagex_runescape_preferences.dat
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-03-28 00:54 . 2009-03-28 00:54 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2006-04-07 23:28 . 2006-04-07 23:28 308 ----a-w- c:\program files\pkpwbdro.txt
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-23 00:55 . 2008-09-23 00:55 8 --sh--r- c:\windows\system32\96E69B85F0.sys
2009-02-14 21:18 . 2009-02-14 20:54 80 --sh--r- c:\windows\system32\F0859BE696.dll
2008-10-08 02:12 . 2008-10-08 02:12 56 --sh--r- c:\windows\system32\F0859BE696.sys
2006-04-01 00:34 . 2006-01-01 00:34 86528 --sha-w- c:\windows\system32\kenayiba.dll
2008-10-08 02:12 . 2008-09-23 00:55 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2006-03-31 04:01 . 1601-01-01 00:12 51712 --sha-w- c:\windows\system32\kozibala.exe
2006-04-07 12:47 . 2006-01-07 12:47 51712 --sha-w- c:\windows\system32\tepeliju.exe
2006-04-07 12:47 . 2006-01-07 12:47 86528 --sha-w- c:\windows\system32\vuhodoji.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-22 18:41 . 2009-06-20 18:07 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-22 18:41 . 2009-06-03 07:02 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-22 18:41 . 2009-06-20 18:07 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-09-22 18:41 . 2009-06-03 07:02 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-29 19:08 . 2009-06-20 18:07 999424 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-29 19:08 . 2009-06-03 07:02 999424 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-17 01:07 . 2009-06-17 01:07 188478 c:\windows\Installer\{DDE7BDEE-907E-4D47-AF3C-90198C08DA6A}\internet2.exe
+ 2009-06-14 20:25 . 2009-06-14 20:25 101948 c:\windows\.jagex_cache_32\loginapplet\cache--2062608270.dat

Pokerking98
Intermediate

Posts: 77
Joined: 2009-06-10
OS: XP
Points: 27677
Likes: 0

Re: Malware doctor

Post by Pokerking98 on Sat Jun 20, 2009 6:38 pm

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"Google Update"="c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-01 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\David's\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-30 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57716:TCP"= 57716:TCP:Pando Media Booster
"57716:UDP"= 57716:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 3:44 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3358915607-2701528367-2638856898-1006.job
- c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 02:55]

2009-06-20 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DAVID-David's).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-01 22:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11)


.
------- Supplementary Scan -------
.
IE: Customize Menu - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-20 14:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\typelib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0]
@DACL=(02 0000)
@="796525 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2116)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\AIM6\aolsoftware.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\anotify.exe
c:\windows\SoftwareDistribution\Download\15fdc8419110b73ae498d2bf87f8bd8a\update\update.exe
.
**************************************************************************
.
Completion time: 2009-06-20 14:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 18:34
ComboFix2.txt 2009-06-12 19:13
ComboFix3.txt 2009-06-12 03:24
ComboFix4.txt 2009-06-10 02:23

Pre-Run: 28,685,307,904 bytes free
Post-Run: 27,636,109,312 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
386 --- E O F --- 2009-04-08 07:00


Re: Malware doctor

Post by Belahzur on Sat Jun 20, 2009 7:51 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1

Re: Malware doctor

Post by Pokerking98 on Sat Jun 20, 2009 7:53 pm

Well, it's slower than when I started. But nothing too serious. Thanks guys.


Re: Malware doctor

Post by Origin on Sun Jun 21, 2009 2:49 pm

Please do a Full Scan in Malwarebytes and post the contents of the log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


Origin
Master

Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31483
Likes: 0
