Trojan and Registry Viruses



Post by Misteretc on Tue Jun 15, 2010 9:29 am

Hello, I'm back with new problems on my computer. Over the weekend, I somehow got viruses and trojans on my computer. I ran my anti-virus programs and wasn't able to remove everything and am still having problems. I ran malwarebytes last night and tried to clean it up. Still having issues.

Here's the log from malwarebytes below...


Malwarebytes' Anti-Malware 1.46

Database version: 4199

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-06-15 5:17:45 AM
mbam-log-2010-06-15 (05-17-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 292788
Time elapsed: 1 hour(s), 15 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Start Menu\Programs\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Defense Center\Uninstall.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\about.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\activate.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\buy.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\def.db (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\help.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\scan.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\settings.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\splash.mp3 (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\update.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\virus.mp3 (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Start Menu\Programs\Defense Center\About.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Start Menu\Programs\Defense Center\Activate.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Start Menu\Programs\Defense Center\Buy.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Start Menu\Programs\Defense Center\Defense Center Support.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Start Menu\Programs\Defense Center\Defense Center.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Start Menu\Programs\Defense Center\Scan.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Start Menu\Programs\Defense Center\Settings.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Start Menu\Programs\Defense Center\Update.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Application Data\Microsoft\Internet Explorer\Quick Launch\Defense Center.LNK (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.


Re: Trojan and Registry Viruses

Post by Misteretc on Tue Jun 15, 2010 9:33 am

I wasn't able to run OTL because of a time error on it. I was able to run Ice Sword and here are those logs...

Process:

System Idle Process
System
C:\Documents and Settings\Ann\Desktop\The Garrote stuff\IceSword122en\IceSword.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe

and...

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ad-Watch
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HP Software Update
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Nitro PDF Printer Monitor
"C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Reader Speed Launcher
"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe ARM
"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Google Update
"C:\Documents and Settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SUPERAntiSpyware
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Remark:)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Image Zone Fast Start.lnk
C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Remark:)

C:\Documents and Settings\Ann\Start Menu\Programs\Startup
Adobe Gamma.lnk
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Remark:)

C:\Documents and Settings\Ann\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Ann\Start Menu\Programs\Startup
DING!.lnk
C:\Program Files\Southwest Airlines\Ding\Ding.exe (Remark:)

C:\Documents and Settings\Ann\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Remark: Screen Clipper (Windows+S) and Launcher (Windows+N) for Microsoft Office OneNote.)


Re: Trojan and Registry Viruses

Post by Belahzur on Tue Jun 15, 2010 8:15 pm

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Please PM me if I fail to respond within 24hrs.


Re: Trojan and Registry Viruses

Post by Misteretc on Wed Jun 16, 2010 2:16 am

Belahzur wrote: Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

I'm not able to run a complete scan; I get the error message...

'2099/1/1 12:00' is not a valid date and time


Re: Trojan and Registry Viruses

Post by Belahzur on Thu Jun 17, 2010 12:30 am

Hello.
Let's try this.

  • Please download DDS by sUBs to your Desktop (Important!!)
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.


Re: Trojan and Registry Viruses

Post by Misteretc on Thu Jun 17, 2010 2:21 am

Okay that worked, here's the first one...


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ann at 22:19:37.53 on 2010-06-16
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2494.1451 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Outdated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ann\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [Google Update] "c:\documents and settings\ann\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Nitro PDF Printer Monitor] "c:\program files\nitro pdf\professional\NitroPDFPrinterMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\ann\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\ann\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\ann\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - [You must be registered and logged in to see this link.]
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - [You must be registered and logged in to see this link.]
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - [You must be registered and logged in to see this link.]
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: Nitro PDF Professional - cscript //B "c:\program files\nitro pdf\professional\RemoveOldAddins.vbs"

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-20 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-20 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-3-14 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-3-28 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-3-28 59664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-18 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-18 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-18 108552]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-3-14 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-18 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-18 297752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-3-14 112592]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352320]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-27 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-1-12 1245064]
S0 jeurec;jeurec;c:\windows\system32\drivers\ipxcubq.sys --> c:\windows\system32\drivers\ipxcubq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-31 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090412.020\NAVENG.SYS [2009-4-11 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090412.020\NAVEX15.SYS [2009-4-11 876144]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-3-14 70408]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-3-28 33552]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]

=============== Created Last 30 ================

2010-06-13 16:47:08 0 d-----w- c:\program files\SmartDoctor
2010-06-09 02:01:09 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-05-22 13:18:05 226728 ----a-r- c:\windows\system32\cpnprt2.cid
2010-05-22 13:18:03 0 d-----w- c:\windows\Cache
2010-05-22 13:18:02 0 d-----w- c:\program files\Coupons

==================== Find3M ====================

2010-06-14 00:19:14 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-06-08 02:16:01 763832 ----a-w- c:\windows\BDTSupport.dll
2010-06-08 00:21:02 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-06-05 11:46:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:43:46 30228 ----a-w- c:\windows\fonts\Doctor.ttf
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 19:58:12 256512 ----a-w- c:\windows\PEV.exe
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-15 07:05:09 49152 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010030820100315\index.dat
2010-03-15 09:08:07 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010031520100316\index.dat

============= FINISH: 22:21:01.06 ===============


Re: Trojan and Registry Viruses

Post by Misteretc on Thu Jun 17, 2010 2:22 am

and here's the 2nd one...


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2008-12-29 9:08:16 PM
System Uptime: 2010-06-15 10:06:07 PM (24 hours ago)

Motherboard: ASUSTek Computer INC. | | Amberine M
Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 939 | 1989/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 186 GiB total, 25.457 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 2010-03-27 3:35:40 PM - System Checkpoint
RP2: 2010-03-27 5:32:25 PM - Removed AVG Free 8.5
RP3: 2010-03-27 5:44:38 PM - Avg8 Update
RP4: 2010-03-27 5:46:07 PM - Avg8 Update
RP5: 2010-03-27 6:41:31 PM - Removed AVG Free 8.5
RP6: 2010-03-27 6:50:53 PM - Removed AVG Free 8.5
RP7: 2010-03-28 9:24:41 AM - Removed AVG Free 8.5
RP8: 2010-03-29 9:44:27 AM - System Checkpoint
RP9: 2010-03-30 6:42:17 AM - Installed HiJackThis
RP10: 2010-03-30 9:50:26 PM - Printer Driver Nitro PDF Driver 5 Installed
RP11: 2010-04-01 6:23:37 AM - Software Distribution Service 3.0
RP12: 2010-04-01 9:46:19 PM - Software Distribution Service 3.0
RP13: 2010-04-02 10:35:36 PM - System Checkpoint
RP14: 2010-04-04 12:09:14 AM - System Checkpoint
RP15: 2010-04-05 4:02:46 AM - System Checkpoint
RP16: 2010-04-06 5:57:38 AM - System Checkpoint
RP17: 2010-04-07 8:24:50 AM - System Checkpoint
RP18: 2010-04-08 9:00:55 AM - System Checkpoint
RP19: 2010-04-09 10:00:54 AM - System Checkpoint
RP20: 2010-04-10 12:53:15 PM - System Checkpoint
RP21: 2010-04-11 9:29:18 PM - System Checkpoint
RP22: 2010-04-12 10:16:49 PM - System Checkpoint
RP23: 2010-04-13 10:46:10 PM - System Checkpoint
RP24: 2010-04-14 11:46:11 PM - System Checkpoint
RP25: 2010-04-15 3:00:23 AM - Software Distribution Service 3.0
RP26: 2010-04-16 4:37:20 AM - System Checkpoint
RP27: 2010-04-17 4:40:12 AM - System Checkpoint
RP28: 2010-04-18 5:59:23 AM - System Checkpoint
RP29: 2010-04-19 6:53:24 AM - System Checkpoint
RP30: 2010-04-20 7:53:24 AM - System Checkpoint
RP31: 2010-04-21 9:14:08 AM - System Checkpoint
RP32: 2010-04-22 5:46:30 PM - System Checkpoint
RP33: 2010-04-23 5:53:59 PM - System Checkpoint
RP34: 2010-04-24 6:11:17 PM - System Checkpoint
RP35: 2010-04-25 6:11:23 PM - System Checkpoint
RP36: 2010-04-26 7:11:24 PM - System Checkpoint
RP37: 2010-04-27 8:11:23 PM - System Checkpoint
RP38: 2010-04-28 9:11:24 PM - System Checkpoint
RP39: 2010-04-29 10:11:23 PM - System Checkpoint
RP40: 2010-04-30 11:11:23 PM - System Checkpoint
RP41: 2010-05-02 12:51:20 AM - System Checkpoint
RP42: 2010-05-03 4:41:45 AM - System Checkpoint
RP43: 2010-05-04 4:48:11 AM - System Checkpoint
RP44: 2010-05-05 4:48:41 AM - System Checkpoint
RP45: 2010-05-06 5:11:32 AM - System Checkpoint
RP46: 2010-05-07 6:01:05 AM - System Checkpoint
RP47: 2010-05-08 7:15:05 AM - System Checkpoint
RP48: 2010-05-09 8:01:05 AM - System Checkpoint
RP49: 2010-05-10 9:01:08 AM - System Checkpoint
RP50: 2010-05-11 10:14:38 AM - System Checkpoint
RP51: 2010-05-12 3:00:28 AM - Software Distribution Service 3.0
RP52: 2010-05-13 9:39:43 AM - System Checkpoint
RP53: 2010-05-14 10:01:07 AM - System Checkpoint
RP54: 2010-05-15 11:00:25 AM - System Checkpoint
RP55: 2010-05-16 11:34:44 AM - System Checkpoint
RP56: 2010-05-17 12:08:38 PM - System Checkpoint
RP57: 2010-05-18 1:01:07 PM - System Checkpoint
RP58: 2010-05-19 2:01:07 PM - System Checkpoint
RP59: 2010-05-20 2:15:07 PM - System Checkpoint
RP60: 2010-05-21 3:01:07 PM - System Checkpoint
RP61: 2010-05-22 4:01:07 PM - System Checkpoint
RP62: 2010-05-23 4:29:02 PM - System Checkpoint
RP63: 2010-05-24 5:04:13 PM - System Checkpoint
RP64: 2010-05-25 5:08:47 PM - System Checkpoint
RP65: 2010-05-25 10:16:51 PM - Software Distribution Service 3.0
RP66: 2010-05-26 4:54:40 PM - Installed Adobe Reader 9.3.
RP67: 2010-05-27 5:15:36 PM - System Checkpoint
RP68: 2010-05-28 5:28:39 PM - System Checkpoint
RP69: 2010-05-29 5:47:15 PM - System Checkpoint
RP70: 2010-05-30 6:28:39 PM - System Checkpoint
RP71: 2010-05-31 7:28:39 PM - System Checkpoint
RP72: 2010-06-01 7:29:09 PM - System Checkpoint
RP73: 2010-06-02 8:28:39 PM - System Checkpoint
RP74: 2010-06-03 9:09:23 PM - System Checkpoint
RP75: 2010-06-04 9:22:54 PM - System Checkpoint
RP76: 2010-06-05 10:21:02 PM - System Checkpoint
RP77: 2010-06-06 10:41:08 PM - System Checkpoint
RP78: 2010-06-07 10:42:14 PM - System Checkpoint
RP79: 2010-06-08 11:42:14 PM - System Checkpoint
RP80: 2010-06-09 3:00:29 AM - Software Distribution Service 3.0
RP81: 2010-06-10 5:05:46 AM - System Checkpoint
RP82: 2010-06-11 5:16:36 AM - System Checkpoint
RP83: 2010-06-12 9:37:45 AM - System Checkpoint
RP84: 2010-06-14 12:02:58 AM - System Checkpoint
RP85: 2010-06-15 11:22:21 PM - System Checkpoint

==== Installed Programs ======================

1400
1400_Help
1400Trb
Acrobat.com
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9.3.2
Adobe Stock Photos 1.0
AIM 6
AiO_Scan
AiOSoftware
AppCore
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Free 8.5
AVS Audio Converter version 5.1
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.2
Backup
BitZipper 2009
Bonjour
Browser Defender 2.0.6.15
BufferChm
ccCommon
Coupon Printer for Windows
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CustomerResearchQFolder
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DING!
DocProc
DocumentViewer
DocumentViewerQFolder
Driver Detective
DVD Audio Extractor 4.5.0
Elf Bowling Collection
Enhanced Multimedia Keyboard Solution
eSupportQFolder
Fax
FrostWire 4.20.5
FullDPAppQFolder
GearDrvs
GIMP 2.6.3
GoldWave v5.23
Google Chrome
Google Gears
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Product Assistant
HP Product Detection
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Update
HPProductAssistant
I was an Atomic Mutant
InstallMgr
InstantShareDevices
iTunes
Java(TM) 6 Update 15
Java(TM) 6 Update 7
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Move Media Player
MSN Toolbar
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NewCopy
Nitro PDF Professional
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
OGA Notifier 2.0.0048.0
Paint.NET v3.36
Panda ActiveScan 2.0
PanoStandAlone
PC SpeedScan Pro
PhotoGallery
PowerDVD
ProductContext
QuickTime
RandMap
RAR Password Recovery 5.0
RAR Password Recovery Magic v6.1.1.232
Readme
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI NIC Driver
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
Scan
ScannerCopy
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Signature Creator 1.12
SkinsHP1
SolutionCenter
Sonic CinePlayer Decoder Pack
Sonic_PrimoSDK
SPBBC 32bit
Spelling Dictionaries Support For Adobe Reader 9
Spyware Doctor 7.0
Status
SUPERAntiSpyware Free Edition
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
TrayApp
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Verizon Help and Support Tool
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vz In Home Agent
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11

==== Event Viewer Messages From Past Week ========

2010-06-13 8:20:12 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
2010-06-13 7:16:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2010-06-13 7:16:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM AvgLdx86 AvgMfx86 eeCtrl Fips pavboot SASDIFSV SASKUTIL SPBBCDrv SRTSPX SYMTDI TfFsMon TfSysMon
2010-06-13 3:37:45 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
2010-06-13 3:37:45 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
2010-06-13 11:50:54 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
2010-06-13 10:14:39 PM, error: PlugPlayManager [11] - The device Root\LEGACY_PRAGMABDIVNNOSES\0000 disappeared from the system without first being prepared for removal.
2010-06-13 1:05:04 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
2010-06-09 5:01:56 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 001731066BD6 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
2010-06-09 3:33:48 AM, error: RemoteAccess [20106] - Unable to add the interface {BA76F912-936B-4CFC-B3FF-F208012F648F} with the Router Manager for the IP protocol. The following error occurred: Cannot complete this function.
2010-06-09 3:33:44 AM, error: Service Control Manager [7023] - The Human Interface Device Access service terminated with the following error: The specified module could not be found.
2010-06-09 2:11:32 AM, error: NetDDE [206] - Listen failed: 15:
2010-06-09 2:11:28 AM, error: NetDDE [206] - Listen failed: 23: The ncb_lana_num member did not specify a valid network number.

==== End Of File ===========================

Misteretc
Intermediate
Posts: 113 | Joined: 2010-03-14 | Gender: Male | OS: Microsoft Windows XP | Points: 26352 | Likes: 0


Re: Trojan and Registry Viruses

Post by Belahzur on Thu Jun 17, 2010 1:24 pm

Hello.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

Please PM me if I fail to respond within 24hrs.

Belahzur
Administrator
Posts: 34916 | Joined: 2008-08-03 | Gender: Male | OS: XP SP3 Media Centre | Points: 245059 | Likes: 1


Re: Trojan and Registry Viruses

Post by Misteretc on Fri Jun 18, 2010 3:07 am

Okay, I did that and here are the results...

23:07:04:359 4308 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
23:07:04:359 4308 ================================================================================
23:07:04:359 4308 SystemInfo:

23:07:04:359 4308 OS Version: 5.1.2600 ServicePack: 3.0
23:07:04:359 4308 Product type: Workstation
23:07:04:359 4308 ComputerName: ANN-A26CF12946F
23:07:04:359 4308 UserName: Ann
23:07:04:359 4308 Windows directory: C:\WINDOWS
23:07:04:359 4308 Processor architecture: Intel x86
23:07:04:359 4308 Number of processors: 1
23:07:04:359 4308 Page size: 0x1000
23:07:04:359 4308 Boot type: Normal boot
23:07:04:359 4308 ================================================================================
23:07:04:359 4308 UnloadDriverW: NtUnloadDriver error 1
23:07:04:359 4308 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
23:07:04:359 4308 LoadDriverW: Driver already loaded
23:07:04:359 4308 KLMD_DropNLoadW: LoadDriverW(klmd21) error 1056
23:07:04:359 4308 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:07:04:359 4308 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:07:04:359 4308 wfopen_ex: Trying to KLMD file open
23:07:04:375 4308 wfopen_ex: File opened ok (Flags 2)
23:07:04:375 4308 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:07:04:375 4308 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:07:04:375 4308 wfopen_ex: Trying to KLMD file open
23:07:04:375 4308 wfopen_ex: File opened ok (Flags 2)
23:07:04:375 4308 Initialize success
23:07:04:375 4308
23:07:04:375 4308 Scanning Services ...
23:07:04:703 4308 GetAdvancedServicesInfo: Raw services enum returned 390 services
23:07:04:703 4308
23:07:04:703 4308 Scanning Kernel memory ...
23:07:04:703 4308 Devices to scan: 10
23:07:04:703 4308
23:07:04:703 4308 Driver Name: Disk
23:07:04:703 4308 IRP_MJ_CREATE : BA10EBB0
23:07:04:703 4308 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
23:07:04:703 4308 IRP_MJ_CLOSE : BA10EBB0
23:07:04:703 4308 IRP_MJ_READ : BA108D1F
23:07:04:703 4308 IRP_MJ_WRITE : BA108D1F
23:07:04:703 4308 IRP_MJ_QUERY_INFORMATION : 804F355A
23:07:04:703 4308 IRP_MJ_SET_INFORMATION : 804F355A
23:07:04:703 4308 IRP_MJ_QUERY_EA : 804F355A
23:07:04:703 4308 IRP_MJ_SET_EA : 804F355A
23:07:04:703 4308 IRP_MJ_FLUSH_BUFFERS : BA1092E2
23:07:04:703 4308 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
23:07:04:703 4308 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
23:07:04:703 4308 IRP_MJ_DIRECTORY_CONTROL : 804F355A
23:07:04:703 4308 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
23:07:04:703 4308 IRP_MJ_DEVICE_CONTROL : BA1093BB
23:07:04:703 4308 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
23:07:04:703 4308 IRP_MJ_SHUTDOWN : BA1092E2
23:07:04:703 4308 IRP_MJ_LOCK_CONTROL : 804F355A
23:07:04:703 4308 IRP_MJ_CLEANUP : 804F355A
23:07:04:703 4308 IRP_MJ_CREATE_MAILSLOT : 804F355A
23:07:04:703 4308 IRP_MJ_QUERY_SECURITY : 804F355A
23:07:04:703 4308 IRP_MJ_SET_SECURITY : 804F355A
23:07:04:703 4308 IRP_MJ_POWER : BA10AC82
23:07:04:703 4308 IRP_MJ_SYSTEM_CONTROL : BA10F99E
23:07:04:703 4308 IRP_MJ_DEVICE_CHANGE : 804F355A
23:07:04:703 4308 IRP_MJ_QUERY_QUOTA : 804F355A
23:07:04:703 4308 IRP_MJ_SET_QUOTA : 804F355A
23:07:04:734 4308 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:07:04:734 4308
23:07:04:734 4308 Driver Name: Disk
23:07:04:734 4308 IRP_MJ_CREATE : BA10EBB0
23:07:04:734 4308 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
23:07:04:734 4308 IRP_MJ_CLOSE : BA10EBB0
23:07:04:734 4308 IRP_MJ_READ : BA108D1F
23:07:04:734 4308 IRP_MJ_WRITE : BA108D1F
23:07:04:734 4308 IRP_MJ_QUERY_INFORMATION : 804F355A
23:07:04:734 4308 IRP_MJ_SET_INFORMATION : 804F355A
23:07:04:734 4308 IRP_MJ_QUERY_EA : 804F355A
23:07:04:734 4308 IRP_MJ_SET_EA : 804F355A
23:07:04:734 4308 IRP_MJ_FLUSH_BUFFERS : BA1092E2
23:07:04:734 4308 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
23:07:04:734 4308 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
23:07:04:734 4308 IRP_MJ_DIRECTORY_CONTROL : 804F355A
23:07:04:734 4308 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
23:07:04:734 4308 IRP_MJ_DEVICE_CONTROL : BA1093BB
23:07:04:734 4308 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
23:07:04:734 4308 IRP_MJ_SHUTDOWN : BA1092E2
23:07:04:734 4308 IRP_MJ_LOCK_CONTROL : 804F355A
23:07:04:734 4308 IRP_MJ_CLEANUP : 804F355A
23:07:04:734 4308 IRP_MJ_CREATE_MAILSLOT : 804F355A
23:07:04:734 4308 IRP_MJ_QUERY_SECURITY : 804F355A
23:07:04:734 4308 IRP_MJ_SET_SECURITY : 804F355A
23:07:04:734 4308 IRP_MJ_POWER : BA10AC82
23:07:04:734 4308 IRP_MJ_SYSTEM_CONTROL : BA10F99E
23:07:04:734 4308 IRP_MJ_DEVICE_CHANGE : 804F355A
23:07:04:734 4308 IRP_MJ_QUERY_QUOTA : 804F355A
23:07:04:734 4308 IRP_MJ_SET_QUOTA : 804F355A
23:07:04:750 4308 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:07:04:750 4308
23:07:04:750 4308 Driver Name: Disk
23:07:04:750 4308 IRP_MJ_CREATE : BA10EBB0
23:07:04:750 4308 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
23:07:04:750 4308 IRP_MJ_CLOSE : BA10EBB0
23:07:04:750 4308 IRP_MJ_READ : BA108D1F
23:07:04:750 4308 IRP_MJ_WRITE : BA108D1F
23:07:04:750 4308 IRP_MJ_QUERY_INFORMATION : 804F355A
23:07:04:750 4308 IRP_MJ_SET_INFORMATION : 804F355A
23:07:04:750 4308 IRP_MJ_QUERY_EA : 804F355A
23:07:04:750 4308 IRP_MJ_SET_EA : 804F355A
23:07:04:750 4308 IRP_MJ_FLUSH_BUFFERS : BA1092E2
23:07:04:750 4308 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
23:07:04:750 4308 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
23:07:04:750 4308 IRP_MJ_DIRECTORY_CONTROL : 804F355A
23:07:04:750 4308 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
23:07:04:750 4308 IRP_MJ_DEVICE_CONTROL : BA1093BB
23:07:04:750 4308 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
23:07:04:750 4308 IRP_MJ_SHUTDOWN : BA1092E2
23:07:04:750 4308 IRP_MJ_LOCK_CONTROL : 804F355A
23:07:04:750 4308 IRP_MJ_CLEANUP : 804F355A
23:07:04:750 4308 IRP_MJ_CREATE_MAILSLOT : 804F355A
23:07:04:750 4308 IRP_MJ_QUERY_SECURITY : 804F355A
23:07:04:750 4308 IRP_MJ_SET_SECURITY : 804F355A
23:07:04:750 4308 IRP_MJ_POWER : BA10AC82
23:07:04:750 4308 IRP_MJ_SYSTEM_CONTROL : BA10F99E
23:07:04:750 4308 IRP_MJ_DEVICE_CHANGE : 804F355A
23:07:04:750 4308 IRP_MJ_QUERY_QUOTA : 804F355A
23:07:04:750 4308 IRP_MJ_SET_QUOTA : 804F355A
23:07:04:750 4308 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:07:04:750 4308
23:07:04:750 4308 Driver Name: Disk
23:07:04:750 4308 IRP_MJ_CREATE : BA10EBB0
23:07:04:750 4308 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
23:07:04:750 4308 IRP_MJ_CLOSE : BA10EBB0
23:07:04:750 4308 IRP_MJ_READ : BA108D1F
23:07:04:750 4308 IRP_MJ_WRITE : BA108D1F
23:07:04:750 4308 IRP_MJ_QUERY_INFORMATION : 804F355A
23:07:04:750 4308 IRP_MJ_SET_INFORMATION : 804F355A
23:07:04:750 4308 IRP_MJ_QUERY_EA : 804F355A
23:07:04:750 4308 IRP_MJ_SET_EA : 804F355A
23:07:04:750 4308 IRP_MJ_FLUSH_BUFFERS : BA1092E2
23:07:04:750 4308 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
23:07:04:750 4308 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
23:07:04:750 4308 IRP_MJ_DIRECTORY_CONTROL : 804F355A
23:07:04:750 4308 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
23:07:04:750 4308 IRP_MJ_DEVICE_CONTROL : BA1093BB
23:07:04:750 4308 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
23:07:04:750 4308 IRP_MJ_SHUTDOWN : BA1092E2
23:07:04:750 4308 IRP_MJ_LOCK_CONTROL : 804F355A
23:07:04:750 4308 IRP_MJ_CLEANUP : 804F355A
23:07:04:750 4308 IRP_MJ_CREATE_MAILSLOT : 804F355A
23:07:04:750 4308 IRP_MJ_QUERY_SECURITY : 804F355A
23:07:04:750 4308 IRP_MJ_SET_SECURITY : 804F355A
23:07:04:750 4308 IRP_MJ_POWER : BA10AC82
23:07:04:750 4308 IRP_MJ_SYSTEM_CONTROL : BA10F99E
23:07:04:750 4308 IRP_MJ_DEVICE_CHANGE : 804F355A
23:07:04:750 4308 IRP_MJ_QUERY_QUOTA : 804F355A
23:07:04:750 4308 IRP_MJ_SET_QUOTA : 804F355A
23:07:04:750 4308 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:07:04:750 4308
23:07:04:750 4308 Driver Name: usbstor
23:07:04:750 4308 IRP_MJ_CREATE : B45CE218
23:07:04:750 4308 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
23:07:04:750 4308 IRP_MJ_CLOSE : B45CE218
23:07:04:750 4308 IRP_MJ_READ : B45CE23C
23:07:04:750 4308 IRP_MJ_WRITE : B45CE23C
23:07:04:750 4308 IRP_MJ_QUERY_INFORMATION : 804F355A
23:07:04:750 4308 IRP_MJ_SET_INFORMATION : 804F355A
23:07:04:750 4308 IRP_MJ_QUERY_EA : 804F355A
23:07:04:750 4308 IRP_MJ_SET_EA : 804F355A
23:07:04:750 4308 IRP_MJ_FLUSH_BUFFERS : 804F355A
23:07:04:750 4308 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
23:07:04:750 4308 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
23:07:04:750 4308 IRP_MJ_DIRECTORY_CONTROL : 804F355A
23:07:04:750 4308 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
23:07:04:750 4308 IRP_MJ_DEVICE_CONTROL : B45CE180
23:07:04:750 4308 IRP_MJ_INTERNAL_DEVICE_CONTROL : B45C99E6
23:07:04:750 4308 IRP_MJ_SHUTDOWN : 804F355A
23:07:04:750 4308 IRP_MJ_LOCK_CONTROL : 804F355A
23:07:04:750 4308 IRP_MJ_CLEANUP : 804F355A
23:07:04:750 4308 IRP_MJ_CREATE_MAILSLOT : 804F355A
23:07:04:750 4308 IRP_MJ_QUERY_SECURITY : 804F355A
23:07:04:750 4308 IRP_MJ_SET_SECURITY : 804F355A
23:07:04:750 4308 IRP_MJ_POWER : B45CD5F0
23:07:04:750 4308 IRP_MJ_SYSTEM_CONTROL : B45CBA6E
23:07:04:750 4308 IRP_MJ_DEVICE_CHANGE : 804F355A
23:07:04:750 4308 IRP_MJ_QUERY_QUOTA : 804F355A
23:07:04:750 4308 IRP_MJ_SET_QUOTA : 804F355A
23:07:04:765 4308 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
23:07:04:765 4308
23:07:04:765 4308 Driver Name: usbstor
23:07:04:765 4308 IRP_MJ_CREATE : B45CE218
23:07:04:765 4308 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
23:07:04:765 4308 IRP_MJ_CLOSE : B45CE218
23:07:04:765 4308 IRP_MJ_READ : B45CE23C
23:07:04:765 4308 IRP_MJ_WRITE : B45CE23C
23:07:04:765 4308 IRP_MJ_QUERY_INFORMATION : 804F355A
23:07:04:765 4308 IRP_MJ_SET_INFORMATION : 804F355A
23:07:04:765 4308 IRP_MJ_QUERY_EA : 804F355A
23:07:04:765 4308 IRP_MJ_SET_EA : 804F355A
23:07:04:765 4308 IRP_MJ_FLUSH_BUFFERS : 804F355A
23:07:04:765 4308 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
23:07:04:765 4308 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
23:07:04:765 4308 IRP_MJ_DIRECTORY_CONTROL : 804F355A
23:07:04:765 4308 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
23:07:04:765 4308 IRP_MJ_DEVICE_CONTROL : B45CE180
23:07:04:765 4308 IRP_MJ_INTERNAL_DEVICE_CONTROL : B45C99E6
23:07:04:765 4308 IRP_MJ_SHUTDOWN : 804F355A
23:07:04:765 4308 IRP_MJ_LOCK_CONTROL : 804F355A
23:07:04:765 4308 IRP_MJ_CLEANUP : 804F355A
23:07:04:765 4308 IRP_MJ_CREATE_MAILSLOT : 804F355A
23:07:04:765 4308 IRP_MJ_QUERY_SECURITY : 804F355A
23:07:04:765 4308 IRP_MJ_SET_SECURITY : 804F355A
23:07:04:765 4308 IRP_MJ_POWER : B45CD5F0
23:07:04:765 4308 IRP_MJ_SYSTEM_CONTROL : B45CBA6E
23:07:04:765 4308 IRP_MJ_DEVICE_CHANGE : 804F355A
23:07:04:765 4308 IRP_MJ_QUERY_QUOTA : 804F355A
23:07:04:765 4308 IRP_MJ_SET_QUOTA : 804F355A
23:07:04:781 4308 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
23:07:04:781 4308
23:07:04:781 4308 Driver Name: usbstor
23:07:04:781 4308 IRP_MJ_CREATE : B45CE218
23:07:04:781 4308 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
23:07:04:781 4308 IRP_MJ_CLOSE : B45CE218
23:07:04:781 4308 IRP_MJ_READ : B45CE23C
23:07:04:781 4308 IRP_MJ_WRITE : B45CE23C
23:07:04:781 4308 IRP_MJ_QUERY_INFORMATION : 804F355A
23:07:04:781 4308 IRP_MJ_SET_INFORMATION : 804F355A
23:07:04:781 4308 IRP_MJ_QUERY_EA : 804F355A
23:07:04:781 4308 IRP_MJ_SET_EA : 804F355A
23:07:04:781 4308 IRP_MJ_FLUSH_BUFFERS : 804F355A
23:07:04:781 4308 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
23:07:04:781 4308 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
23:07:04:781 4308 IRP_MJ_DIRECTORY_CONTROL : 804F355A
23:07:04:781 4308 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
23:07:04:781 4308 IRP_MJ_DEVICE_CONTROL : B45CE180
23:07:04:781 4308 IRP_MJ_INTERNAL_DEVICE_CONTROL : B45C99E6
23:07:04:781 4308 IRP_MJ_SHUTDOWN : 804F355A
23:07:04:781 4308 IRP_MJ_LOCK_CONTROL : 804F355A
23:07:04:781 4308 IRP_MJ_CLEANUP : 804F355A
23:07:04:781 4308 IRP_MJ_CREATE_MAILSLOT : 804F355A
23:07:04:781 4308 IRP_MJ_QUERY_SECURITY : 804F355A
23:07:04:781 4308 IRP_MJ_SET_SECURITY : 804F355A
23:07:04:781 4308 IRP_MJ_POWER : B45CD5F0
23:07:04:781 4308 IRP_MJ_SYSTEM_CONTROL : B45CBA6E
23:07:04:781 4308 IRP_MJ_DEVICE_CHANGE : 804F355A
23:07:04:781 4308 IRP_MJ_QUERY_QUOTA : 804F355A
23:07:04:781 4308 IRP_MJ_SET_QUOTA : 804F355A
23:07:04:781 4308 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
23:07:04:781 4308
23:07:04:781 4308 Driver Name: usbstor
23:07:04:781 4308 IRP_MJ_CREATE : B45CE218
23:07:04:781 4308 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
23:07:04:781 4308 IRP_MJ_CLOSE : B45CE218
23:07:04:781 4308 IRP_MJ_READ : B45CE23C
23:07:04:781 4308 IRP_MJ_WRITE : B45CE23C
23:07:04:781 4308 IRP_MJ_QUERY_INFORMATION : 804F355A
23:07:04:781 4308 IRP_MJ_SET_INFORMATION : 804F355A
23:07:04:781 4308 IRP_MJ_QUERY_EA : 804F355A
23:07:04:781 4308 IRP_MJ_SET_EA : 804F355A
23:07:04:781 4308 IRP_MJ_FLUSH_BUFFERS : 804F355A
23:07:04:781 4308 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
23:07:04:781 4308 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
23:07:04:781 4308 IRP_MJ_DIRECTORY_CONTROL : 804F355A
23:07:04:781 4308 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
23:07:04:781 4308 IRP_MJ_DEVICE_CONTROL : B45CE180
23:07:04:781 4308 IRP_MJ_INTERNAL_DEVICE_CONTROL : B45C99E6
23:07:04:781 4308 IRP_MJ_SHUTDOWN : 804F355A
23:07:04:781 4308 IRP_MJ_LOCK_CONTROL : 804F355A
23:07:04:781 4308 IRP_MJ_CLEANUP : 804F355A
23:07:04:781 4308 IRP_MJ_CREATE_MAILSLOT : 804F355A
23:07:04:781 4308 IRP_MJ_QUERY_SECURITY : 804F355A
23:07:04:781 4308 IRP_MJ_SET_SECURITY : 804F355A
23:07:04:781 4308 IRP_MJ_POWER : B45CD5F0
23:07:04:781 4308 IRP_MJ_SYSTEM_CONTROL : B45CBA6E
23:07:04:781 4308 IRP_MJ_DEVICE_CHANGE : 804F355A
23:07:04:781 4308 IRP_MJ_QUERY_QUOTA : 804F355A
23:07:04:781 4308 IRP_MJ_SET_QUOTA : 804F355A
23:07:04:781 4308 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
23:07:04:781 4308
23:07:04:781 4308 Driver Name: Disk
23:07:04:796 4308 IRP_MJ_CREATE : BA10EBB0
23:07:04:796 4308 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
23:07:04:796 4308 IRP_MJ_CLOSE : BA10EBB0
23:07:04:796 4308 IRP_MJ_READ : BA108D1F
23:07:04:796 4308 IRP_MJ_WRITE : BA108D1F
23:07:04:796 4308 IRP_MJ_QUERY_INFORMATION : 804F355A
23:07:04:796 4308 IRP_MJ_SET_INFORMATION : 804F355A
23:07:04:796 4308 IRP_MJ_QUERY_EA : 804F355A
23:07:04:796 4308 IRP_MJ_SET_EA : 804F355A
23:07:04:796 4308 IRP_MJ_FLUSH_BUFFERS : BA1092E2
23:07:04:796 4308 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
23:07:04:796 4308 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
23:07:04:796 4308 IRP_MJ_DIRECTORY_CONTROL : 804F355A
23:07:04:796 4308 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
23:07:04:796 4308 IRP_MJ_DEVICE_CONTROL : BA1093BB
23:07:04:796 4308 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
23:07:04:796 4308 IRP_MJ_SHUTDOWN : BA1092E2
23:07:04:796 4308 IRP_MJ_LOCK_CONTROL : 804F355A
23:07:04:796 4308 IRP_MJ_CLEANUP : 804F355A
23:07:04:796 4308 IRP_MJ_CREATE_MAILSLOT : 804F355A
23:07:04:796 4308 IRP_MJ_QUERY_SECURITY : 804F355A
23:07:04:796 4308 IRP_MJ_SET_SECURITY : 804F355A
23:07:04:796 4308 IRP_MJ_POWER : BA10AC82
23:07:04:796 4308 IRP_MJ_SYSTEM_CONTROL : BA10F99E
23:07:04:796 4308 IRP_MJ_DEVICE_CHANGE : 804F355A
23:07:04:796 4308 IRP_MJ_QUERY_QUOTA : 804F355A
23:07:04:796 4308 IRP_MJ_SET_QUOTA : 804F355A
23:07:04:796 4308 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:07:04:796 4308
23:07:04:796 4308 Driver Name: atapi
23:07:04:796 4308 IRP_MJ_CREATE : 8A517EC5
23:07:04:796 4308 IRP_MJ_CREATE_NAMED_PIPE : 8A517EC5
23:07:04:796 4308 IRP_MJ_CLOSE : 8A517EC5
23:07:04:796 4308 IRP_MJ_READ : 8A517EC5
23:07:04:796 4308 IRP_MJ_WRITE : 8A517EC5
23:07:04:796 4308 IRP_MJ_QUERY_INFORMATION : 8A517EC5
23:07:04:796 4308 IRP_MJ_SET_INFORMATION : 8A517EC5
23:07:04:796 4308 IRP_MJ_QUERY_EA : 8A517EC5
23:07:04:796 4308 IRP_MJ_SET_EA : 8A517EC5
23:07:04:796 4308 IRP_MJ_FLUSH_BUFFERS : 8A517EC5
23:07:04:796 4308 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A517EC5
23:07:04:796 4308 IRP_MJ_SET_VOLUME_INFORMATION : 8A517EC5
23:07:04:796 4308 IRP_MJ_DIRECTORY_CONTROL : 8A517EC5
23:07:04:796 4308 IRP_MJ_FILE_SYSTEM_CONTROL : 8A517EC5
23:07:04:796 4308 IRP_MJ_DEVICE_CONTROL : 8A517EC5
23:07:04:796 4308 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A517EC5
23:07:04:796 4308 IRP_MJ_SHUTDOWN : 8A517EC5
23:07:04:796 4308 IRP_MJ_LOCK_CONTROL : 8A517EC5
23:07:04:796 4308 IRP_MJ_CLEANUP : 8A517EC5
23:07:04:796 4308 IRP_MJ_CREATE_MAILSLOT : 8A517EC5
23:07:04:796 4308 IRP_MJ_QUERY_SECURITY : 8A517EC5
23:07:04:796 4308 IRP_MJ_SET_SECURITY : 8A517EC5
23:07:04:796 4308 IRP_MJ_POWER : 8A517EC5
23:07:04:796 4308 IRP_MJ_SYSTEM_CONTROL : 8A517EC5
23:07:04:796 4308 IRP_MJ_DEVICE_CHANGE : 8A517EC5
23:07:04:796 4308 IRP_MJ_QUERY_QUOTA : 8A517EC5
23:07:04:796 4308 IRP_MJ_SET_QUOTA : 8A517EC5
23:07:04:796 4308 Driver "atapi" infected by TDSS rootkit!
23:07:04:796 4308 C:\WINDOWS\system32\drivers\tsk185.tmp - Verdict: 3
23:07:04:796 4308
23:07:04:796 4308 Completed
23:07:04:796 4308
23:07:04:796 4308 Results:
23:07:04:796 4308 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
23:07:04:796 4308 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:07:04:796 4308 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:07:04:796 4308
23:07:04:796 4308 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:07:04:796 4308 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:07:04:796 4308 UnloadDriverW: NtUnloadDriver error 1
23:07:04:796 4308 KLMD_Unload: UnloadDriverW(klmd21) error 1
23:07:04:796 4308 KLMD(ARK) unloaded successfully

Misteretc
Intermediate
Posts: 113 | Joined: 2010-03-14 | Gender: Male | OS: Microsoft Windows XP | Points: 26352 | Likes: 0

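The TDSSKiller log above is easiest to read by comparing dispatch tables: disk.sys and USBSTOR.SYS resolve their IRP_MJ_* majors to several different routines plus one address shared by both (804F355A), while every major of atapi resolves to a single address that belongs to no other driver and is attributed to a .tmp file rather than atapi.sys. The script below is an added example (not TDSSKiller's or the forum's own code) that parses a log in this format and flags a block on exactly those three signals; the embedded excerpt is a constructed shortening of the posted log, and reading verdict 1 as clean and 804F355A as the kernel's not-implemented stub are assumptions.

```python
"""Parse a TDSSKiller-style kernel-memory scan log and flag hooked IRP tables.

Added example; not TDSSKiller's own logic. SAMPLE_LOG is a constructed
shortening of the log posted in this thread (same line format, fewer majors).
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt in the log's format: "<time> <pid> <message>".
SAMPLE_LOG = r"""
23:07:04:703 4308 Driver Name: Disk
23:07:04:703 4308 IRP_MJ_CREATE : BA10EBB0
23:07:04:703 4308 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
23:07:04:703 4308 IRP_MJ_READ : BA108D1F
23:07:04:703 4308 IRP_MJ_DEVICE_CONTROL : BA1093BB
23:07:04:734 4308 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:07:04:734 4308
23:07:04:750 4308 Driver Name: usbstor
23:07:04:750 4308 IRP_MJ_CREATE : B45CE218
23:07:04:750 4308 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
23:07:04:750 4308 IRP_MJ_READ : B45CE23C
23:07:04:750 4308 IRP_MJ_DEVICE_CONTROL : B45CE180
23:07:04:765 4308 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
23:07:04:796 4308 Driver Name: atapi
23:07:04:796 4308 IRP_MJ_CREATE : 8A517EC5
23:07:04:796 4308 IRP_MJ_CREATE_NAMED_PIPE : 8A517EC5
23:07:04:796 4308 IRP_MJ_READ : 8A517EC5
23:07:04:796 4308 IRP_MJ_DEVICE_CONTROL : 8A517EC5
23:07:04:796 4308 Driver "atapi" infected by TDSS rootkit!
23:07:04:796 4308 C:\WINDOWS\system32\drivers\tsk185.tmp - Verdict: 3
"""

PREFIX = r"^\S+\s+\d+\s+"  # timestamp and pid at the start of every line
DRIVER_RE = re.compile(PREFIX + r"Driver Name:\s*(\S+)\s*$")
IRP_RE = re.compile(PREFIX + r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})\s*$")
VERDICT_RE = re.compile(PREFIX + r"(\S.*?)\s+-\s+Verdict:\s*(\d+)\s*$")


@dataclass
class DriverScan:
    name: str
    handlers: Dict[str, str] = field(default_factory=dict)  # IRP_MJ_* -> address
    image: str = ""                   # file the handler code was attributed to
    verdict: Optional[int] = None     # tool verdict; 1 is read as clean (assumption)


def parse_log(text: str) -> List[DriverScan]:
    """Group the log into one DriverScan per 'Driver Name:' block."""
    scans: List[DriverScan] = []
    cur: Optional[DriverScan] = None
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            cur = DriverScan(m.group(1))
            scans.append(cur)
            continue
        if cur is None:
            continue
        m = IRP_RE.match(line)
        if m:
            cur.handlers[m.group(1)] = m.group(2).upper()
            continue
        m = VERDICT_RE.match(line)
        if m:
            cur.image, cur.verdict = m.group(1), int(m.group(2))
            cur = None  # the verdict line closes the block
    return scans


def shared_addresses(scans: List[DriverScan]) -> Set[str]:
    """Addresses present in the tables of two or more different drivers.

    A routine shared by unrelated drivers is kernel-provided (the stub for
    majors a driver does not implement; 804F355A in this log, assumed to be
    that stub), so it is not evidence of a hook.
    """
    owners: Dict[str, Set[str]] = {}
    for s in scans:
        for addr in set(s.handlers.values()):
            owners.setdefault(addr, set()).add(s.name)
    return {addr for addr, names in owners.items() if len(names) > 1}


def find_hooked(scans: List[DriverScan]) -> List[Tuple[str, List[str]]]:
    """Return (driver name, reasons) for every block that looks hooked."""
    shared = shared_addresses(scans)
    findings: List[Tuple[str, List[str]]] = []
    for s in scans:
        addrs = set(s.handlers.values())
        if not addrs:
            continue
        reasons: List[str] = []
        # A port driver such as atapi normally has distinct READ/WRITE/
        # DEVICE_CONTROL routines plus the kernel stub for the rest; every
        # major resolving to one private address means the table was
        # overwritten. Some tiny drivers legitimately route everything
        # through one routine, so treat this as a lead, not a verdict.
        if len(addrs) == 1 and addrs.isdisjoint(shared):
            reasons.append("all IRP_MJ_* handlers point to " + next(iter(addrs)))
        # Handler code should live in the driver's own image, not a .tmp file.
        if s.image and s.name.lower() not in ntpath.basename(s.image).lower():
            reasons.append("handlers attributed to %s, not %s" % (s.image, s.name))
        if s.verdict is not None and s.verdict != 1:
            reasons.append("tool verdict %d" % s.verdict)
        if reasons:
            findings.append((s.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_hooked(parse_log(SAMPLE_LOG)):
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against the full log the same way (one block per device object, so disk.sys appears several times), and only the atapi block trips all three signals.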

Re: Trojan and Registry Viruses

Post by Belahzur on Fri Jun 18, 2010 11:51 pm

Hello.

  • Download combofix.

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix.
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get a prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Trojan and Registry Viruses

Post by Misteretc on Sat Jun 19, 2010 3:29 am

Okay, I've done that and here's the log...

ComboFix 10-06-17.03 - Ann 2010-06-18 22:58:59.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2494.1928 [GMT -4:00]
Running from: c:\documents and settings\Ann\Desktop\ComboFix.scr
Command switches used :: /S
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Outdated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win.com
c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\DRIVERS\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-19 02:53 . 2008-04-14 12:00 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2010-06-19 02:53 . 2008-04-14 12:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-06-13 16:47 . 2010-06-13 16:47 -------- d-----w- c:\program files\SmartDoctor
2010-06-09 02:01 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-05-22 13:18 . 2010-05-22 13:18 -------- d-----w- c:\windows\Cache
2010-05-22 13:18 . 2010-05-22 13:18 -------- d-----w- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 03:14 . 2009-01-13 00:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-19 03:13 . 2009-01-17 16:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-19 02:57 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-06-14 21:15 . 2008-12-30 02:23 43416 ----a-w- c:\documents and settings\Ann\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 21:12 . 2009-01-13 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-09 07:13 . 2009-01-13 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 02:16 . 2010-03-14 15:26 763832 ----a-w- c:\windows\BDTSupport.dll
2010-06-08 00:21 . 2010-03-14 15:26 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-06-05 11:46 . 2009-01-20 22:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-26 20:54 . 2009-01-13 03:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-26 02:16 . 2010-04-28 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-09 02:22 . 2010-05-09 02:22 -------- d-----w- c:\program files\ErstenWare
2010-05-07 02:01 . 2010-03-28 11:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 22:26 . 2009-01-17 14:44 -------- d-----w- c:\documents and settings\Ann\Application Data\FrostWire
2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-03-31 02:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-31 02:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-31 23:30 . 2010-02-12 11:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
.
c:\program files\AIM6\aim6 .exe
c:\program files\ATI Technologies\ATI.ACE\cli .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Lavasoft\Ad-Aware\aawtray .exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\defmgr .exe
c:\program files\Nitro PDF\Professional\nitropdfprintermonitor .exe
c:\program files\Norton 360\oscheck .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Spyware Doctor\pctstray .exe
c:\program files\Verizon\mccitrayapp .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-29 2012912]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-30 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-19 864112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2009-03-04 209216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\Ann\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\CCSVCHST.EXE"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-20 6:21 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-20 5:17 PM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-14 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-03-28 6:58 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-03-28 6:58 AM 59664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-18 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-18 108552]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-03-14 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-18 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-18 297752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-03-14 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-04 1352832]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 3:37 PM 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-02-27 1:55 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 8:11 PM 101936]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S0 jeurec;jeurec;c:\windows\system32\drivers\ipxcubq.sys --> c:\windows\system32\drivers\ipxcubq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 9:54 AM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-03-14 70408]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-03-28 6:58 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Nitro PDF Professional]
[N/A]
.
Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:17]

2010-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-18 23:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1076)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3400)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\netdde.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-06-18 23:25:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-19 03:25

Pre-Run: 27,193,786,368 bytes free
Post-Run: 28,182,286,336 bytes free

- - End Of File - - 60E65716B8AE8AA06BCF8AD3A7EFE782

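The log above carries most of the indicators a removal helper reads first: the Security Center override values (AntiVirusOverride, FirewallOverride, DisableMonitoring all set to 1), the XP firewall profile with EnableFirewall = 0, a browser proxy pointed at 127.0.0.1:5555, a boot-start service (jeurec) whose driver ComboFix could not read ("[?]"), a disinfected system driver (i8042prt.sys), and the list of programs parked as "name .exe". The Python triage script below is an added example for this thread, not ComboFix's code and not something either poster wrote. It pulls those indicators out of a log excerpt constructed from the kinds of lines shown above; the Finding layout, the severity labels and the heuristics are this example's own choices.

```python
"""Triage helper for ComboFix-style logs. Added example: not ComboFix's own code
and not written by anyone in the thread. Finding, the severity labels and the
heuristics are this example's choices; SAMPLE_LOG is constructed from the kinds
of lines the thread's logs show."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high" or "medium"
    kind: str      # short tag for the indicator class
    detail: str    # value or line that triggered it


REG_KEY = re.compile(r"^\[(.+)\]$")
REG_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(\d+)')
PROXY = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
# "R0 name;display;path [date size]" or "S0 name;display;path --> path [?]"
SERVICE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]+);(.+?)(?: --> .+?)? \[([^\]]*)\]$")
DISINFECTED = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
SPACED_EXE = re.compile(r"^.+ \.exe$", re.IGNORECASE)
# Values rogue software writes under HKLM\software\microsoft\security center so
# Windows stops warning that antivirus is missing or the firewall is off.
SC_OVERRIDES = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    current_key = ""  # most recent "[HKEY_...]" header, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = REG_DWORD.match(line)
        if m and "security center" in current_key:
            name, value = m.group(1), int(m.group(2), 16)
            if name in SC_OVERRIDES and value == 1:
                findings.append(Finding("high", "security_center_override",
                                        current_key + "\\" + name))
            continue
        m = FIREWALL.match(line)
        if m and "firewallpolicy" in current_key and int(m.group(1)) == 0:
            findings.append(Finding("high", "firewall_disabled", current_key))
            continue
        m = PROXY.match(line)
        if m:
            # A proxy on the loopback address puts a local process in front of
            # every browser request; legitimate only if the user installed it.
            if re.search(r"127\.0\.0\.1|localhost", m.group(1)):
                findings.append(Finding("high", "loopback_proxy", m.group(1)))
            continue
        m = SERVICE.match(line)
        if m:
            start, name, _display, path, info = m.groups()
            # "[?]": ComboFix could not read the binary's date/size, so the
            # file is missing or hidden. Boot-start (R0/S0) rates higher.
            if info == "?":
                sev = "high" if start.endswith("0") else "medium"
                findings.append(Finding(sev, "service_binary_unreadable",
                                        name + ": " + path))
            continue
        m = DISINFECTED.match(line)
        if m:
            findings.append(Finding("high", "patched_system_file", m.group(1)))
            continue
        if SPACED_EXE.match(line):
            # "foo .exe" is the original program parked beside an infected
            # "foo.exe"; ComboFix's RenV:: directive renames it back.
            findings.append(Finding("medium", "renamed_original_exe", line))
    return sorted(findings, key=lambda f: f.severity != "high")


# Constructed excerpt built from the kinds of lines in the thread's first log.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\DRIVERS\i8042prt.sys was found and disinfected
c:\program files\QuickTime\qttask .exe
c:\program files\iTunes\ituneshelper .exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-20 6:21 PM 64288]
S0 jeurec;jeurec;c:\windows\system32\drivers\ipxcubq.sys --> c:\windows\system32\drivers\ipxcubq.sys [?]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:26} {f.detail}")
```

Feed it the text of a saved ComboFix.txt and read the "high" lines first: those are the items that either hide the infection from the user (Security Center overrides, firewall off) or keep it in the traffic path (loopback proxy, unreadable boot-start driver). The heuristics cover only what this thread's log shows, so an empty result is not a clean machine; it just means none of these particular patterns appear.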

Re: Trojan and Registry Viruses

Post by Belahzur on Sat Jun 19, 2010 4:38 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quotebox below into it:
    Code:

    Folder::
    c:\program files\Coupons

    RenV::
    c:\program files\AIM6\aim6 .exe
    c:\program files\ATI Technologies\ATI.ACE\cli .exe
    c:\program files\Common Files\Symantec Shared\ccapp .exe
    c:\program files\CyberLink\PowerDVD\pdvdserv .exe
    c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\Lavasoft\Ad-Aware\aawtray .exe
    c:\program files\Microsoft\Search Enhancement Pack\Default Manager\defmgr .exe
    c:\program files\Nitro PDF\Professional\nitropdfprintermonitor .exe
    c:\program files\Norton 360\oscheck .exe
    c:\program files\QuickTime\qttask .exe
    c:\program files\Spyware Doctor\pctstray .exe
    c:\program files\Verizon\mccitrayapp .exe

    DDS::
    uInternet Settings,ProxyOverride =
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.





Re: Trojan and Registry Viruses

Post by Misteretc on Sat Jun 26, 2010 8:56 pm

Okay, I did that and here are the results...

ComboFix 10-06-26.02 - Ann 2010-06-26 16:45:10.9.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2494.1876 [GMT -4:00]
Running from: c:\documents and settings\Ann\Desktop\ComboFix.scr
Command switches used :: /S
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Outdated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-26 19:23 . 2010-06-26 19:23 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb9E.tmp.exe
2010-06-19 02:53 . 2008-04-14 12:00 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2010-06-19 02:53 . 2008-04-14 12:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-06-13 16:47 . 2010-06-13 16:47 -------- d-----w- c:\program files\SmartDoctor
2010-06-09 02:01 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 20:40 . 2009-01-17 16:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-26 18:50 . 2009-01-13 00:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-19 12:28 . 2010-04-01 08:52 117760 ----a-w- c:\documents and settings\Ann\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-19 02:57 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-06-14 21:15 . 2008-12-30 02:23 43416 ----a-w- c:\documents and settings\Ann\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 21:12 . 2009-01-13 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-09 07:13 . 2009-01-13 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 02:16 . 2010-03-14 15:26 763832 ----a-w- c:\windows\BDTSupport.dll
2010-06-08 00:21 . 2010-03-14 15:26 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-06-05 11:46 . 2009-01-20 22:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-26 20:54 . 2009-01-13 03:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-26 02:16 . 2010-04-28 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-22 13:18 . 2010-05-22 13:18 -------- d-----w- c:\program files\Coupons
2010-05-09 02:22 . 2010-05-09 02:22 -------- d-----w- c:\program files\ErstenWare
2010-05-07 02:01 . 2010-03-28 11:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 22:26 . 2009-01-17 14:44 -------- d-----w- c:\documents and settings\Ann\Application Data\FrostWire
2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-03-31 02:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-31 02:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-12 17:39 . 2010-04-28 22:27 1808752 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2010-04-01 08:52 . 2010-04-01 08:52 52224 ----a-w- c:\documents and settings\Ann\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-31 23:30 . 2010-02-12 11:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-30 10:42 . 2010-03-30 10:42 388096 ----a-r- c:\documents and settings\Ann\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
.
c:\program files\AIM6\aim6 .exe
c:\program files\ATI Technologies\ATI.ACE\cli .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Lavasoft\Ad-Aware\aawtray .exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\defmgr .exe
c:\program files\Nitro PDF\Professional\nitropdfprintermonitor .exe
c:\program files\Norton 360\oscheck .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Spyware Doctor\pctstray .exe
c:\program files\Verizon\mccitrayapp .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-29 2012912]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-19 864112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2009-03-04 209216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\Ann\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\CCSVCHST.EXE"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-20 6:21 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-20 5:17 PM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-14 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-03-28 6:58 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-03-28 6:58 AM 59664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-18 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-18 108552]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-03-14 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-18 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-18 297752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-03-14 112592]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 3:37 PM 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-02-27 1:55 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 8:11 PM 101936]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S0 jeurec;jeurec;c:\windows\system32\drivers\ipxcubq.sys --> c:\windows\system32\drivers\ipxcubq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 9:54 AM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-04 1352832]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-03-14 70408]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-03-28 6:58 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Nitro PDF Professional]
[N/A]
.
Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:17]

2010-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-26 16:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1072)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3820)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-26 16:53:37
ComboFix-quarantined-files.txt 2010-06-26 20:53
ComboFix2.txt 2010-06-19 03:25

Pre-Run: 28,503,969,792 bytes free
Post-Run: 28,498,862,080 bytes free

- - End Of File - - 7F251C874D52A2009ACD3C8FA2BD330F


Re: Trojan and Registry Viruses

Post by Belahzur on Sun Jun 27, 2010 10:57 pm

Hello.
Please delete your copy of Combofix and re-download it, then try the script again; it didn't work right the first time for some reason.




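The quickest way to see that the script was not consumed is the log header: the second log above opens with "Command switches used :: /S" and has no Other Deletions section, the Coupons folder is still listed and the "name .exe" copies and the 127.0.0.1:5555 proxy are still reported, whereas the next log below opens with "Command switches used :: ...\CFscript.txt" and lists c:\program files\Coupons under Other Deletions. The Python check below is an added example, not ComboFix's code and not written by anyone in the thread. It parses the three CFScript directives used here (Folder::, RenV::, DDS::) and tests each target against a run's log: a folder counts as handled when it appears under Other Deletions, a RenV:: path when the "name .exe" copy is no longer listed, a DDS:: line when it no longer appears in the report. The script text and both log excerpts are constructed from the thread's lines; the function names are this example's own.

```python
"""Did ComboFix actually consume the CFScript? Added example: not ComboFix's
code and not from the thread's posters. Parses the Folder::/RenV::/DDS::
directives used in the thread and checks each against a run's log. SCRIPT and
the two log excerpts are constructed from the thread; names are this example's."""
import re

SCRIPT = r"""
Folder::
c:\program files\Coupons

RenV::
c:\program files\QuickTime\qttask .exe
c:\program files\iTunes\ituneshelper .exe

DDS::
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

# Modelled on the thread's second run: launched with /S, script ignored.
LOG_IGNORED = r"""
ComboFix 10-06-26.02 - Ann 2010-06-26 16:45:10.9.1 - x86
Command switches used :: /S
c:\program files\QuickTime\qttask .exe
c:\program files\iTunes\ituneshelper .exe
------- Supplementary Scan -------
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

# Modelled on the third run: launched with the script, Coupons folder removed.
LOG_APPLIED = r"""
ComboFix 10-06-27.03 - Ann 2010-06-27 20:25:36.10.1 - x86
Command switches used :: c:\documents and settings\Ann\Desktop\Combo Fix\CFscript.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Coupons
c:\program files\Coupons\uninstall.exe
.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
------- Supplementary Scan -------
.
"""


def parse_cfscript(text):
    """Map each 'Name::' section to its non-empty target lines."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current:
            sections[current].append(line)
    return sections


def script_was_passed(log_text):
    """True when the header names a script file rather than a switch like /S."""
    m = re.search(r"^Command switches used :: (.+)$", log_text, re.MULTILINE)
    return bool(m) and m.group(1).strip().lower().endswith(".txt")


def other_deletions(log_text):
    """Paths listed under the 'Other Deletions' banner, lower-cased."""
    deleted, inside = set(), False
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("(("):  # every section banner starts this way
            inside = "Other Deletions" in line
        elif inside and line.lower().startswith("c:\\"):
            deleted.add(line.lower())
    return deleted


def verify(script_text, log_text):
    """Per directive target: does the log show it as handled?"""
    sections = parse_cfscript(script_text)
    deleted = other_deletions(log_text)
    present = {l.strip().lower() for l in log_text.splitlines()}
    report = {"script_passed": script_was_passed(log_text),
              "Folder": {}, "RenV": {}, "DDS": {}}
    for folder in sections.get("Folder", []):
        report["Folder"][folder] = folder.lower() in deleted
    for path in sections.get("RenV", []):
        # ComboFix lists a "name .exe" copy while it exists; gone == renamed back
        report["RenV"][path] = path.lower() not in present
    for setting in sections.get("DDS", []):
        # a DDS:: line still in the Supplementary Scan was not corrected
        report["DDS"][setting] = setting.lower() not in present
    return report


if __name__ == "__main__":
    for label, log in (("ignored", LOG_IGNORED), ("applied", LOG_APPLIED)):
        print(label, verify(SCRIPT, log))
```

A run launched without the script looks like any other scan apart from that header line, so check it before reading the rest of the log; the per-directive results then tell you which targets still need a second pass.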

Re: Trojan and Registry Viruses

Post by Misteretc on Mon Jun 28, 2010 12:47 am

Okay, I did that and here is the new log...

ComboFix 10-06-27.03 - Ann 2010-06-27 20:25:36.10.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2494.1598 [GMT -4:00]
Running from: c:\documents and settings\Ann\Desktop\Combo Fix\ComboFix.exe
Command switches used :: c:\documents and settings\Ann\Desktop\Combo Fix\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Outdated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Coupons
c:\program files\Coupons\Coupons.ico
c:\program files\Coupons\CouponsDotCom.url
c:\program files\Coupons\uninstall.exe
c:\program files\Coupons\Uninstall\IRIMG1.JPG
c:\program files\Coupons\Uninstall\IRIMG2.JPG
c:\program files\Coupons\Uninstall\IRIMG3.JPG
c:\program files\Coupons\Uninstall\IRIMG4.JPG
c:\program files\Coupons\Uninstall\IRIMG5.JPG
c:\program files\Coupons\Uninstall\IRIMG6.JPG
c:\program files\Coupons\Uninstall\IRIMG7.JPG
c:\program files\Coupons\Uninstall\IRIMG8.JPG
c:\program files\Coupons\Uninstall\uninstall.dat
c:\program files\Coupons\Uninstall\uninstall.xml

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-19 02:53 . 2008-04-14 12:00 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2010-06-19 02:53 . 2008-04-14 12:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-06-13 16:47 . 2010-06-13 16:47 -------- d-----w- c:\program files\SmartDoctor
2010-06-09 02:01 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 00:37 . 2009-01-13 00:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-28 00:33 . 2009-01-17 16:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-28 00:25 . 2009-09-19 18:41 -------- d-----w- c:\program files\Verizon
2010-06-28 00:25 . 2009-01-17 16:19 -------- d-----w- c:\program files\Spyware Doctor
2010-06-28 00:25 . 2009-06-10 20:37 -------- d-----w- c:\program files\QuickTime
2010-06-28 00:25 . 2009-06-10 20:42 -------- d-----w- c:\program files\iTunes
2010-06-28 00:25 . 2009-02-27 17:54 -------- d-----w- c:\program files\AIM6
2010-06-26 19:23 . 2010-06-26 19:23 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb9E.tmp.exe
2010-06-19 12:28 . 2010-04-01 08:52 117760 ----a-w- c:\documents and settings\Ann\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-19 02:57 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-06-14 21:15 . 2008-12-30 02:23 43416 ----a-w- c:\documents and settings\Ann\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 21:12 . 2009-01-13 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-09 07:13 . 2009-01-13 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 02:16 . 2010-03-14 15:26 763832 ----a-w- c:\windows\BDTSupport.dll
2010-06-08 00:21 . 2010-03-14 15:26 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-06-05 11:46 . 2009-01-20 22:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-26 20:54 . 2009-01-13 03:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-26 02:16 . 2010-04-28 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-09 02:22 . 2010-05-09 02:22 -------- d-----w- c:\program files\ErstenWare
2010-05-07 02:01 . 2010-03-28 11:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 22:26 . 2009-01-17 14:44 -------- d-----w- c:\documents and settings\Ann\Application Data\FrostWire
2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-03-31 02:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-31 02:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-12 17:39 . 2010-04-28 22:27 1808752 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2010-04-01 08:52 . 2010-04-01 08:52 52224 ----a-w- c:\documents and settings\Ann\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-31 23:30 . 2010-02-12 11:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 04:16 . 2010-03-31 04:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 04:10 . 2010-03-31 04:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-03-30 10:42 . 2010-03-30 10:42 388096 ----a-r- c:\documents and settings\Ann\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
.
Code:
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Lavasoft\Ad-Aware\aawtray .exe
c:\program files\Norton 360\oscheck .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-29 2012912]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-19 864112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2009-03-04 209216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\Ann\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\CCSVCHST.EXE"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-20 6:21 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-20 5:17 PM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-14 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-03-28 6:58 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-03-28 6:58 AM 59664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-18 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-18 108552]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-03-14 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-18 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-18 297752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-03-14 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-04 1352832]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 3:37 PM 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-02-27 1:55 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 8:11 PM 101936]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S0 jeurec;jeurec;c:\windows\system32\drivers\ipxcubq.sys --> c:\windows\system32\drivers\ipxcubq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 9:54 AM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-03-14 70408]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-03-28 6:58 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Nitro PDF Professional]
[N/A]
.
Contents of the 'Scheduled Tasks' folder

2010-06-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:17]

2010-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]

2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Coupon Printer for Windows5.0.0.0 - c:\program files\Coupons\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-27 20:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1076)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3544)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\netdde.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2010-06-27 20:45:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-28 00:45
ComboFix2.txt 2010-06-26 20:53
ComboFix3.txt 2010-06-19 03:25

Pre-Run: 28,320,342,016 bytes free
Post-Run: 28,356,046,848 bytes free

- - End Of File - - 70C7A22DA63EBEDE6459183B9B96D7AC


Re: Trojan and Registry Viruses

Post by Belahzur on Mon Jun 28, 2010 8:03 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    RenV::
    c:\program files\Common Files\Symantec Shared\ccapp .exe
    c:\program files\Lavasoft\Ad-Aware\aawtray .exe
    c:\program files\Norton 360\oscheck .exe

    Driver::
    jeurec
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.



Re: Trojan and Registry Viruses

Post by Misteretc on Tue Jun 29, 2010 9:27 am

Okay, I've done that and here are the results...

ComboFix 10-06-27.06 - Ann 2010-06-28 23:37:46.11.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2494.1654 [GMT -4:00]
Running from: c:\documents and settings\Ann\Desktop\Combo Fix\ComboFix.exe
Command switches used :: c:\documents and settings\Ann\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Outdated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_jeurec


((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
.

2010-06-19 02:53 . 2008-04-14 12:00 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2010-06-19 02:53 . 2008-04-14 12:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-06-13 16:47 . 2010-06-13 16:47 -------- d-----w- c:\program files\SmartDoctor
2010-06-09 02:01 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 03:47 . 2009-01-13 00:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-29 03:46 . 2009-01-17 16:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-29 03:45 . 2009-01-13 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-28 00:25 . 2009-09-19 18:41 -------- d-----w- c:\program files\Verizon
2010-06-28 00:25 . 2009-01-17 16:19 -------- d-----w- c:\program files\Spyware Doctor
2010-06-28 00:25 . 2009-06-10 20:37 -------- d-----w- c:\program files\QuickTime
2010-06-28 00:25 . 2009-06-10 20:42 -------- d-----w- c:\program files\iTunes
2010-06-28 00:25 . 2009-02-27 17:54 -------- d-----w- c:\program files\AIM6
2010-06-26 19:23 . 2010-06-26 19:23 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb9E.tmp.exe
2010-06-19 12:28 . 2010-04-01 08:52 117760 ----a-w- c:\documents and settings\Ann\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-19 02:57 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-06-14 21:15 . 2008-12-30 02:23 43416 ----a-w- c:\documents and settings\Ann\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-09 07:13 . 2009-01-13 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 02:16 . 2010-03-14 15:26 763832 ----a-w- c:\windows\BDTSupport.dll
2010-06-08 00:21 . 2010-03-14 15:26 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-06-05 11:46 . 2009-01-20 22:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-26 20:54 . 2009-01-13 03:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-26 02:16 . 2010-04-28 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-09 02:22 . 2010-05-09 02:22 -------- d-----w- c:\program files\ErstenWare
2010-05-07 02:01 . 2010-03-28 11:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 22:26 . 2009-01-17 14:44 -------- d-----w- c:\documents and settings\Ann\Application Data\FrostWire
2010-05-06 10:41 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-03-31 02:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-31 02:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-12 17:39 . 2010-04-28 22:27 1808752 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2010-04-01 08:52 . 2010-04-01 08:52 52224 ----a-w- c:\documents and settings\Ann\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-31 23:30 . 2010-02-12 11:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
.
Code:
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Lavasoft\Ad-Aware\aawtray .exe
c:\program files\Norton 360\oscheck .exe

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-29 03:46 . 2010-06-29 03:46 16384 c:\windows\temp\Perflib_Perfdata_7ac.dat
+ 2010-06-28 00:32 . 2010-06-28 00:32 16384 c:\windows\temp\Perflib_Perfdata_7a4.dat
+ 2010-06-29 03:46 . 2010-06-29 03:46 16384 c:\windows\temp\Perflib_Perfdata_410.dat
+ 2010-03-31 04:16 . 2010-03-31 04:16 99176 c:\windows\system32\PresentationHostProxy.dll
- 2008-04-14 12:00 . 2010-06-09 07:06 71264 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-06-27 07:02 71264 c:\windows\system32\perfc009.dat
+ 2009-11-07 05:07 . 2009-11-07 05:07 49488 c:\windows\system32\netfxperf.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\SharedReg12.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_wminet_utils.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13688 c:\windows\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_system.data.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13696 c:\windows\Microsoft.NET\Framework\sbs_system.configuration.install.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorsec.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorrc.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscordbi.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13672 c:\windows\Microsoft.NET\Framework\sbs_microsoft.jscript.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_diasymreader.dll
+ 2009-11-07 05:07 . 2009-11-07 05:07 86864 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2010-06-27 07:07 . 2010-06-27 07:07 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\ea1b4fbde0e772748c6ac42d627cf684\UIAutomationProvider.ni.dll
+ 2010-06-27 07:08 . 2010-06-27 07:08 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\f46915dfc57bc7e49c5402e9b8f7ec18\System.Windows.Presentation.ni.dll
+ 2010-06-27 07:05 . 2010-06-27 07:05 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\18729514178d458aa1225dd068718d4e\PresentationFontCache.ni.exe
+ 2010-06-27 07:04 . 2010-06-27 07:04 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\0375dfa28e2f6ef7e89df9edede4b83d\PresentationCFFRasterizer.ni.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2010-06-09 07:06 . 2010-06-09 07:06 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2010-03-31 04:10 . 2010-03-31 04:10 295264 c:\windows\system32\PresentationHost.exe
+ 2008-04-14 12:00 . 2010-06-27 07:02 441454 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2010-06-09 07:06 441454 c:\windows\system32\perfh009.dat
+ 2009-11-07 05:07 . 2009-11-07 05:07 297808 c:\windows\system32\mscoree.dll
+ 2010-03-31 04:16 . 2010-03-31 04:16 130408 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationHostDLL.dll
+ 2010-06-27 07:07 . 2010-06-27 07:07 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\b3a9fac9aea3ad913781fafbdcbb0cae\WindowsFormsIntegration.ni.dll
+ 2010-06-27 07:06 . 2010-06-27 07:06 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\4131a3627fec69291dbaed236f30dc65\UIAutomationClient.ni.dll
+ 2010-06-27 07:06 . 2010-06-27 07:06 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\a10c2c7e38291c3ada631ad13e762818\PresentationFramework.Aero.ni.dll
+ 2010-06-27 07:06 . 2010-06-27 07:06 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7579c76fa81eb309d3170b62467be58d\PresentationFramework.Luna.ni.dll
+ 2010-06-27 07:06 . 2010-06-27 07:06 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\3bef0992fb684e71dbfab5c0a99316af\PresentationFramework.Classic.ni.dll
+ 2010-06-27 07:06 . 2010-06-27 07:06 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\2f6687d394813d760496f60acf046384\PresentationFramework.Royale.ni.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 749568 c:\windows\assembly\GAC_MSIL\Microsoft.Jscript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Jscript.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 749568 c:\windows\assembly\GAC_MSIL\Microsoft.Jscript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Jscript.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-11-07 05:06 . 2009-11-07 05:06 1130824 c:\windows\system32\dfshim.dll
+ 2009-11-09 04:25 . 2009-11-09 04:25 1935360 c:\windows\Installer\29ded7e.msp
+ 2010-06-27 07:04 . 2010-06-27 07:04 3325440 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\d63164ac4ed5adabc6a1b0fdf07eee05\WindowsBase.ni.dll
+ 2010-06-27 07:07 . 2010-06-27 07:07 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\d8549ce90b26cdc3071224ab6f020189\UIAutomationClientsideProviders.ni.dll
+ 2010-06-27 07:06 . 2010-06-27 07:06 1035264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\af217ef58e5558991f331d482c2bdba6\System.Printing.ni.dll
+ 2010-06-27 07:06 . 2010-06-27 07:06 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\57abb757c1f38586390dcc63bf056322\ReachFramework.ni.dll
+ 2010-06-27 07:06 . 2010-06-27 07:06 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\0095ba60255d4addaf5b8ebee697a027\PresentationUI.ni.dll
+ 2010-06-27 07:03 . 2010-06-27 07:03 1249280 c:\windows\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\WindowsBase.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-06-27 07:03 . 2010-06-27 07:03 5279744 c:\windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-08-07 07:08 . 2009-08-07 07:08 4210688 c:\windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
+ 2010-06-27 07:03 . 2010-06-27 07:03 4210688 c:\windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
+ 2010-06-27 07:02 . 2010-06-27 07:02 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2010-06-09 07:06 . 2010-06-09 07:06 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2010-03-31 05:23 . 2010-03-31 05:23 15638528 c:\windows\Installer\29ded8a.msp
+ 2010-06-27 07:06 . 2010-06-27 07:06 14328320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\560662ada034afb6ec78a152bd9a47b5\PresentationFramework.ni.dll
+ 2010-06-27 07:05 . 2010-06-27 07:05 12215808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\9f5dff344ac6ac923b5ade8ba1ab9382\PresentationCore.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-29 2012912]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-19 864112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2009-03-04 209216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\Ann\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\CCSVCHST.EXE"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-20 6:21 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-20 5:17 PM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-14 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-03-28 6:58 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-03-28 6:58 AM 59664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-18 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-18 108552]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-03-14 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-18 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-18 297752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-03-14 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-04 1352832]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 3:37 PM 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-02-27 1:55 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 8:11 PM 101936]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 9:54 AM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-03-14 70408]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-03-28 6:58 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Nitro PDF Professional]
[N/A]
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:17]

2010-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2010-06-29 05:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1076)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3844)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\netdde.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2010-06-29 05:09:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-29 09:09
ComboFix2.txt 2010-06-28 00:45
ComboFix3.txt 2010-06-26 20:53
ComboFix4.txt 2010-06-19 03:25

Pre-Run: 28,515,688,448 bytes free
Post-Run: 28,496,277,504 bytes free

- - End Of File - - 8744152A13EF3B6B0EE424ECB8CE91CD

Misteretc
Intermediate

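As an added example (not part of the thread, nor ComboFix's own code), the Python below parses the REGEDIT4-style "Reg Loading Points" block of a ComboFix log and flags the Security Center override, DisableMonitoring and firewall-policy entries that appear in the log above, i.e. settings that switch off or silence Windows' own protection. The sample excerpt is constructed from those lines and the rule table is my own; keys are matched by suffix so that per-vendor Monitoring subkeys, which are normal when a third-party antivirus registers, are not reported.

```python
import re

# Constructed sample: Security Center and Windows Firewall entries copied from
# the "Reg Loading Points" block of the ComboFix log above, plus one vendor
# Monitoring subkey (normal when a third-party AV registers) for contrast.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

# (key suffix, value name, weakening value, what it means for the defender)
WEAKENING_RULES = [
    ("security center", "AntiVirusOverride", 1,
     "Security Center stops warning about missing/outdated antivirus"),
    ("security center", "FirewallOverride", 1,
     "Security Center stops warning about a disabled firewall"),
    ("security center\\monitoring", "DisableMonitoring", 1,
     "Security Center monitoring switched off globally"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0,
     "Windows Firewall disabled for the standard profile"),
    ("firewallpolicy\\standardprofile", "DisableNotifications", 1,
     "Windows Firewall block notifications suppressed"),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_value(raw):
    """dword:xxxxxxxx and '0 (0x0)' become ints; quoted strings lose quotes."""
    raw = raw.strip()
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\b", raw)
    if m:
        return int(m.group(1))
    m = re.match(r'"([^"]*)"', raw)
    return m.group(1) if m else raw


def iter_registry_values(log_text):
    """Yield (key, name, value) for each "name"=value line under a [key]."""
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
        elif current_key is not None:
            vm = VALUE_RE.match(line)
            if vm:
                yield current_key, vm.group(1), parse_value(vm.group(2))


def find_weakened_security_settings(log_text):
    """Return values matching a rule. Keys match by suffix, so per-vendor
    subkeys such as Monitoring\\SymantecAntiVirus are not reported."""
    findings = []
    for key, name, value in iter_registry_values(log_text):
        key_norm = key.lower()
        for suffix, rule_name, bad_value, issue in WEAKENING_RULES:
            if (key_norm.endswith(suffix) and name == rule_name
                    and value == bad_value):
                findings.append(
                    {"key": key, "name": name, "value": value, "issue": issue})
    return findings
```

Calling find_weakened_security_settings(SAMPLE_LOG) returns the five weakened entries from the log, each with the key it sits under and a one-line explanation.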

Re: Trojan and Registry Viruses

Post by Belahzur on Tue Jun 29, 2010 5:43 pm

Hello.
The malware has damaged some files.

You are running two antivirus programs. I see from the uninstall list you have Norton installed, along with AVG. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove Norton to avoid conflict and other future problems.

Completely Uninstall Norton software using:

Instructions

  1. Please download and save SymNRT.exe to your desktop.
  2. Close all programs and double click on the tool.
  3. Follow the on-screen instructions.
  4. Restart the computer if asked.
  5. Then delete the SymNRT.exe tool from your desktop.
  6. Open the Program Files folder on your local disk (normally C:)
  7. Find and delete the following folders (if present):

    • Norton AntiVirus
    • Norton Internet Security
    • Norton SystemWorks
    • Norton Personal Firewall


Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Ad-Aware
    FrostWire 4.20.5
    Java(TM) 6 Update 15
    Java(TM) 6 Update 7
    LiveUpdate (Symantec Corporation)



Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

