virusresponse lab 2009 +zlob

Post by ladidah on 7th December 2008, 12:50 am

I had virusresponse lab 2009 and I had to look up how to remove online through 'safe mode with networking' because it would not allow me to access the internet. I used smitfraudfix to remove it and it seemed to work, but it did not remove all of the components and it came back a few hours later. I then used malwarebytes antimalware; this seemed to remove everything, but I still could not access the internet without being in safe mode, so I ran a malwarebytes scan one more time and noticed that the virus response lab 2009 infections were gone but there were still 9 infections and all of them had the name "zlob" in them. I pushed the button to delete them, rebooted my computer, and ran the scan again because I STILL could not connect to the internet and the zlobs were still there. Please help, and thank you in advance!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:50 PM, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Backward Links - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Similar Pages - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9519 bytes

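As an added example (not part of the original thread, and not a HijackThis feature), the script below does the first-pass triage a helper does by eye on a HijackThis 2.x log like the one above: it flags O2/O3 browser extensions whose DLL is gone but whose CLSID is still registered, O4 autoruns given as a bare file name rather than a full path, and O23 services with an unknown owner. The line formats are the ones visible in the post; the three rules are this example's own heuristics, and the sample log is a constructed excerpt of the entries above.

```python
"""Triage a HijackThis 2.x log: flag the entries a helper looks at first.

Added example, not part of the original thread. Assumed line formats
(taken from the log posted above):
  O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
  O3 - Toolbar: <name> - {CLSID} - <path or (no file)>
  O4 - <hive>\\..\\Run: [<value name>] <command>
  O23 - Service: <display> (<name>) - <owner> - <path>
"""
import re

# Markers HijackThis prints when a registered DLL is not on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# An autorun command given as a bare "name.exe [args]" resolves through the
# search path at logon; an absolute path is easier to verify, so bare names
# get flagged for a manual look (heuristic of this example).
_BARE_NAME = re.compile(r'^"?[A-Za-z0-9_.]+\.(?:exe|EXE)"?(?:\s.*)?$')


def parse_entry(line):
    """Return (code, body) for an 'O4 - ...' / 'R1 - ...' line, else None."""
    m = re.match(r"^([RFO]\d+)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return a list of (reason, line) findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if not parsed:
            continue
        code, body = parsed
        line = raw.strip()
        if code in ("O2", "O3") and any(mk in body for mk in ORPHAN_MARKERS):
            # Orphaned registration: the CLSID still loads but the DLL is
            # gone. Harmless on its own, but it is a leftover to clean up.
            findings.append(("orphaned browser extension", line))
        elif code == "O4":
            # Body looks like: HKLM\..\Run: [Name] <command>
            cmd = body.split("]", 1)[1].strip() if "]" in body else body
            if _BARE_NAME.match(cmd):
                findings.append(("autorun with bare file name (verify path)", line))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append(("service with unknown owner (verify signer)", line))
    return findings


# Constructed excerpt of the log posted above (not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

Run on the excerpt it reports the two dead toolbar registrations, the two bare-name autoruns and the unsigned-owner service, and stays silent on the fully pathed, vendor-attributed entries; nothing it flags is malicious by itself, which is the point of a triage list rather than an auto-fix.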

Re: virusresponse lab 2009 +zlob

Post by Belahzur on 7th December 2008, 1:01 am

Hello.

  • Download ComboFix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



part 1

Post by ladidah on 7th December 2008, 1:38 am

Thanks for responding so fast! Here's the ComboFix log.

ComboFix 08-12-06.04 - Administrator 2008-12-06 17:28:18.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.268 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 14:08 . 2008-12-06 14:08 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Malwarebytes
2008-12-06 13:24 . 2008-12-06 13:24 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 13:24 . 2008-12-06 13:24 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-06 13:24 . 2008-12-06 13:24 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-06 13:24 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 13:24 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 12:55 . 2008-12-06 12:56 d--hs---- c:\documents and settings\~Nicolle~.NICOLLE\58A4AB771BA18F44
2008-12-05 21:24 . 2008-12-05 23:27 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Mozilla
2008-12-05 21:20 . 2008-12-05 21:20 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Real
2008-12-05 21:18 . 2006-07-19 16:23 d-------- c:\documents and settings\~Nicolle~.NICOLLE\WINDOWS
2008-12-05 21:18 . 2006-07-18 18:32 d--h----- c:\documents and settings\~Nicolle~.NICOLLE\Templates
2008-12-05 21:18 . 2008-12-06 12:56 dr------- c:\documents and settings\~Nicolle~.NICOLLE\Start Menu
2008-12-05 21:18 . 2006-07-18 18:41 dr-h----- c:\documents and settings\~Nicolle~.NICOLLE\SendTo
2008-12-05 21:18 . 2008-12-06 15:30 dr-h----- c:\documents and settings\~Nicolle~.NICOLLE\Recent
2008-12-05 21:18 . 2006-07-18 11:28 d--h----- c:\documents and settings\~Nicolle~.NICOLLE\PrintHood
2008-12-05 21:18 . 2006-07-18 11:28 d--h----- c:\documents and settings\~Nicolle~.NICOLLE\NetHood
2008-12-05 21:18 . 2008-12-06 12:55 dr------- c:\documents and settings\~Nicolle~.NICOLLE\My Documents
2008-12-05 21:18 . 2008-12-06 17:29 d--h----- c:\documents and settings\~Nicolle~.NICOLLE\Local Settings
2008-12-05 21:18 . 2008-12-06 12:55 dr------- c:\documents and settings\~Nicolle~.NICOLLE\Favorites
2008-12-05 21:18 . 2008-12-06 12:56 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Desktop
2008-12-05 21:18 . 2008-12-05 23:27 d--hs---- c:\documents and settings\~Nicolle~.NICOLLE\Cookies
2008-12-05 21:18 . 2006-07-19 18:41 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\You've Got Pictures Screensaver
2008-12-05 21:18 . 2006-07-19 15:58 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\toshiba
2008-12-05 21:18 . 2008-12-05 22:20 d---s---- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Microsoft
2008-12-05 21:18 . 2008-07-24 19:30 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Macromedia
2008-12-05 21:18 . 2006-11-28 19:51 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Intel
2008-12-05 21:18 . 2006-07-18 18:37 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Identities
2008-12-05 21:18 . 2006-11-28 20:08 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\AOL
2008-12-05 21:18 . 2008-12-05 22:07 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Adobe
2008-12-05 21:18 . 2008-12-06 14:08 dr-h----- c:\documents and settings\~Nicolle~.NICOLLE\Application Data
2008-12-05 21:18 . 2008-12-06 12:55 d-------- c:\documents and settings\~Nicolle~.NICOLLE
2008-12-05 21:18 . 2008-12-06 15:30 1,572,864 --ah----- c:\documents and settings\~Nicolle~.NICOLLE\NTUSER.DAT
2008-12-05 21:12 . 2006-07-19 16:23 d-------- c:\documents and settings\~Nicolle~\WINDOWS
2008-12-05 21:12 . 2006-07-18 18:32 d--h----- c:\documents and settings\~Nicolle~\Templates
2008-12-05 21:12 . 2006-07-18 11:28 dr------- c:\documents and settings\~Nicolle~\Start Menu
2008-12-05 21:12 . 2006-07-18 18:41 dr-h----- c:\documents and settings\~Nicolle~\SendTo
2008-12-05 21:12 . 2006-07-19 19:57 dr-h----- c:\documents and settings\~Nicolle~\Recent
2008-12-05 21:12 . 2006-07-18 11:28 d--h----- c:\documents and settings\~Nicolle~\PrintHood
2008-12-05 21:12 . 2006-07-18 11:28 d--h----- c:\documents and settings\~Nicolle~\NetHood
2008-12-05 21:12 . 2006-07-19 18:50 dr------- c:\documents and settings\~Nicolle~\My Documents
2008-12-05 21:12 . 2006-07-18 11:28 d--h----- c:\documents and settings\~Nicolle~\Local Settings
2008-12-05 21:12 . 2006-07-19 18:40 dr------- c:\documents and settings\~Nicolle~\Favorites
2008-12-05 21:12 . 2006-08-11 13:16 d-------- c:\documents and settings\~Nicolle~\Desktop
2008-12-05 21:12 . 2006-07-18 18:37 d--hs---- c:\documents and settings\~Nicolle~\Cookies
2008-12-05 21:12 . 2008-07-24 19:30 dr-h----- c:\documents and settings\~Nicolle~\Application Data
2008-12-05 21:12 . 2008-12-05 21:12 d-------- c:\documents and settings\~Nicolle~
2008-12-05 21:12 . 2008-08-12 14:26 1,310,720 --ah----- c:\documents and settings\~Nicolle~\NTUSER.DAT
2008-12-05 18:38 . 2008-12-06 13:13 4,746 --a------ c:\windows\system32\tmp.reg
2008-12-05 18:37 . 2008-12-05 18:42 d-------- c:\documents and settings\Administrator\SmitfraudFix
2008-12-05 18:37 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-12-05 18:37 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-12-05 18:37 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-12-05 18:37 . 2008-11-29 17:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-12-05 18:37 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-12-05 18:37 . 2008-11-29 17:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-12-05 18:37 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-12-05 18:37 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-12-05 18:37 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-12-05 18:37 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-12-04 18:04 . 2008-12-04 18:04 116 --a------ c:\windows\wininit.ini
2008-12-04 17:23 . 2008-12-04 17:23 d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-04 17:23 . 2008-12-04 17:23 d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-04 17:23 . 2008-12-04 17:23 d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-04 17:23 . 2008-12-04 17:23 d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-04 16:53 . 2008-12-04 19:05 d-------- c:\program files\Enigma Software Group
2008-12-04 00:26 . 2008-12-04 16:38 1 ---h----- c:\windows\f49f4daa.dat
2008-11-24 19:56 . 2008-11-24 19:55 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-17 16:37 . 2008-11-17 16:37 d-------- c:\program files\Common Files\Software Update Utility
2008-11-17 16:37 . 2008-11-17 16:37 d-------- c:\program files\AIM Toolbar
2008-11-17 16:37 . 2008-11-17 16:37 d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-17 16:37 . 2008-11-17 16:37 d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-11 10:51 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 10:48 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 01:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-06 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-06 20:17 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-06 05:15 --------- d-----w c:\program files\Plaxo
2008-12-06 02:38 --------- d-----w c:\program files\Google
2008-12-06 02:17 --------- d-----w c:\program files\Spyware Doctor
2008-12-05 00:47 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-25 03:55 --------- d-----w c:\program files\Java
2008-11-18 00:37 --------- d-----w c:\program files\AIM6
2008-11-18 00:37 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-18 00:35 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-07 23:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-07 23:00 --------- d-----w c:\program files\Norton Security Scan
2008-11-03 01:00 81,288 ----a-w c:\windows\system32\drivers\iksyssec.sys
2008-11-03 01:00 66,952 ----a-w c:\windows\system32\drivers\iksysflt.sys
2008-11-03 01:00 40,840 ----a-w c:\windows\system32\drivers\ikfilesec.sys
2008-10-28 00:21 --------- d--h--w c:\program files\InstallShield Installation


Last edited by ladidah on 7th December 2008, 1:39 am; edited 1 time in total


part 2

Post by ladidah on 7th December 2008, 1:39 am

2008-10-28 00:21 --------- d-----w c:\program files\GamesCampus
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 10:00 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-08 03:31 --------- d-----w c:\program files\Apple Software Update
2008-10-08 03:29 --------- d-----w c:\program files\iTunes
2008-10-08 03:29 --------- d-----w c:\program files\iPod
2008-10-08 03:29 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-08 03:27 --------- d-----w c:\program files\QuickTime
2008-10-08 03:27 --------- d-----w c:\program files\Bonjour
2008-10-04 07:18 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2007-04-06 01:09 402,432 ----a-w c:\program files\FLV PlayerRCSetup.exe
2007-09-29 01:57 6,275,816 ----a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-08-12 22:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081220080813\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
2008-10-07 11:09 1275176 --a------ c:\program files\AIM Toolbar\aimtb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{61539ecd-cc67-4437-a03c-9aaccbd14326}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-29 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-02 364544]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-25 299008]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-05 1077322]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-07-03 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-07-02 700416]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-09 36352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-11-02 1168264]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-03 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-23 c:\windows\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 c:\windows\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-20 443968]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"c:\\Program Files\\MAIET\\Gunz\\Gunz.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-26 356920]
S2 58A4AB771BA18F44;58A4AB771BA18F44;\??\c:\documents and settings\~Nicolle~.NICOLLE\58A4AB771BA18F44\58A4AB771BA18F44 []
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\DRIVERS\tdudf.sys [2006-06-28 98816]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-02-14 24652]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys []
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-06 38496]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys []
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\DRIVERS\rt2500usb.sys [2008-01-05 139904]
S3 XDva032;XDva032;\??\c:\windows\system32\XDva032.sys []
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [2008-07-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);"c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [2008-07-10 369688]
.
Contents of the 'Scheduled Tasks' folder

2008-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-08 c:\windows\Tasks\Norton Security Scan for Nicole Santillanes.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 03:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\AIM Toolbar\aimtb.dll
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\28av8ont.default\
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdnu.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Picasa2\npPicasa2.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-06 17:29:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\58A4AB771BA18F44]
"ImagePath"="\??\c:\documents and settings\~Nicolle~.NICOLLE\58A4AB771BA18F44\58A4AB771BA18F44"
.
Completion time: 2008-12-06 17:30:03
ComboFix-quarantined-files.txt 2008-12-07 01:29:58
ComboFix2.txt 2008-12-07 01:10:37

Pre-Run: 56,129,515,520 bytes free
Post-Run: 56,111,210,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

260 --- E O F --- 2008-11-12 11:09:52


Re: virusresponse lab 2009 +zlob

Post by Belahzur on 7th December 2008, 1:54 am

Hello.
Just need to get rid of a leftover service.

Now open a new notepad file.
Input this into the notepad file:

Driver::
58A4AB771BA18F44

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


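The CFScript above tells ComboFix to delete one named service. As an added example that is not code from the thread, from ComboFix or from its CFScript format, the PowerShell below does the same triage by hand: it lists service/driver entries in every ControlSet whose binary lives outside Windows or Program Files (or whose name is a bare 16-hex-digit string, as in the posted log), then removes the leftover entry from the SCM, from each ControlSet, and the hidden+system folder it pointed at. Only the service name and the ImagePath shape come from the ComboFix log; the function names and the trusted-location list are assumptions. It must be run from an elevated prompt.

```powershell
# Added example (not from the GeekPolice thread, ComboFix or CFScript): audit
# service entries in every ControlSet and remove the leftover one. Function
# names and the $trusted list are assumptions; run elevated (PowerShell 2.0+).

$LeftoverService = '58A4AB771BA18F44'   # service name taken from the ComboFix log

# Turn a raw ImagePath value into a plain file path. Registry values come in
# several shapes: "\??\c:\x.sys", "system32\DRIVERS\x.sys" (relative to
# %SystemRoot%), "\SystemRoot\x.sys", "%SystemRoot%\x.exe -k svc", and quoted
# paths followed by arguments.
function ConvertTo-ImageFilePath {
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\ -> C:\WINDOWS\
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }        # "C:\x y\a.exe" -args
    elseif ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# List services whose binary is outside Windows / Program Files, or whose name
# is a bare 16-hex-digit string like the one in the log. ControlSet001,
# ControlSet002, ... are all checked: the log showed the entry under
# ControlSet002, which "sc query" (CurrentControlSet only) never looks at.
function Get-SuspiciousServices {
    $trusted = @($env:SystemRoot, $env:ProgramFiles)
    $sets = Get-ChildItem HKLM:\SYSTEM | Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($set in $sets) {
        $services = Get-ChildItem "HKLM:\SYSTEM\$($set.PSChildName)\Services" -ErrorAction SilentlyContinue
        foreach ($svc in $services) {
            $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
            if (-not $img) { continue }
            $file = ConvertTo-ImageFilePath $img
            $inTrusted = $false
            foreach ($t in $trusted) { if ($file -like "$t\*") { $inTrusted = $true } }
            if (-not $inTrusted -or $svc.PSChildName -match '^[0-9A-F]{16}$') {
                New-Object PSObject -Property @{
                    ControlSet = $set.PSChildName
                    Name       = $svc.PSChildName
                    ImagePath  = $file
                    OnDisk     = Test-Path -LiteralPath $file
                }
            }
        }
    }
}

# Remove a leftover service from the SCM and from every ControlSet, then the
# hidden+system folder it pointed at (only when that folder carries the
# service's own name, as in the log, so nothing else gets deleted).
function Remove-LeftoverService {
    param([string]$Name)
    & sc.exe stop   $Name 2>&1 | Out-Null   # harmless if it is not running
    & sc.exe delete $Name 2>&1 | Out-Null   # only touches CurrentControlSet
    $sets = Get-ChildItem HKLM:\SYSTEM | Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($set in $sets) {
        $key = "HKLM:\SYSTEM\$($set.PSChildName)\Services\$Name"
        if (-not (Test-Path $key)) { continue }
        $file = ConvertTo-ImageFilePath (Get-ItemProperty $key).ImagePath
        Remove-Item -Path $key -Recurse -Force
        Write-Output "Removed $key (ImagePath: $file)"
        $dir = Split-Path -Parent $file
        if ((Split-Path -Leaf $dir) -eq $Name -and (Test-Path -LiteralPath $dir)) {
            Remove-Item -LiteralPath $dir -Recurse -Force   # -Force also removes hidden/system items
            Write-Output "Removed folder $dir"
        }
    }
}

Get-SuspiciousServices | Format-Table -AutoSize
Remove-LeftoverService -Name $LeftoverService
```

Review the audit table before calling the removal function: legitimate third-party drivers (the Toshiba and Malwarebytes entries in the log, for instance) also live outside the two trusted folders and will be listed. If the driver is currently loaded, the registry key goes away immediately but the file itself can only be deleted after a reboot, which is why ComboFix asks for one.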

Re: virusresponse lab 2009 +zlob

Post by ladidah on 7th December 2008, 2:46 am

Here it is

ComboFix 08-12-06.04 - Administrator 2008-12-06 18:25:21.5 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.234 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
.

((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 14:08 . 2008-12-06 14:08 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Malwarebytes
2008-12-06 13:24 . 2008-12-06 13:24 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 13:24 . 2008-12-06 13:24 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-06 13:24 . 2008-12-06 13:24 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-06 13:24 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 13:24 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 12:55 . 2008-12-06 12:56 d--hs---- c:\documents and settings\~Nicolle~.NICOLLE\58A4AB771BA18F44
2008-12-05 21:24 . 2008-12-05 23:27 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Mozilla
2008-12-05 21:20 . 2008-12-05 21:20 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Real
2008-12-05 21:18 . 2006-07-19 16:23 d-------- c:\documents and settings\~Nicolle~.NICOLLE\WINDOWS
2008-12-05 21:18 . 2006-07-18 18:32 d--h----- c:\documents and settings\~Nicolle~.NICOLLE\Templates
2008-12-05 21:18 . 2008-12-06 12:56 dr------- c:\documents and settings\~Nicolle~.NICOLLE\Start Menu
2008-12-05 21:18 . 2006-07-18 18:41 dr-h----- c:\documents and settings\~Nicolle~.NICOLLE\SendTo
2008-12-05 21:18 . 2008-12-06 15:30 dr-h----- c:\documents and settings\~Nicolle~.NICOLLE\Recent
2008-12-05 21:18 . 2006-07-18 11:28 d--h----- c:\documents and settings\~Nicolle~.NICOLLE\PrintHood
2008-12-05 21:18 . 2006-07-18 11:28 d--h----- c:\documents and settings\~Nicolle~.NICOLLE\NetHood
2008-12-05 21:18 . 2008-12-06 12:55 dr------- c:\documents and settings\~Nicolle~.NICOLLE\My Documents
2008-12-05 21:18 . 2008-12-06 18:27 d--h----- c:\documents and settings\~Nicolle~.NICOLLE\Local Settings
2008-12-05 21:18 . 2008-12-06 12:55 dr------- c:\documents and settings\~Nicolle~.NICOLLE\Favorites
2008-12-05 21:18 . 2008-12-06 12:56 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Desktop
2008-12-05 21:18 . 2008-12-05 23:27 d--hs---- c:\documents and settings\~Nicolle~.NICOLLE\Cookies
2008-12-05 21:18 . 2006-07-19 18:41 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\You've Got Pictures Screensaver
2008-12-05 21:18 . 2006-07-19 15:58 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\toshiba
2008-12-05 21:18 . 2008-12-05 22:20 d---s---- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Microsoft
2008-12-05 21:18 . 2008-07-24 19:30 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Macromedia
2008-12-05 21:18 . 2006-11-28 19:51 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Intel
2008-12-05 21:18 . 2006-07-18 18:37 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Identities
2008-12-05 21:18 . 2006-11-28 20:08 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\AOL
2008-12-05 21:18 . 2008-12-05 22:07 d-------- c:\documents and settings\~Nicolle~.NICOLLE\Application Data\Adobe
2008-12-05 21:18 . 2008-12-06 14:08 dr-h----- c:\documents and settings\~Nicolle~.NICOLLE\Application Data
2008-12-05 21:18 . 2008-12-06 12:55 d-------- c:\documents and settings\~Nicolle~.NICOLLE
2008-12-05 21:18 . 2008-12-06 18:12 1,572,864 --ah----- c:\documents and settings\~Nicolle~.NICOLLE\NTUSER.DAT
2008-12-05 21:12 . 2006-07-19 16:23 d-------- c:\documents and settings\~Nicolle~\WINDOWS
2008-12-05 21:12 . 2006-07-18 18:32 d--h----- c:\documents and settings\~Nicolle~\Templates
2008-12-05 21:12 . 2006-07-18 11:28 dr------- c:\documents and settings\~Nicolle~\Start Menu
2008-12-05 21:12 . 2006-07-18 18:41 dr-h----- c:\documents and settings\~Nicolle~\SendTo
2008-12-05 21:12 . 2006-07-19 19:57 dr-h----- c:\documents and settings\~Nicolle~\Recent
2008-12-05 21:12 . 2006-07-18 11:28 d--h----- c:\documents and settings\~Nicolle~\PrintHood
2008-12-05 21:12 . 2006-07-18 11:28 d--h----- c:\documents and settings\~Nicolle~\NetHood
2008-12-05 21:12 . 2006-07-19 18:50 dr------- c:\documents and settings\~Nicolle~\My Documents
2008-12-05 21:12 . 2006-07-18 11:28 d--h----- c:\documents and settings\~Nicolle~\Local Settings
2008-12-05 21:12 . 2006-07-19 18:40 dr------- c:\documents and settings\~Nicolle~\Favorites
2008-12-05 21:12 . 2006-08-11 13:16 d-------- c:\documents and settings\~Nicolle~\Desktop
2008-12-05 21:12 . 2006-07-18 18:37 d--hs---- c:\documents and settings\~Nicolle~\Cookies
2008-12-05 21:12 . 2008-07-24 19:30 dr-h----- c:\documents and settings\~Nicolle~\Application Data
2008-12-05 21:12 . 2008-12-05 21:12 d-------- c:\documents and settings\~Nicolle~
2008-12-05 21:12 . 2008-08-12 14:26 1,310,720 --ah----- c:\documents and settings\~Nicolle~\NTUSER.DAT
2008-12-05 18:38 . 2008-12-06 13:13 4,746 --a------ c:\windows\system32\tmp.reg
2008-12-05 18:37 . 2008-12-05 18:42 d-------- c:\documents and settings\Administrator\SmitfraudFix
2008-12-05 18:37 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-12-05 18:37 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-12-05 18:37 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-12-05 18:37 . 2008-11-29 17:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-12-05 18:37 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-12-05 18:37 . 2008-11-29 17:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-12-05 18:37 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-12-05 18:37 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-12-05 18:37 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-12-05 18:37 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-12-04 18:04 . 2008-12-04 18:04 116 --a------ c:\windows\wininit.ini
2008-12-04 17:23 . 2008-12-04 17:23 d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-04 17:23 . 2008-12-04 17:23 d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-04 17:23 . 2008-12-04 17:23 d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-04 17:23 . 2008-12-04 17:23 d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-04 16:53 . 2008-12-04 19:05 d-------- c:\program files\Enigma Software Group
2008-12-04 00:26 . 2008-12-04 16:38 1 ---h----- c:\windows\f49f4daa.dat
2008-11-24 19:56 . 2008-11-24 19:55 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-17 16:37 . 2008-11-17 16:37 d-------- c:\program files\Common Files\Software Update Utility
2008-11-17 16:37 . 2008-11-17 16:37 d-------- c:\program files\AIM Toolbar
2008-11-17 16:37 . 2008-11-17 16:37 d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-11-17 16:37 . 2008-11-17 16:37 d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-11 10:51 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 10:48 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 02:22 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-06 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-06 20:17 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-06 05:15 --------- d-----w c:\program files\Plaxo
2008-12-06 02:38 --------- d-----w c:\program files\Google
2008-12-06 02:17 --------- d-----w c:\program files\Spyware Doctor
2008-12-05 00:47 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-25 03:55 --------- d-----w c:\program files\Java
2008-11-18 00:37 --------- d-----w c:\program files\AIM6
2008-11-18 00:37 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-18 00:35 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-07 23:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-07 23:00 --------- d-----w c:\program files\Norton Security Scan
2008-11-03 01:00 81,288 ----a-w c:\windows\system32\drivers\iksyssec.sys
2008-11-03 01:00 66,952 ----a-w c:\windows\system32\drivers\iksysflt.sys
2008-11-03 01:00 40,840 ----a-w c:\windows\system32\drivers\ikfilesec.sys
2008-10-28 00:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-28 00:21 --------- d-----w c:\program files\GamesCampus
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 10:00 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-08 03:31 --------- d-----w c:\program files\Apple Software Update
2008-10-08 03:29 --------- d-----w c:\program files\iTunes
2008-10-08 03:29 --------- d-----w c:\program files\iPod
2008-10-08 03:29 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-08 03:27 --------- d-----w c:\program files\QuickTime
2008-10-08 03:27 --------- d-----w c:\program files\Bonjour
2008-10-04 07:18 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2007-04-06 01:09 402,432 ----a-w c:\program files\FLV PlayerRCSetup.exe
2007-09-29 01:57 6,275,816 ----a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-08-12 22:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081220080813\index.dat
.


part 2

Post by ladidah on 7th December 2008, 2:46 am

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
2008-10-07 11:09 1275176 --a------ c:\program files\AIM Toolbar\aimtb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{61539ecd-cc67-4437-a03c-9aaccbd14326}"= "c:\program files\AIM Toolbar\aimtb.dll" [2008-10-07 1275176]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-29 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-02 364544]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-25 299008]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-05 1077322]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-07-03 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-07-02 700416]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-09 36352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-11-02 1168264]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-03 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-23 c:\windows\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 c:\windows\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-20 443968]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"c:\\Program Files\\MAIET\\Gunz\\Gunz.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-26 356920]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\DRIVERS\tdudf.sys [2006-06-28 98816]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-02-14 24652]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys []
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-06 38496]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys []
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\DRIVERS\rt2500usb.sys [2008-01-05 139904]
S3 XDva032;XDva032;\??\c:\windows\system32\XDva032.sys []
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [2008-07-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);"c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [2008-07-10 369688]
.
Contents of the 'Scheduled Tasks' folder

2008-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-08 c:\windows\Tasks\Norton Security Scan for Nicole Santillanes.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 03:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\AIM Toolbar\aimtb.dll
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\28av8ont.default\
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdnu.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Picasa2\npPicasa2.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-06 18:27:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-06 18:28:43
ComboFix-quarantined-files.txt 2008-12-07 02:28:37
ComboFix2.txt 2008-12-07 02:19:48
ComboFix3.txt 2008-12-07 01:30:04
ComboFix4.txt 2008-12-07 01:10:37

Pre-Run: 56,031,502,336 bytes free
Post-Run: 56,012,734,464 bytes free

257 --- E O F --- 2008-11-12 11:09:52


Re: virusresponse lab 2009 +zlob

Post by Belahzur on 7th December 2008, 1:13 pm

Looks good, what problems remain?


Re: virusresponse lab 2009 +zlob

Post by Doctor Inferno on 26th December 2008, 4:24 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.