the txt

Post by hamadakaki on 19th June 2010, 9:31 am

ComboFix 10-06-18.03 - Administrator 06/19/2010 12:17:00.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.988.595 [GMT 3:00]
Running from: c:\documents and settings\Administrator\desktop\commy.exe
Command switches used :: /stepdel
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Icons
c:\windows\system32\Icons\00.ICO
c:\windows\system32\Icons\08.ICO
c:\windows\system32\Icons\16.ICO
c:\windows\system32\Icons\25.ICO
c:\windows\system32\Icons\33.ICO
c:\windows\system32\Icons\41.ICO
c:\windows\system32\Icons\50.ICO
c:\windows\system32\Icons\58.ICO
c:\windows\system32\Icons\67.ICO
c:\windows\system32\Icons\75.ICO
c:\windows\system32\Icons\83.ICO
c:\windows\system32\Icons\92.ICO
c:\windows\system32\Icons\99.ICO
c:\windows\system32\Icons\R00.ICO
c:\windows\system32\Icons\R08.ICO
c:\windows\system32\Icons\R16.ICO
c:\windows\system32\Icons\R25.ICO
c:\windows\system32\Icons\R33.ICO
c:\windows\system32\Icons\R41.ICO
c:\windows\system32\Icons\R50.ICO
c:\windows\system32\Icons\R58.ICO
c:\windows\system32\Icons\R67.ICO
c:\windows\system32\Icons\R75.ICO
c:\windows\system32\Icons\R83.ICO
c:\windows\system32\Icons\R92.ICO
c:\windows\system32\Icons\R99.ICO
c:\windows\system32\Icons\S08.ICO
c:\windows\system32\Icons\S16.ICO
c:\windows\system32\Icons\S25.ICO
c:\windows\system32\Icons\S33.ICO
c:\windows\system32\Icons\S41.ICO
c:\windows\system32\Icons\S50.ICO
c:\windows\system32\Icons\S58.ICO
c:\windows\system32\Icons\S67.ICO
c:\windows\system32\Icons\S75.ICO
c:\windows\system32\Icons\S83.ICO
c:\windows\system32\Icons\S92.ICO
c:\windows\system32\Icons\S99.ICO
c:\windows\system32\systeminfo.dll

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-19 06:05 . 2010-06-19 06:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-19 06:05 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-19 06:05 . 2010-06-19 06:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-19 06:05 . 2010-06-19 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-19 06:05 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-18 00:00 . 2010-06-19 08:44 -------- d-----w- c:\windows\system32\NtmsData
2010-06-17 23:58 . 2010-06-17 23:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2010-06-17 23:51 . 2010-06-17 23:47 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-17 23:51 . 2010-06-17 23:47 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-17 23:51 . 2010-06-17 23:47 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-17 23:51 . 2010-06-17 23:47 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-17 23:51 . 2010-06-17 23:51 -------- d-----w- c:\program files\Avira
2010-06-16 18:37 . 2010-06-16 18:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-06-13 17:14 . 2010-06-13 17:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2010-06-12 11:43 . 2010-06-12 11:43 -------- d-----w- C:\swipe
2010-06-12 06:58 . 2010-06-17 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-06-11 17:31 . 2009-12-11 15:05 3613560 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\ujb8B.exe
2010-06-11 07:25 . 2006-06-19 09:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-11 07:25 . 2006-05-25 11:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-11 07:25 . 2005-08-25 21:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-11 07:25 . 2003-02-02 16:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-06-11 07:25 . 2002-03-05 21:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-11 07:25 . 2010-06-11 07:25 -------- d-----w- c:\program files\Trojan Remover
2010-06-11 07:25 . 2010-06-11 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-06-11 07:25 . 2010-06-11 07:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2010-06-11 06:25 . 2010-06-11 06:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Registry Mechanic
2010-06-11 05:56 . 2010-06-11 05:56 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-11 05:56 . 2010-06-18 00:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-08 22:28 . 2010-06-08 22:28 -------- d-----w- c:\program files\PowerQuest
2010-06-08 20:50 . 2010-06-08 20:50 -------- d-----w- c:\program files\Quantum Digital Security
2010-06-05 08:25 . 2010-06-05 08:25 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-05 08:24 . 2010-06-05 08:03 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-05 08:24 . 2010-06-05 08:02 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-06-05 08:24 . 2010-06-05 08:24 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-05 08:24 . 2010-06-05 08:24 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-05 08:02 . 2010-06-05 08:24 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-04 09:50 . 2010-06-04 09:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WMTools Downloaded Files
2010-05-29 20:45 . 2010-05-29 20:45 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb5d1ed-n\msvcp71.dll
2010-05-29 20:45 . 2010-05-29 20:45 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb5d1ed-n\jmc.dll
2010-05-29 20:45 . 2010-05-29 20:45 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eb5d1ed-n\msvcr71.dll
2010-05-29 20:45 . 2010-05-29 20:45 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-46e7c805-n\decora-sse.dll
2010-05-29 20:45 . 2010-05-29 20:45 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-46e7c805-n\decora-d3d.dll
2010-05-22 17:55 . 2010-05-22 17:55 -------- d-----w- c:\windows\system32\%PersonalRootCertificateFolder%
2010-05-22 10:14 . 2010-05-22 10:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Wildfire
2010-05-20 15:23 . 2010-06-11 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-05-20 15:23 . 2010-06-11 05:53 -------- d-----w- c:\program files\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 07:27 . 2010-03-21 15:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\DMCache
2010-06-13 16:54 . 2010-03-21 15:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\IDM
2010-06-12 06:48 . 2010-05-11 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-06-11 06:05 . 2010-03-14 22:36 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-08 22:30 . 2010-03-19 17:09 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-06 16:01 . 2010-03-15 13:02 63 ----a-w- c:\windows\AlfaStart.CMD
2010-06-05 08:26 . 2010-06-05 08:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-06-05 08:24 . 2010-05-03 22:12 -------- d-----w- c:\program files\DivX
2010-06-05 08:19 . 2010-03-15 11:06 -------- d-----w- c:\program files\Google
2010-06-02 21:29 . 2010-03-15 11:31 439816 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\setup.exe
2010-05-23 19:51 . 2010-05-03 22:42 -------- d-----w- c:\program files\SocksCapV2
2010-05-23 16:45 . 2010-03-15 11:10 -------- d-----w- c:\program files\Winamp Toolbar
2010-05-23 16:45 . 2010-05-03 19:24 -------- d-----w- c:\program files\Ufasoft
2010-05-23 16:40 . 2010-04-30 01:47 -------- d-----w- c:\program files\Ask.com
2010-05-22 14:54 . 2010-03-16 14:51 44 ----a-w- c:\windows\popcinfo.dat
2010-05-22 07:12 . 2010-03-20 16:51 17264 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-19 13:13 . 2010-05-19 13:13 -------- d-----w- c:\program files\Conduit
2010-05-15 19:56 . 2010-05-07 23:33 -------- d-----w- c:\program files\JetAudio
2010-05-15 19:56 . 2010-05-15 19:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2010-05-15 10:25 . 2010-05-15 10:25 -------- d-----w- c:\program files\GRETECH
2010-05-14 20:10 . 2010-03-21 14:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-08 16:25 . 2010-05-08 16:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2010-05-08 16:25 . 2010-05-08 16:20 -------- d-----w- c:\program files\Common Files\LightScribe
2010-05-08 16:19 . 2010-05-08 16:15 -------- d-----w- c:\program files\Common Files\Ahead
2010-05-08 16:15 . 2010-05-08 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-05-08 16:15 . 2010-05-08 16:15 -------- d-----w- c:\program files\Nero
2010-05-07 23:35 . 2010-05-07 23:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\COWON
2010-05-07 23:33 . 2010-05-07 23:33 -------- d-----w- c:\program files\Common Files\COWON
2010-05-07 23:33 . 2010-03-19 17:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-07 23:32 . 2010-05-07 23:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2010-05-06 05:09 . 2010-03-19 17:26 -------- d-----w- c:\program files\Camfrog
2010-05-03 22:30 . 2010-04-01 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-05-03 22:15 . 2010-05-03 22:15 -------- d-----w- c:\program files\AC3Filter
2010-05-03 22:14 . 2010-05-03 22:14 -------- d-----w- c:\program files\XviD
2010-05-03 19:24 . 2010-05-03 19:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ufasoft
2010-05-01 00:06 . 2010-03-15 11:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-04-30 15:13 . 2010-04-30 15:13 -------- d-----w- c:\program files\Common Files\NSV
2010-04-30 13:11 . 2010-04-22 15:55 -------- d-----w- c:\program files\Common Files\Java
2010-04-30 13:11 . 2010-04-30 13:11 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-30 13:11 . 2010-04-22 15:55 -------- d-----w- c:\program files\Java
2010-04-27 18:40 . 2010-06-05 08:23 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-04-27 18:40 . 2010-06-05 08:23 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-04-27 18:40 . 2010-03-15 11:07 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-04-27 18:40 . 2010-03-15 11:07 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-04-27 18:40 . 2010-03-15 11:07 45648 ----a-w- c:\windows\system32\drivers\PxHelp20.sys
2010-04-27 18:40 . 2010-03-15 11:07 133616 ------w- c:\windows\system32\pxafs.dll
2010-04-27 01:16 . 2010-04-27 01:16 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-31277b46-n\msvcp71.dll
2010-04-27 01:16 . 2010-04-27 01:16 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-31277b46-n\jmc.dll
2010-04-27 01:16 . 2010-04-27 01:16 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-31277b46-n\msvcr71.dll
2010-04-27 01:14 . 2010-04-27 01:14 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-191fe5b6-n\decora-sse.dll
2010-04-27 01:14 . 2010-04-27 01:14 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-191fe5b6-n\decora-d3d.dll
2010-04-23 04:50 . 2010-04-23 04:27 -------- d-----w- c:\program files\xchat
2010-04-23 04:50 . 2010-04-23 04:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\X-Chat 2
2010-04-21 00:53 . 2010-04-21 00:53 198064 ----a-w- c:\documents and settings\Administrator\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2010-04-21 00:49 . 2010-03-21 15:50 -------- d-----w- c:\program files\Internet Download Manager
2010-04-05 16:26 . 2010-04-05 16:25 3154336 ----a-w- c:\documents and settings\Administrator\Application Data\IDM\idmupdt.exe
2010-03-27 20:28 . 2010-03-27 20:28 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-22 13:06 . 2010-05-19 13:13 52224 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0wsv1gtf.default\extensions\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}\components\FFExternalAlert.dll
2010-03-22 13:06 . 2010-05-19 13:13 101376 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0wsv1gtf.default\extensions\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}\components\RadioWMPCore.dll
.

------- Sigcheck -------

[-] 2008-03-06 . 53460DC9EE0270B14283A40B5ED475AC . 2162688 . . [5.1.2600.3239] . . c:\windows\system32\ntoskrnl.exe

[-] 2008-03-06 . 98FFC95BD7FD03163B08D185CD24134C . 1438208 . . [6.00.2900.3156] . . c:\windows\explorer.exe

[-] 2008-03-05 . F3E0CD075EAF949596905E4240870CB9 . 2040832 . . [5.1.2600.3239] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-04-26 3179952]
"TaskSwitch"="c:\windows\system32\TaskSwitchXP.exe" [2006-08-04 62976]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-25 136192]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-25 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-25 166912]
"DrvIcon"="c:\windows\system32\DrvIcon.exe" [2007-07-04 45056]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-06-17 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 185896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-03-21 124928]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [18/06/2010 02:51 337064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [18/06/2010 02:51 135336]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [18/06/2010 02:51 405672]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [26/03/2010 07:52 219360]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [11/06/2010 08:56 632792]
R2 xqyoovxg;Remote Access NDIS TAPI Helper;c:\windows\System32\svchost.exe -k netsvcs [04/08/2004 12:56 14336]
S2 gupdate; Google (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2010 09:20 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [26/03/2010 08:09 1684736]
S3 PAC207;SoC PC-Camera;c:\windows\system32\drivers\PFC027.SYS [19/03/2010 08:09 616064]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xqyoovxg
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\At1.job
- c:\windows\system32\iamdzjg.dll [2001-08-23 13:00]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 06:20]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 06:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: &Download All using 4shared Desktop - c:\documents and settings\Administrator\My Documents\4shared Desktop\down_all.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0wsv1gtf.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Administrator\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0wsv1gtf.default\extensions\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0wsv1gtf.default\extensions\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{07AD6C76-FD13-4191-9F5E-F9F66EF835E6} - c:\windows\system32\iamdzjg.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellIconOverlayIdentifiers-{07AD6C76-FD13-4191-9F5E-F9F66EF835E6} - c:\windows\system32\iamdzjg.dll
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-19 12:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):a4,b9,27,50,fc,8e,53,c8,8c,e1,da,da,61,29,8e,63,ae,1b,61,56,cd,
bf,b7,3b,c2,08,d2,dc,a0,fe,d2,bc,40,57,94,a3,51,f5,c7,ad,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):79,d3,3d,ae,96,c0,bc,9e,99,b0,3f,35,36,8d,8a,a2,13,13,8e,55,76,
f1,96,77,c8,10,ff,40,b6,df,e7,d1,7c,e2,6e,a7,af,41,5f,49,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8d3f9cd9-f340-4d0f-9f27-a0107c953b5e}]
@Denied: (Full) (Everyone)
"Model"=dword:0000006a
"Therad"=dword:0000001c

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{c83ad216-74fb-4645-9a0d-ccc49dacf7e0}]
@Denied: (Full) (Everyone)
"Model"=dword:00000094
"Therad"=dword:0000000f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\SETUPAPI.dll

- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\setupapi.dll
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Completion time: 2010-06-19 12:25:32
ComboFix-quarantined-files.txt 2010-06-19 09:25

Pre-Run: 17,799,593,984 bytes free
Post-Run: 22,742,769,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional ::Light::" /noexecute=optin /fastdetect

- - End Of File - - D801DC9FE4BAB4667AEDCD41B8B9F117

hamadakaki
Beginner
Posts : 1
Joined : 2010-06-19
OS : xp
Points : 23633
# Likes : 0

Re: the txt

Post by Belahzur on 19th June 2010, 4:45 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    Driver::
    xqyoovxg

    NetSvc::
    xqyoovxg

    DDS::
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2233703

    Firefox::
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0wsv1gtf.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2233703&SearchSource=3&q={searchTerms}

    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8d3f9cd9-f340-4d0f-9f27-a0107c953b5e}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{c83ad216-74fb-4645-9a0d-ccc49dacf7e0}]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
# Likes : 1
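The reply above removes the svchost-hosted service xqyoovxg and its NetSvcs entry from the log posted in the first message. As an added example, not part of this thread and not ComboFix's own code, the Python below parses service lines and the "Svchost - NetSvcs" list in the format ComboFix prints them and flags the entries a helper would look at first: a service whose image is svchost.exe and which ComboFix lists under NetSvcs (the log itself notes that legit default entries are not shown), or a service whose short name looks machine-generated. The sample input is an excerpt of the log above; the random-name heuristic and its thresholds are my own assumption, not anything ComboFix does.

```python
"""Triage helper for the service section of a ComboFix log.

Added example, not part of the forum thread or of ComboFix.  It parses the
'R2 name;display;image [date size]' service lines and the 'Svchost - NetSvcs'
list as ComboFix prints them, then flags entries worth a closer look.
"""
import re
from dataclasses import dataclass

# Excerpt copied from the log above (service lines and the NetSvcs block).
SAMPLE_LOG = r"""
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [18/06/2010 02:51 337064]
R2 xqyoovxg;Remote Access NDIS TAPI Helper;c:\windows\System32\svchost.exe -k netsvcs [04/08/2004 12:56 14336]
S2 gupdate; Google (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2010 09:20 135664]
S3 PAC207;SoC PC-Camera;c:\windows\system32\drivers\PFC027.SYS [19/03/2010 08:09 616064]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xqyoovxg
.
"""

# One service line: state letter, start type, short name, display name,
# image path (may carry svchost arguments), then "[dd/mm/yyyy hh:mm size]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+) \[(?P<date>\d\d/\d\d/\d{4} \d\d:\d\d) (?P<size>\d+)\]$"
)


@dataclass
class Service:
    name: str
    display: str
    image: str
    size: int
    state: str
    start: int


def parse_services(log_text):
    """Return every service entry found in the log, in order of appearance."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append(Service(
                name=m["name"].strip(), display=m["display"].strip(),
                image=m["image"].strip(), size=int(m["size"]),
                state=m["state"], start=int(m["start"])))
    return services


def parse_netsvcs(log_text):
    """Return the names ComboFix prints under the 'Svchost - NetSvcs' header.

    ComboFix omits the default members, so anything listed here is already
    a non-default addition to the netsvcs group.
    """
    names, collecting = [], False
    for line in log_text.splitlines():
        s = line.strip()
        if s.endswith("Svchost - NetSvcs"):
            collecting = True
            continue
        if collecting:
            if not s or s == ".":   # ComboFix closes a section with "."
                break
            names.append(s)
    return names


def looks_random(name):
    """Heuristic (an assumption of this example): flag alphabetic names of
    six or more letters with few vowels, a 'q' not followed by 'u', or a
    run of four or more consonants.  Real services can trip it; it is a
    prompt to look, not a verdict."""
    n = name.lower()
    if not n.isalpha() or len(n) < 6:
        return False
    vowel_ratio = sum(c in "aeiou" for c in n) / len(n)
    q_without_u = re.search(r"q(?!u)", n) is not None
    consonant_run = re.search(r"[^aeiou]{4,}", n) is not None
    return vowel_ratio < 0.3 or q_without_u or consonant_run


def triage(log_text):
    """Return [(service name, [reasons])] for services that deserve review."""
    netsvcs = set(parse_netsvcs(log_text))
    findings = []
    for svc in parse_services(log_text):
        reasons = []
        if "svchost.exe" in svc.image.lower() and svc.name in netsvcs:
            reasons.append("svchost-hosted and listed under NetSvcs "
                           "(ComboFix hides the default members)")
        if looks_random(svc.name):
            reasons.append("service name looks machine-generated")
        if reasons:
            findings.append((svc.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against the excerpt, only xqyoovxg is reported, for both reasons; the Avira, Google and camera services pass. A service that matches only the name heuristic should be checked against a clean reference system of the same Windows build before anything is removed, because the heuristic is deliberately loose.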
