Malware doctor


Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 10:54 am

ComboFix 09-06-11.06 - David's 06/11/2009 23:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.357 [GMT -4:00]
Running from: c:\documents and settings\David's\Desktop\Combo-Fix.exe
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\1301700638.exe
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\documents and settings\LocalService\Application Data\755020800.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\drivers\52106874.sys
c:\windows\system32\jbnmcd.dll
c:\windows\system32\jbnmck.dll

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_avast!antivirus
-------\Legacy_avast!AVSControlService
-------\Service_avast!AVSControlService


((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 01:57 . 2009-06-12 03:20 99422 ----a-w- c:\windows\system32\drivers\62a4ad86.sys
2009-06-10 01:23 . 2009-06-12 03:20 99422 ----a-w- c:\windows\system32\drivers\b30c2fcc.sys
2009-06-10 00:33 . 2009-06-10 00:33 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-06-09 22:25 . 2009-06-12 03:20 99422 ----a-w- c:\windows\system32\drivers\94ddfa21.sys
2009-06-09 22:22 . 2009-06-09 22:22 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\windows\system32\796525
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\ptidle
2009-06-09 19:05 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\GetRightToGo
2009-06-09 02:46 . 2009-06-09 02:46 -------- d-----w- c:\program files\GlobalInfection
2009-06-06 16:37 . 2009-06-06 16:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-06 16:37 . 2009-06-12 00:57 -------- d-----w- c:\documents and settings\David's\Application Data\skypePM
2009-06-06 16:33 . 2009-06-12 03:19 -------- d-----w- c:\documents and settings\David's\Application Data\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\program files\Common Files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----r- c:\program files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-06 16:17 . 2009-06-12 02:47 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\TSVNCache
2009-06-06 16:17 . 2009-06-06 16:17 -------- d-----w- c:\documents and settings\David's\Application Data\TortoiseSVN
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\TortoiseSVN
2009-06-04 18:40 . 2009-06-04 18:40 1332528 ----a-w- c:\documents and settings\David's\Application Data\WSS.exe
2009-06-04 01:34 . 2009-06-04 02:03 -------- d-----w- c:\documents and settings\David's\workspace
2009-06-02 22:55 . 2009-06-02 22:55 -------- d-----w- c:\program files\AutoIt3
2009-05-31 12:27 . 2009-05-27 21:46 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-31 12:26 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-31 12:26 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-25 15:35 . 2009-05-25 15:39 -------- d-----w- c:\program files\Incomplete
2009-05-24 02:55 . 2009-05-24 02:56 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\Google
2009-05-21 22:28 . 2009-05-21 22:28 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-21 01:39 . 2009-03-22 01:39 32 ----a-r- c:\documents and settings\All Users\hash.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 03:08 . 2008-04-14 06:50 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-12 01:00 . 2009-06-12 02:02 58880 ----a-w- c:\windows\system32\48.tmp
2009-06-10 20:04 . 2008-12-27 21:27 -------- d-----w- c:\documents and settings\David's\Application Data\FileZilla
2009-06-09 22:21 . 2006-04-07 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:59 . 2009-02-16 22:58 -------- d-----w- c:\documents and settings\David's\Application Data\TeamViewer
2009-06-04 18:31 . 2009-02-24 20:43 -------- d-----w- c:\program files\WeGame
2009-05-31 12:27 . 2009-03-02 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-05-31 03:56 . 2009-03-02 02:45 -------- d-----w- c:\program files\DriftCity
2009-05-25 15:39 . 2008-09-23 19:07 -------- d-----w- c:\documents and settings\David's\Application Data\LimeWire
2009-05-25 15:35 . 2008-09-23 19:07 -------- d-----w- c:\program files\LimeWire
2009-05-02 13:55 . 2009-01-12 19:20 599560 ----a-w- c:\documents and settings\David's\Application Data\HiYo\Data\hiyo_install.exe
2009-05-02 13:55 . 2008-09-29 22:08 -------- d-----w- c:\program files\MSN Messenger
2009-04-20 01:33 . 2009-04-20 01:33 -------- d-----w- c:\program files\Trend Micro
2009-04-20 01:17 . 2009-04-20 01:17 118784 ----a-w- c:\windows\system32\sgc315j0e19g.dll
2009-04-20 01:17 . 2009-04-20 01:17 80191 ----a-w- c:\windows\system32\qgc715j0e19g .exe
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\program files\iTunes
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-20 00:57 . 2009-04-20 00:57 -------- d-----w- c:\program files\iPod
2009-04-20 00:57 . 2009-03-17 23:03 -------- d-----w- c:\program files\Common Files\Apple
2009-04-20 00:51 . 2009-04-20 00:51 -------- d-----w- c:\documents and settings\David's\Application Data\AVS4YOU
2009-04-20 00:51 . 2009-04-20 00:51 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-20 00:50 . 2009-04-20 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:46 -------- d-----w- c:\program files\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:48 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-04-06 19:32 . 2006-04-07 21:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-28 11:48 . 2008-11-20 21:31 34 ----a-w- c:\documents and settings\David's\jagex_runescape_preferences.dat
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-03-28 00:54 . 2009-03-28 00:54 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-17 20:24 . 2009-03-17 20:24 966808 ----a-w- c:\documents and settings\David's\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000004.exe
2006-04-07 23:28 . 2006-04-07 23:28 308 ----a-w- c:\program files\pkpwbdro.txt
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-23 00:55 . 2008-09-23 00:55 8 --sh--r- c:\windows\system32\96E69B85F0.sys
2009-02-14 21:18 . 2009-02-14 20:54 80 --sh--r- c:\windows\system32\F0859BE696.dll
2008-10-08 02:12 . 2008-10-08 02:12 56 --sh--r- c:\windows\system32\F0859BE696.sys
2006-04-01 00:34 . 2006-01-01 00:34 86528 --sha-w- c:\windows\system32\kenayiba.dll
2008-10-08 02:12 . 2008-09-23 00:55 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2006-03-31 04:01 . 1601-01-01 00:12 51712 --sha-w- c:\windows\system32\kozibala.exe
2006-04-07 12:47 . 2006-01-07 12:47 51712 --sha-w- c:\windows\system32\tepeliju.exe
2006-04-07 12:47 . 2006-01-07 12:47 86528 --sha-w- c:\windows\system32\vuhodoji.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
jbnmck.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"Google Update"="c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]


Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 10:55 am

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-01 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\David's\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-30 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57716:TCP"= 57716:TCP:Pando Media Booster
"57716:UDP"= 57716:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 3:44 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3358915607-2701528367-2638856898-1006.job
- c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 02:55]

2009-06-12 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DAVID-David's).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-01 22:18]
.
.
------- Supplementary Scan -------
.
IE: Customize Menu - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-11 23:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\62a4ad86]
"ImagePath"="\SystemRoot\System32\drivers\62a4ad86.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
"ImagePath"="\SystemRoot\System32\drivers\94ddfa21.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]
"ImagePath"="\SystemRoot\System32\drivers\b30c2fcc.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\mvju.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@Class="REG_SZ"
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\jkshfuiehi.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\typelib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0]
@DACL=(02 0000)
@="796525 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1136)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\system32\CF8751.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\AIM6\aolsoftware.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-12 23:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 03:24
ComboFix2.txt 2009-06-10 02:23

Pre-Run: 30,128,640,000 bytes free
Post-Run: 30,124,294,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
350 --- E O F --- 2009-04-08 07:00


Re: Malware doctor

Post by Belahzur on Fri Jun 12, 2009 10:59 am

Hello.
I will step in here and finish it off; let's get these rootkits off the system.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
npggsvc
62a4ad86
b30c2fcc
94ddfa21

File::
c:\windows\system32\drivers\62a4ad86.sys
c:\windows\system32\drivers\b30c2fcc.sys
c:\windows\system32\drivers\94ddfa21.sys
c:\windows\system32\48.tmp
c:\windows\system32\sgc315j0e19g.dll
c:\windows\system32\qgc715j0e19g .exe

Rootkit::
c:\windows\system32\drivers\62a4ad86.sys
c:\windows\system32\drivers\b30c2fcc.sys
c:\windows\system32\drivers\94ddfa21.sys

Folder::
c:\program files\LimeWire
c:\windows\system32\796525

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\62a4ad86]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]

Save this as CFScript.txt on your desktop.
Then drag and drop CFScript.txt onto ComboFix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done (it will warn you if it wants to).
Post the resulting log back here.





Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 7:16 pm

ComboFix 09-06-12.01 - David's 06/12/2009 15:02.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.403 [GMT -4:00]
Running from: c:\documents and settings\David's\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\David's\Desktop\CFScript.txt
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\setupapi.dll
c:\program files\Mozilla Firefox\setupapi.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 01:57 . 2009-06-12 19:09 99422 ----a-w- c:\windows\system32\drivers\62a4ad86.sys
2009-06-10 01:23 . 2009-06-12 19:09 99422 ----a-w- c:\windows\system32\drivers\b30c2fcc.sys
2009-06-10 00:33 . 2009-06-10 00:33 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-06-09 22:25 . 2009-06-12 19:09 99422 ----a-w- c:\windows\system32\drivers\94ddfa21.sys
2009-06-09 22:22 . 2009-06-09 22:22 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\windows\system32\796525
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\ptidle
2009-06-09 19:05 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\GetRightToGo
2009-06-09 02:46 . 2009-06-09 02:46 -------- d-----w- c:\program files\GlobalInfection
2009-06-06 16:37 . 2009-06-06 16:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-06 16:37 . 2009-06-12 19:09 -------- d-----w- c:\documents and settings\David's\Application Data\skypePM
2009-06-06 16:33 . 2009-06-12 18:29 -------- d-----w- c:\documents and settings\David's\Application Data\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\program files\Common Files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----r- c:\program files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-06 16:17 . 2009-06-12 03:19 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\TSVNCache
2009-06-06 16:17 . 2009-06-06 16:17 -------- d-----w- c:\documents and settings\David's\Application Data\TortoiseSVN
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\TortoiseSVN
2009-06-04 18:40 . 2009-06-04 18:40 1332528 ----a-w- c:\documents and settings\David's\Application Data\WSS.exe
2009-06-04 01:34 . 2009-06-04 02:03 -------- d-----w- c:\documents and settings\David's\workspace
2009-06-02 22:55 . 2009-06-02 22:55 -------- d-----w- c:\program files\AutoIt3
2009-05-31 12:27 . 2009-05-27 21:46 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-31 12:26 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-31 12:26 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-25 15:35 . 2009-05-25 15:39 -------- d-----w- c:\program files\Incomplete
2009-05-24 02:55 . 2009-05-24 02:56 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\Google
2009-05-21 22:28 . 2009-05-21 22:28 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-21 01:39 . 2009-03-22 01:39 32 ----a-r- c:\documents and settings\All Users\hash.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 03:08 . 2008-04-14 06:50 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-12 01:00 . 2009-06-12 02:02 58880 ----a-w- c:\windows\system32\48.tmp
2009-06-10 20:04 . 2008-12-27 21:27 -------- d-----w- c:\documents and settings\David's\Application Data\FileZilla
2009-06-09 22:21 . 2006-04-07 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:59 . 2009-02-16 22:58 -------- d-----w- c:\documents and settings\David's\Application Data\TeamViewer
2009-06-04 18:31 . 2009-02-24 20:43 -------- d-----w- c:\program files\WeGame
2009-05-31 12:27 . 2009-03-02 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-05-31 03:56 . 2009-03-02 02:45 -------- d-----w- c:\program files\DriftCity
2009-05-25 15:39 . 2008-09-23 19:07 -------- d-----w- c:\documents and settings\David's\Application Data\LimeWire
2009-05-25 15:35 . 2008-09-23 19:07 -------- d-----w- c:\program files\LimeWire
2009-05-02 13:55 . 2009-01-12 19:20 599560 ----a-w- c:\documents and settings\David's\Application Data\HiYo\Data\hiyo_install.exe
2009-05-02 13:55 . 2008-09-29 22:08 -------- d-----w- c:\program files\MSN Messenger
2009-04-20 01:33 . 2009-04-20 01:33 -------- d-----w- c:\program files\Trend Micro
2009-04-20 01:17 . 2009-04-20 01:17 118784 ----a-w- c:\windows\system32\sgc315j0e19g.dll
2009-04-20 01:17 . 2009-04-20 01:17 80191 ----a-w- c:\windows\system32\qgc715j0e19g .exe
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\program files\iTunes
2009-04-20 00:57 . 2009-04-20 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-20 00:57 . 2009-04-20 00:57 -------- d-----w- c:\program files\iPod
2009-04-20 00:57 . 2009-03-17 23:03 -------- d-----w- c:\program files\Common Files\Apple
2009-04-20 00:51 . 2009-04-20 00:51 -------- d-----w- c:\documents and settings\David's\Application Data\AVS4YOU
2009-04-20 00:51 . 2009-04-20 00:51 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-20 00:50 . 2009-04-20 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:46 -------- d-----w- c:\program files\AVS4YOU
2009-04-20 00:49 . 2009-04-20 00:48 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-04-06 19:32 . 2006-04-07 21:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-28 11:48 . 2008-11-20 21:31 34 ----a-w- c:\documents and settings\David's\jagex_runescape_preferences.dat
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-03-28 00:54 . 2009-03-28 00:54 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-17 20:24 . 2009-03-17 20:24 966808 ----a-w- c:\documents and settings\David's\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000004.exe
2006-04-07 23:28 . 2006-04-07 23:28 308 ----a-w- c:\program files\pkpwbdro.txt
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-23 00:55 . 2008-09-23 00:55 8 --sh--r- c:\windows\system32\96E69B85F0.sys
2009-02-14 21:18 . 2009-02-14 20:54 80 --sh--r- c:\windows\system32\F0859BE696.dll
2008-10-08 02:12 . 2008-10-08 02:12 56 --sh--r- c:\windows\system32\F0859BE696.sys
2006-04-01 00:34 . 2006-01-01 00:34 86528 --sha-w- c:\windows\system32\kenayiba.dll
2008-10-08 02:12 . 2008-09-23 00:55 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2006-03-31 04:01 . 1601-01-01 00:12 51712 --sha-w- c:\windows\system32\kozibala.exe
2006-04-07 12:47 . 2006-01-07 12:47 51712 --sha-w- c:\windows\system32\tepeliju.exe
2006-04-07 12:47 . 2006-01-07 12:47 86528 --sha-w- c:\windows\system32\vuhodoji.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-12 19:08 . 2009-06-12 19:08 16384 c:\windows\temp\Perflib_Perfdata_304.dat
+ 2009-06-12 19:01 . 2009-06-12 19:01 389120 c:\windows\system32\CF1958.exe
.

Pokerking98
Intermediate

Posts: 77
Joined: 2009-06-10
OS: XP
Points: 27667
Likes: 0
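The Find3M and Files Created listings in the post above are what a helper scans by eye for indicators: three drivers of identical size (99422 bytes) with random eight-hex-digit names under \drivers, executables in system32 carrying the hidden+system attributes (--sh), an .exe with a space before its extension, and a modification time at the 1601 FILETIME epoch. The script below is an added example, not part of this thread and not ComboFix's own code: it parses lines in ComboFix's file-listing format and applies those same heuristics mechanically. The sample lines are copied from the log above (plus a benign directory and the Malwarebytes driver as controls); the heuristic names, thresholds and the Entry/triage helpers are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One file line in a ComboFix "Files Created" / "Find3M" listing:
#   <created> . <modified> <size-or-dashes> <attrs> <path>
# The 8-char attribute field is positional: [0]=d(irectory) [2]=s(ystem)
# [3]=h(idden) [4]=a(rchive) [6]=w(ritable)|r(ead-only).
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
RANDOM_DRIVER_RE = re.compile(r"\\drivers\\[0-9a-f]{8}\.sys$", re.I)
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\", re.I)
EXEC_EXT = (".exe", ".dll", ".sys")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file line, None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def flags_for(e: Entry) -> List[str]:
    """Per-file heuristics (my own choices, mirroring what the log shows)."""
    reasons: List[str] = []
    name = e.path.rsplit("\\", 1)[-1]
    if RANDOM_DRIVER_RE.search(e.path):
        reasons.append("random 8-hex-digit driver name")
    hidden_system = e.attrs[2] == "s" and e.attrs[3] == "h"
    if hidden_system and SYSTEM32_RE.match(e.path) and name.lower().endswith(EXEC_EXT):
        reasons.append("hidden+system executable in system32")
    if re.search(r"\s+\.[a-z0-9]{1,4}$", name, re.I):
        reasons.append("whitespace before extension")
    if e.created.startswith("1601-") or e.modified.startswith("1601-"):
        reasons.append("timestamp at FILETIME epoch (1601)")
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious path to the list of reasons it was flagged."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = flags_for(e)
        if reasons:
            findings[e.path] = reasons
    # Cross-file check: several drivers of identical size are usually copies
    # of one payload dropped under different names.
    by_size: Dict[int, List[str]] = {}
    for e in entries:
        if e.size and "\\drivers\\" in e.path.lower():
            by_size.setdefault(e.size, []).append(e.path)
    for size, paths in by_size.items():
        if len(paths) >= 2:
            for p in paths:
                findings.setdefault(p, []).append(
                    f"shares size {size} with {len(paths) - 1} other driver(s)")
    return findings


# Sample input copied from the ComboFix log above; the wbem\Repository
# directory and mbam.sys are included as benign controls.
SAMPLE_LINES = [
    r"2009-06-12 01:57 . 2009-06-12 03:20 99422 ----a-w- c:\windows\system32\drivers\62a4ad86.sys",
    r"2009-06-10 01:23 . 2009-06-12 03:20 99422 ----a-w- c:\windows\system32\drivers\b30c2fcc.sys",
    r"2009-06-09 22:25 . 2009-06-12 03:20 99422 ----a-w- c:\windows\system32\drivers\94ddfa21.sys",
    r"2009-06-09 22:22 . 2009-06-09 22:22 -------- d-----w- c:\windows\system32\wbem\Repository",
    r"2009-04-06 19:32 . 2006-04-07 21:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"2009-04-20 01:17 . 2009-04-20 01:17 80191 ----a-w- c:\windows\system32\qgc715j0e19g .exe",
    r"2006-03-31 04:01 . 1601-01-01 00:12 51712 --sha-w- c:\windows\system32\kozibala.exe",
    r"2006-04-07 12:47 . 2006-01-07 12:47 86528 --sha-w- c:\windows\system32\vuhodoji.dll",
    r"2008-10-08 02:12 . 2008-09-23 00:55 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

These are triage heuristics, not verdicts: the hidden+system rule also fires on KGyGaAvL.sys, a file commonly left behind by Macrovision SafeCast licensing, so every hit still needs a hash lookup or signature check before it goes into a CFScript.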

Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 7:16 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
jbnmck.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"Google Update"="c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-01 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\David's\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]


c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-30 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57716:TCP"= 57716:TCP:Pando Media Booster
"57716:UDP"= 57716:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 3:44 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3358915607-2701528367-2638856898-1006.job
- c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 02:55]

2009-06-12 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DAVID-David's).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-01 22:18]
.
.


Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 7:16 pm

------- Supplementary Scan -------
.
IE: Customize Menu - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-12 15:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\62a4ad86]
"ImagePath"="\SystemRoot\System32\drivers\62a4ad86.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\94ddfa21]
"ImagePath"="\SystemRoot\System32\drivers\94ddfa21.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b30c2fcc]
"ImagePath"="\SystemRoot\System32\drivers\b30c2fcc.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20808824-8A2A-228E-B397-F58859D646E4}\InProcServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\mvju.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32]
@Class="REG_SZ"
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\jkshfuiehi.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\typelib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0]
@DACL=(02 0000)
@="796525 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2208)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\windows\system32\CF1958.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-12 15:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 19:13
ComboFix2.txt 2009-06-12 03:24
ComboFix3.txt 2009-06-10 02:23

Pre-Run: 30,148,493,312 bytes free
Post-Run: 30,135,545,856 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
335 --- E O F --- 2009-04-08 07:00


Re: Malware doctor

Post by Belahzur on Fri Jun 12, 2009 7:38 pm

Hello.
That didn't work. Did you copy and paste EVERYTHING inside Notepad?

To me, it looks like you might have left it blank, or missed File:: maybe.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245059
Likes: 1

Re: Malware doctor

Post by Pokerking98 on Fri Jun 12, 2009 7:52 pm

Yeah, I copied everything. I even double-checked.


Re: Malware doctor

Post by Belahzur on Fri Jun 12, 2009 7:58 pm

Hello.
This machine is badly infected. Try running the script again, but do it from safe mode.



Re: Malware doctor

Post by Pokerking98 on Sat Jun 20, 2009 6:37 pm

ComboFix 09-06-19.01 - David's 06/20/2009 14:15.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.693 [GMT -4:00]
Running from: c:\documents and settings\David's\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\David's\Desktop\cfscript.txt
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\48.tmp"
"c:\windows\system32\drivers\62a4ad86.sys"
"c:\windows\system32\drivers\94ddfa21.sys"
"c:\windows\system32\drivers\b30c2fcc.sys"
"c:\windows\system32\qgc715j0e19g .exe"
"c:\windows\system32\sgc315j0e19g.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dtmb.exe
c:\program files\LimeWire
c:\windows\system32\796525
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\program files\Internet Explorer\setupapi.dll
c:\program files\LimeWire\COPYING
c:\program files\LimeWire\data.ser
c:\program files\LimeWire\inspection.props
c:\program files\LimeWire\install.log
c:\program files\LimeWire\language.prop
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-httpclient.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-net.jar
c:\program files\LimeWire\lib\commons-pool.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\forms.jar
c:\program files\LimeWire\lib\foxtrot.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\guice-1.0.jar
c:\program files\LimeWire\lib\hashes
c:\program files\LimeWire\lib\httpcore-nio.jar
c:\program files\LimeWire\lib\httpcore.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\id3v2.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\LimeWire.ico
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\log4j.properties
c:\program files\LimeWire\lib\looks.jar
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\ProgressTabs.jar
c:\program files\LimeWire\lib\swt.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\SystemUtilitiesA.dll
c:\program files\LimeWire\lib\themes.jar
c:\program files\LimeWire\lib\tray.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire On Startup.lnk
c:\program files\LimeWire\LimeWire.exe
c:\program files\LimeWire\LimeWire.ico
c:\program files\LimeWire\pmf.ico
c:\program files\LimeWire\root\magnet10\badge.img
c:\program files\LimeWire\root\magnet10\canHandle.img
c:\program files\LimeWire\root\magnet10\limewire.gif
c:\program files\LimeWire\root\magnet10\options.js
c:\program files\LimeWire\root\magnet10\silentdetect.js
c:\program files\LimeWire\SOURCE
c:\program files\LimeWire\spacer.gif
c:\program files\LimeWire\uninstall.exe
c:\program files\Mozilla Firefox\setupapi.dll
c:\windows\system32\48.tmp
c:\windows\system32\drivers\62a4ad86.sys
c:\windows\system32\drivers\94ddfa21.sys
c:\windows\system32\drivers\b30c2fcc.sys
c:\windows\system32\qgc715j0e19g .exe
c:\windows\system32\sgc315j0e19g.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-06-18 16:16 . 2009-01-28 18:47 157144 ----a-w- c:\windows\system32\PubPlugin.dll
2009-06-18 04:04 . 2009-06-18 04:04 33982 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{58344DA3-BE43-4B4F-8BF7-7DE69A9CBB77}\_82E9268439A85DF7929CB5.exe
2009-06-18 04:04 . 2009-06-18 04:04 33982 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{58344DA3-BE43-4B4F-8BF7-7DE69A9CBB77}\_6FEFF9B68218417F98F549.exe
2009-06-18 04:04 . 2009-06-18 04:04 33982 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{58344DA3-BE43-4B4F-8BF7-7DE69A9CBB77}\_3A83AC1B354F6AF3685B54.exe
2009-06-18 04:04 . 2009-06-18 04:04 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{58344DA3-BE43-4B4F-8BF7-7DE69A9CBB77}\_BE590ABD701E2CB21C2EE8.exe
2009-06-18 04:04 . 2009-06-18 04:04 -------- d-----w- c:\program files\NETdecompiler
2009-06-17 01:07 . 2009-06-17 01:07 -------- d-----w- c:\program files\GlobalInfection
2009-06-16 01:52 . 2009-06-16 01:52 -------- d-----w- c:\program files\TeamViewer3
2009-06-16 01:52 . 2009-06-16 01:52 1332528 ----a-w- c:\documents and settings\David's\Application Data\WSS.exe
2009-06-13 11:19 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\David's\Application Data\Mozilla\Firefox\Profiles\l2fjyl7h.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-06-10 00:33 . 2009-06-10 00:33 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-06-09 22:22 . 2009-06-09 22:22 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-09 22:21 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\ptidle
2009-06-09 19:05 . 2009-06-09 22:21 -------- d-----w- c:\documents and settings\David's\Application Data\GetRightToGo
2009-06-06 16:37 . 2009-06-06 16:37 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-06 16:37 . 2009-06-20 18:28 -------- d-----w- c:\documents and settings\David's\Application Data\skypePM
2009-06-06 16:33 . 2009-06-20 18:28 -------- d-----w- c:\documents and settings\David's\Application Data\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\program files\Common Files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----r- c:\program files\Skype
2009-06-06 16:33 . 2009-06-06 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-06 16:17 . 2009-06-12 03:19 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\TSVNCache
2009-06-06 16:17 . 2009-06-06 16:17 -------- d-----w- c:\documents and settings\David's\Application Data\TortoiseSVN
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2009-06-06 16:14 . 2009-06-06 16:14 -------- d-----w- c:\program files\TortoiseSVN
2009-06-04 01:34 . 2009-06-04 02:03 -------- d-----w- c:\documents and settings\David's\workspace
2009-06-02 22:55 . 2009-06-02 22:55 -------- d-----w- c:\program files\AutoIt3
2009-05-31 12:27 . 2009-05-27 21:46 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-05-31 12:26 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-31 12:26 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-25 15:35 . 2009-05-25 15:39 -------- d-----w- c:\program files\Incomplete
2009-05-24 02:55 . 2009-05-24 02:56 -------- d-----w- c:\documents and settings\David's\Local Settings\Application Data\Google
2009-05-21 22:28 . 2009-05-21 22:28 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 02:24 . 2009-02-15 04:05 -------- d-----w- c:\documents and settings\David's\Application Data\Download Manager
2009-06-12 03:08 . 2008-04-14 06:50 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-10 20:04 . 2008-12-27 21:27 -------- d-----w- c:\documents and settings\David's\Application Data\FileZilla
2009-06-09 22:21 . 2006-04-07 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:59 . 2009-02-16 22:58 -------- d-----w- c:\documents and settings\David's\Application Data\TeamViewer
2009-06-04 18:31 . 2009-02-24 20:43 -------- d-----w- c:\program files\WeGame
2009-05-31 12:27 . 2009-03-02 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-05-31 03:56 . 2009-03-02 02:45 -------- d-----w- c:\program files\DriftCity
2009-05-25 15:39 . 2008-09-23 19:07 -------- d-----w- c:\documents and settings\David's\Application Data\LimeWire
2009-05-02 13:55 . 2009-01-12 19:20 599560 ----a-w- c:\documents and settings\David's\Application Data\HiYo\Data\hiyo_install.exe
2009-05-02 13:55 . 2008-09-29 22:08 -------- d-----w- c:\program files\MSN Messenger
2009-04-20 00:51 . 2009-04-20 00:51 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-06 19:32 . 2006-04-07 21:59 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2006-04-07 21:59 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-28 11:48 . 2008-11-20 21:31 34 ----a-w- c:\documents and settings\David's\jagex_runescape_preferences.dat
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe1_B5F7ED63E4D54BE694F0F06A2CCC5374.exe
2009-03-28 00:54 . 2009-03-28 00:54 45056 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\MapleStory.exe_B5F7ED63E4D54BE694F0F06A2CCC5374_1.exe
2009-03-28 00:54 . 2009-03-28 00:54 10134 ----a-r- c:\documents and settings\David's\Application Data\Microsoft\Installer\{B5F7ED63-E4D5-4BE6-94F0-F06A2CCC5374}\ARPPRODUCTICON.exe
2006-04-07 23:28 . 2006-04-07 23:28 308 ----a-w- c:\program files\pkpwbdro.txt
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-23 00:55 . 2008-09-23 00:55 8 --sh--r- c:\windows\system32\96E69B85F0.sys
2009-02-14 21:18 . 2009-02-14 20:54 80 --sh--r- c:\windows\system32\F0859BE696.dll
2008-10-08 02:12 . 2008-10-08 02:12 56 --sh--r- c:\windows\system32\F0859BE696.sys
2006-04-01 00:34 . 2006-01-01 00:34 86528 --sha-w- c:\windows\system32\kenayiba.dll
2008-10-08 02:12 . 2008-09-23 00:55 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2006-03-31 04:01 . 1601-01-01 00:12 51712 --sha-w- c:\windows\system32\kozibala.exe
2006-04-07 12:47 . 2006-01-07 12:47 51712 --sha-w- c:\windows\system32\tepeliju.exe
2006-04-07 12:47 . 2006-01-07 12:47 86528 --sha-w- c:\windows\system32\vuhodoji.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-22 18:41 . 2009-06-20 18:07 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-22 18:41 . 2009-06-03 07:02 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-22 18:41 . 2009-06-20 18:07 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-09-22 18:41 . 2009-06-03 07:02 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-29 19:08 . 2009-06-20 18:07 999424 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-29 19:08 . 2009-06-03 07:02 999424 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-17 01:07 . 2009-06-17 01:07 188478 c:\windows\Installer\{DDE7BDEE-907E-4D47-AF3C-90198C08DA6A}\internet2.exe
+ 2009-06-14 20:25 . 2009-06-14 20:25 101948 c:\windows\.jagex_cache_32\loginapplet\cache--2062608270.dat


Re: Malware doctor

Post by Pokerking98 on Sat Jun 20, 2009 6:38 pm

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"Google Update"="c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-24 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-01 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 1117184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-07 65536]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\David's\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-30 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Brother\\ControlCenter3\\BrccMCtl.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57716:TCP"= 57716:TCP:Pando Media Booster
"57716:UDP"= 57716:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 3:44 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3358915607-2701528367-2638856898-1006.job
- c:\documents and settings\David's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 02:55]

2009-06-20 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DAVID-David's).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-01 22:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11)


.
------- Supplementary Scan -------
.
IE: Customize Menu - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - [You must be registered and logged in to see this link.] files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-20 14:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\proxystubclsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836}\typelib]
@DACL=(02 0000)
@="{E63648F7-3933-440E-B4F6-A8584DD7B7EB}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0]
@DACL=(02 0000)
@="796525 1.0 Type Library"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2116)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\TGTSoft\StyleXP\StyleXPService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\AIM6\aolsoftware.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\anotify.exe
c:\windows\SoftwareDistribution\Download\15fdc8419110b73ae498d2bf87f8bd8a\update\update.exe
.
**************************************************************************
.
Completion time: 2009-06-20 14:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 18:34
ComboFix2.txt 2009-06-12 19:13
ComboFix3.txt 2009-06-12 03:24
ComboFix4.txt 2009-06-10 02:23

Pre-Run: 28,685,307,904 bytes free
Post-Run: 27,636,109,312 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
386 --- E O F --- 2009-04-08 07:00


Re: Malware doctor

Post by Belahzur on Sat Jun 20, 2009 7:51 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u
This will also reset your restore points.

How is the machine running now?





Re: Malware doctor

Post by Pokerking98 on Sat Jun 20, 2009 7:53 pm

Well, it's slower than when I started. But nothing too serious. Thanks guys.

Pokerking98
Intermediate
Intermediate

Posts Posts : 77
Joined Joined : 2009-06-10
OS OS : XP
Points Points : 27667
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware doctor

Post by Origin on Sun Jun 21, 2009 2:49 pm

Please do a Full Scan in Malwarebytes and post the contents of the log back here.



