Welcome to MalwareRemoval.com,

Malware problem


Re: Malware problem

Post by Shaba » July 23rd, 2008, 6:31 am

Hi

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
D:\no.com 
D:\fi.cmd 
D:\k.com 
D:\xc9f3l6.cmd 
D:\33gmhso.bat 
D:\ivcvknr.bat 
D:\wak.cmd 


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Malware problem

Post by 2rone » July 24th, 2008, 7:27 am

Hi Shaba

As you requested :D

COMBOFIX REPORT

ComboFix 08-07-20.5 - resty 2008-07-24 18:54:52.5 - NTFSx86
Running from: C:\Documents and Settings\resty\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\resty\Desktop\CFScript.txt

FILE ::
D:\33gmhso.bat
D:\fi.cmd
D:\ivcvknr.bat
D:\k.com
D:\no.com
D:\wak.cmd
D:\xc9f3l6.cmd
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\resty\Local Settings\temp\Rar$EX05.500\NOD32 Antivirus System 2.70.39 for Windows NT20002003XPVista 3264\Mirror\_desktop.ini
D:\33gmhso.bat
D:\fi.cmd
D:\ivcvknr.bat
D:\k.com
D:\no.com
D:\wak.cmd
D:\xc9f3l6.cmd

.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-24 10:54 . 2008-07-24 12:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-23 17:53 . 2008-07-23 17:53 <DIR> d-------- C:\_OTMoveIt
2008-07-23 14:00 . 2008-07-24 09:30 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-23 14:00 . 2008-07-23 14:00 <DIR> d-------- C:\Documents and Settings\resty\Application Data\AVGTOOLBAR
2008-07-23 14:00 . 2008-07-23 14:00 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-23 14:00 . 2008-07-23 14:00 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-23 14:00 . 2008-07-23 14:00 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-23 13:58 . 2008-07-23 14:12 <DIR> d-------- C:\Program Files\AVG
2008-07-23 13:58 . 2008-07-23 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-23 13:07 . 2008-07-23 13:07 <DIR> d-------- C:\Program Files\ESET
2008-07-08 18:18 . 2008-07-08 18:18 <DIR> d-------- C:\Program Files\Free Download Manager
2008-07-08 18:18 . 2008-07-24 09:57 <DIR> d-------- C:\Documents and Settings\resty\Application Data\Free Download Manager
2008-07-08 18:18 . 2008-07-08 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-07-04 11:20 . 2008-07-04 11:31 <DIR> d-------- C:\GBSI_Data_Uploader
2008-07-04 11:04 . 2008-07-04 11:04 <DIR> d-------- C:\Documents and Settings\resty\Application Data\Macrovision
2008-07-04 11:04 . 2008-07-04 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 10:19 --------- d-----w C:\Documents and Settings\resty\Application Data\SQL Developer
2008-07-24 06:26 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-23 10:46 --------- d-----w C:\Program Files\Launch Manager
2008-07-23 05:40 --------- d-----w C:\Program Files\Symantec
2008-07-23 05:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-23 05:39 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-23 05:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-21 06:33 --------- d-----w C:\Documents and Settings\resty\Application Data\AdobeUM
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 08:48 --------- d-----w C:\Program Files\IzPack
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 01:24 --------- d-----w C:\Program Files\Yahoo!
2008-06-11 01:16 --------- d-----w C:\Program Files\Java
2008-06-09 23:08 --------- d-----w C:\Documents and Settings\resty\Application Data\Vidalia
2008-06-09 23:08 --------- d-----w C:\Documents and Settings\resty\Application Data\tor
2008-06-09 22:05 --------- d-----w C:\Documents and Settings\resty\Application Data\UFOAI
2008-06-09 17:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-08 02:34 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-10-08 02:37 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-21_14.45.36.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-23 06:00:50 26,824 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 11:18 307200]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 10:17 102491]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 10:16 692315]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 18:00 345088]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 16:55 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 16:52 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 16:55 118784]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 19:43 401408]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-03-30 16:56 471040]
"ImageItEncrypt"="C:\WINDOWS\system32\ImageItEncrypt.exe" [2005-12-30 17:02 40960]
"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 01:12 579584]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-03-30 18:47 421888]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 17:21 53248]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-23 13:59 1232152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - C:\Apache\Apache2\bin\ApacheMonitor.exe [2006-07-27 18:59:08 41042]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
backup=C:\WINDOWS\pss\Acer Empowering Technology.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^resty^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^resty^Start Menu^Programs^Startup^UberIcon.lnk]
backup=C:\WINDOWS\pss\UberIcon.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^resty^Start Menu^Programs^Startup^Y'z Shadow.lnk]
backup=C:\WINDOWS\pss\Y'z Shadow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^resty^Start Menu^Programs^Startup^Y'z ToolBar.lnk]
backup=C:\WINDOWS\pss\Y'z ToolBar.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-14 03:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 11:18 307200 c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-12-17 20:13 3810544 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"OracleOraDb10g_home1TNSListener"=2 (0x2)
"OracleOraDb10g_home1iSQL*Plus"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acer ePresentation HPD"=C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"ntiMUI"=C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_06\\jre\\bin\\java.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-23 14:00]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-23 13:59]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-23 13:59]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-23 14:00]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 19:57]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 19:57]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []
S2 OracleDBConsoledb0001;OracleDBConsoledb0001;D:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe []
S2 OracleDBConsoleroannewd;OracleDBConsoleroannewd;C:\oracle10gr2\product\10.2.0\db_1\bin\nmesrvc.exe []
S3 MySQL41;MySQL41;C:\MySQL\bin\mysqld-nt --defaults-file=C:\MySQL\my.ini MySQL41 []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 OracleOraHomeSNMPPeerEncapsulator;OracleOraHomeSNMPPeerEncapsulator;c:\oracle\ora92\BIN\ENCSVC.EXE [2002-02-13 11:23]
S3 OracleOraHomeSNMPPeerMasterAgent;OracleOraHomeSNMPPeerMasterAgent;c:\oracle\ora92\BIN\AGNTSVC.EXE [2002-02-13 11:23]
S3 OracleOraHomeTNSListenerLISTENER1;OracleOraHomeTNSListenerLISTENER1;c:\oracle\ora92\BIN\TNSLSNR []
S3 OracleServiceFDP;OracleServiceFDP;c:\oracle\ora92\bin\ORACLE.EXE FDP []
S3 OracleServiceROANDB;OracleServiceROANDB;c:\oracle\ora92\bin\ORACLE.EXE ROANDB []
S4 Apache2.2;Apache2.2;C:\bin\httpd.exe []
S4 OracleDBConsoledbTest;OracleDBConsoledbTest;D:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe []
S4 OracleServiceISYSAPCHRDEMO;OracleServiceISYSAPCHRDEMO;c:\oracle\ora92\bin\ORACLE.EXE ISYSAPCHRDEMO []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\33gmhso.bat
\Shell\explore\Command - F:\33gmhso.bat
\Shell\open\Command - F:\33gmhso.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\33gmhso.bat
\Shell\explore\Command - G:\33gmhso.bat
\Shell\open\Command - G:\33gmhso.bat
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 19:02:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-24 19:12:28
ComboFix-quarantined-files.txt 2008-07-24 11:12:18
ComboFix2.txt 2008-07-22 03:56:22
ComboFix3.txt 2008-07-21 06:47:54

Pre-Run: 26,346,934,784 bytes free
Post-Run: 26,370,154,496 bytes free

200 --- E O F --- 2008-07-11 01:10:16


HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:29 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\CF31524.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\wil\various installers\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 16.157.192.224:8888
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updateMgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} (RtspVaPgCtrl Class) - http://60.248.39.146:1025/RtspVaPgDec.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Apache\Apache2\bin\Apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: MySQL41 - Unknown owner - C:\MySQL\bin\mysqld-nt (file missing)
O23 - Service: OracleDBConsoledb0001 - Unknown owner - D:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe (file missing)
O23 - Service: OracleDBConsoleroannewd - Unknown owner - C:\oracle10gr2\product\10.2.0\db_1\bin\nmesrvc.exe (file missing)
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleOraHomeAgent - Oracle Corporation - c:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHomeClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHomeHTTPServer - Unknown owner - c:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHomePagingServer - Unknown owner - c:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHomeSNMPPeerEncapsulator - Unknown owner - c:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHomeSNMPPeerMasterAgent - Unknown owner - c:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHomeTNSListener - Unknown owner - c:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleOraHomeTNSListenerLISTENER1 - Unknown owner - c:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceFDP - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceROANDB - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9895 bytes
2rone
Regular Member
 
Posts: 20
Joined: July 16th, 2008, 4:06 am

Re: Malware problem

Post by Shaba » July 24th, 2008, 7:47 am

Hi

It looks like that F and G devices are still infected:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\33gmhso.bat
\Shell\explore\Command - F:\33gmhso.bat
\Shell\open\Command - F:\33gmhso.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\33gmhso.bat
\Shell\explore\Command - G:\33gmhso.bat
\Shell\open\Command - G:\33gmhso.bat

In order to prevent this from going on and on, I highly recommend that you format the USB flash drive next, or we could be cleaning this forever.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
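The entries Shaba points at are the classic removable-media autorun pattern: a MountPoints2 key for a drive letter whose AutoRun, Explore and Open shell verbs all launch a batch file stored on the drive itself. The script below is an added example for this thread, not a MalwareRemoval.com tool and not part of ComboFix or HijackThis; it parses the MountPoints2 block of a ComboFix "Reg Loading Points" dump and flags drive entries that fit the pattern. The SAMPLE_LOG is constructed to mirror the F: and G: entries shown above, plus an extra E: entry of the benign CD-style kind for contrast; the two heuristics (a script extension on the target, and the Open/Explore verbs redirected to the same file as AutoRun) are this example's own assumptions, not rules from the page.

```python
import os
import re
from dataclasses import dataclass, field

# Constructed sample in the format of a ComboFix "Reg Loading Points" section.
# F: and G: mirror the thread's entries; E: is a made-up benign-looking CD autorun.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\33gmhso.bat
\Shell\explore\Command - F:\33gmhso.bat
\Shell\open\Command - F:\33gmhso.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\33gmhso.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
"""

# Extensions an autorun worm typically registers under the drive's shell verbs
# (assumed list for this example).
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".com", ".vbs", ".vbe", ".js", ".pif", ".scr"}

# A MountPoints2 subkey header as ComboFix prints it, capturing the drive letter.
KEY_RE = re.compile(
    r"^\[HKEY_(?:CURRENT_USER|USERS\\[^\\\]]+)\\software\\microsoft\\windows"
    r"\\currentversion\\explorer\\mountpoints2\\([A-Za-z])\]$",
    re.IGNORECASE,
)
# A shell-verb command line beneath it, e.g.  \Shell\AutoRun\command - F:\33gmhso.bat
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.IGNORECASE)


@dataclass
class MountPoint:
    drive: str
    commands: dict = field(default_factory=dict)  # shell verb (lower-case) -> target path


def parse_mountpoints(log_text):
    """Collect the MountPoints2 drive entries from a ComboFix registry dump."""
    points = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            drive = key.group(1).upper()
            current = points.setdefault(drive, MountPoint(drive))
            continue
        if line.startswith("["):  # any other registry key ends the current block
            current = None
            continue
        cmd = CMD_RE.match(line) if current else None
        if cmd:
            current.commands[cmd.group(1).lower()] = cmd.group(2)
    return points


def assess(point):
    """Return the reasons a drive entry looks like a removable-media autorun hijack."""
    findings = []
    for verb, target in sorted(point.commands.items()):
        if os.path.splitext(target)[1].lower() in SCRIPT_EXTENSIONS:
            findings.append(f"{verb} runs a script stored on the drive: {target}")
    # Worms usually overwrite Open and Explore with the AutoRun target as well, so that
    # double-clicking the drive in Explorer also launches the payload; a plain CD
    # autorun only sets AutoRun.
    autorun = point.commands.get("autorun", "").lower()
    hijacked = sorted(v for v in ("open", "explore")
                      if autorun and point.commands.get(v, "").lower() == autorun)
    if hijacked:
        findings.append(f"shell verbs {hijacked} redirected to the AutoRun target")
    return findings


def scan(log_text):
    """Map each drive letter found to its findings; clean-looking drives map to []."""
    return {drive: assess(mp) for drive, mp in parse_mountpoints(log_text).items()}


if __name__ == "__main__":
    for drive, findings in sorted(scan(SAMPLE_LOG).items()):
        status = "SUSPICIOUS" if findings else "no findings"
        print(f"{drive}: {status}")
        for f in findings:
            print(f"    - {f}")
```

Run it against the MountPoints2 portion of any ComboFix log; a drive that lights up on both heuristics is the one whose media still carries the autorun script, which is why the advice above is to deal with the USB stick itself rather than only the registry entries on the PC.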

Re: Malware problem

Post by 2rone » July 28th, 2008, 6:54 am

Hi

Sorry I haven't replied for a while...been busy the whole weekend...but anyway I'll do a backup of my USB drive and format the thing. But I'm not sure what to do next...I'll just post a fresh HJT log.

EDIT:
HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:34 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\winhlp32.exe
C:\MySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
D:\wil\various installers\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 16.157.192.224:8888
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [updateMgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} (RtspVaPgCtrl Class) - http://60.248.39.146:1025/RtspVaPgDec.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Apache\Apache2\bin\Apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: MySQL41 - Unknown owner - C:\MySQL\bin\mysqld-nt (file missing)
O23 - Service: OracleDBConsoledb0001 - Unknown owner - D:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe (file missing)
O23 - Service: OracleDBConsoleroannewd - Unknown owner - C:\oracle10gr2\product\10.2.0\db_1\bin\nmesrvc.exe (file missing)
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleOraHomeAgent - Oracle Corporation - c:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHomeClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHomeHTTPServer - Unknown owner - c:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHomePagingServer - Unknown owner - c:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHomeSNMPPeerEncapsulator - Unknown owner - c:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHomeSNMPPeerMasterAgent - Unknown owner - c:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHomeTNSListener - Unknown owner - c:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleOraHomeTNSListenerLISTENER1 - Unknown owner - c:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceFDP - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceROANDB - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10551 bytes


Please tell me what to do next ... I've already formatted my USB drive and try not to put anything on it. :)
Last edited by 2rone on July 28th, 2008, 8:06 am, edited 1 time in total.
2rone
Regular Member
 
Posts: 20
Joined: July 16th, 2008, 4:06 am

Re: Malware problem

Unread postby Shaba » July 28th, 2008, 7:10 am

Hi

If you back up your USB drive you will infect the media to which you back it up. You don't have any backups of the things you have on that USB stick?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Malware problem

Unread postby 2rone » July 28th, 2008, 11:32 pm

Shaba wrote: If you back up your USB drive you will infect the media to which you back it up. You don't have any backups of the things you have on that USB stick?


Hi
I didn't do any backups, although I accessed my USB before formatting it.
2rone
Regular Member
 
Posts: 20
Joined: July 16th, 2008, 4:06 am

Re: Malware problem

Unread postby Shaba » July 29th, 2008, 1:04 am

Hi

Please then re-run dss and post back a fresh dss log :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Malware problem

Unread postby 2rone » July 29th, 2008, 3:30 am

Hi

Dss? What's dss? I don't remember you instructing me to run dss.
2rone
Regular Member
 
Posts: 20
Joined: July 16th, 2008, 4:06 am

Re: Malware problem

Unread postby Shaba » July 29th, 2008, 4:45 am

Hi

My bad :oops:

I meant combofix.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Malware problem

Unread postby 2rone » July 30th, 2008, 9:38 pm

Hi

Here's my latest combofix log :D

COMBOFIX LOG

ComboFix 08-07-29.1 - resty 2008-07-31 9:12:11.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.127 [GMT 8:00]
Running from: C:\Documents and Settings\resty\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-29 08:47 . 2008-07-29 08:50 <DIR> d-------- C:\Documents and Settings\resty\Application Data\Skype
2008-07-28 15:21 . 2008-07-28 15:21 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-07-28 15:12 . 2008-07-28 15:12 <DIR> d-------- C:\Program Files\Google
2008-07-28 15:12 . 2008-07-30 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-25 17:08 . 2008-02-15 12:45 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2008-07-25 16:56 . 2008-02-15 13:12 5,854,752 --a------ C:\WINDOWS\system32\drivers\igxpmp32.sys
2008-07-25 16:56 . 2008-02-15 13:12 2,643,968 --a------ C:\WINDOWS\system32\igxpdx32.dll
2008-07-25 16:56 . 2008-02-15 13:12 1,670,144 --a------ C:\WINDOWS\system32\igxpdv32.dll
2008-07-25 16:56 . 2008-03-07 12:56 920,088 --a------ C:\WINDOWS\system32\igxpun.exe
2008-07-25 16:56 . 2006-11-10 08:25 319,456 --a------ C:\WINDOWS\system32\difxapi.dll
2008-07-25 16:56 . 2008-02-15 12:49 176,128 --a------ C:\WINDOWS\system32\igfxrsky.lrc
2008-07-25 16:56 . 2008-02-15 12:49 172,032 --a------ C:\WINDOWS\system32\igfxrslv.lrc
2008-07-25 16:56 . 2008-02-15 13:12 151,040 --a------ C:\WINDOWS\system32\igxpgd32.dll
2008-07-25 16:56 . 2008-02-15 13:21 147,456 --a------ C:\WINDOWS\system32\igfxCoIn_v4926.dll
2008-07-25 16:56 . 2008-02-15 13:12 57,344 --a------ C:\WINDOWS\system32\igxprd32.dll
2008-07-25 10:39 . 2008-07-25 10:39 <DIR> d-------- C:\Intel
2008-07-24 10:54 . 2008-07-28 19:37 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-23 17:53 . 2008-07-23 17:53 <DIR> d-------- C:\_OTMoveIt
2008-07-23 14:00 . 2008-07-30 09:44 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-23 14:00 . 2008-07-30 08:49 <DIR> d-------- C:\Documents and Settings\resty\Application Data\AVGTOOLBAR
2008-07-23 14:00 . 2008-07-23 14:00 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-23 14:00 . 2008-07-23 14:00 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-23 14:00 . 2008-07-23 14:00 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-23 13:58 . 2008-07-23 14:12 <DIR> d-------- C:\Program Files\AVG
2008-07-23 13:58 . 2008-07-23 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-08 18:18 . 2008-07-08 18:18 <DIR> d-------- C:\Program Files\Free Download Manager
2008-07-08 18:18 . 2008-07-31 09:06 <DIR> d-------- C:\Documents and Settings\resty\Application Data\Free Download Manager
2008-07-08 18:18 . 2008-07-08 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-07-04 11:20 . 2008-07-04 11:31 <DIR> d-------- C:\GBSI_Data_Uploader
2008-07-04 11:04 . 2008-07-04 11:04 <DIR> d-------- C:\Documents and Settings\resty\Application Data\Macrovision
2008-07-04 11:04 . 2008-07-04 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-19 16:46 . 2008-06-19 16:48 <DIR> d-------- C:\Program Files\IzPack
2008-06-16 16:44 . 2008-06-16 16:44 69,632 --a------ C:\WINDOWS\system32\SYSTEM1.MDW
2008-06-16 16:38 . 2008-06-16 16:38 69,632 --a------ C:\WINDOWS\system32\SYSTEM1X.MDW
2008-06-13 11:12 . 2004-08-04 08:00 35,328 --a------ C:\WINDOWS\system32\iprip.dll
2008-06-13 11:12 . 2004-08-04 08:00 35,328 --a------ C:\WINDOWS\system32\dllcache\iprip.dll
2008-06-12 13:39 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 13:39 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 09:15 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-10 06:05 . 2008-06-10 06:05 <DIR> d-------- C:\Documents and Settings\resty\Application Data\UFOAI
2008-06-10 01:42 . 2008-07-28 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-06-10 00:35 . 2008-06-10 00:35 <DIR> d-------- C:\WINDOWS\LMI5.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 01:09 --------- d-----w C:\Program Files\Launch Manager
2008-07-30 09:50 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-29 04:40 --------- d-----w C:\Documents and Settings\resty\Application Data\SQL Developer
2008-07-28 07:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-28 07:21 --------- d-----w C:\Program Files\Skype
2008-07-23 05:40 --------- d-----w C:\Program Files\Symantec
2008-07-23 05:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-23 05:39 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-23 05:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-21 06:33 --------- d-----w C:\Documents and Settings\resty\Application Data\AdobeUM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-11 01:24 --------- d-----w C:\Program Files\Yahoo!
2008-06-11 01:16 --------- d-----w C:\Program Files\Java
2008-06-09 23:08 --------- d-----w C:\Documents and Settings\resty\Application Data\Vidalia
2008-06-09 23:08 --------- d-----w C:\Documents and Settings\resty\Application Data\tor
2007-10-08 02:34 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-10-08 02:37 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-21_14.45.36.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-28 07:30:53 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2008-07-30 08:42:36 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-5464-3428-800000000003}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-28 15:13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 10:17 102491]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 10:16 692315]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 18:00 345088]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 19:43 401408]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-03-30 16:56 471040]
"ImageItEncrypt"="C:\WINDOWS\system32\ImageItEncrypt.exe" [2005-12-30 17:02 40960]
"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 01:12 579584]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-03-30 18:47 421888]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 17:21 53248]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-23 13:59 1232152]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-15 12:46 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-15 12:46 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-15 12:46 131072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - C:\Apache\Apache2\bin\ApacheMonitor.exe [2006-07-27 18:59:08 41042]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
backup=C:\WINDOWS\pss\Acer Empowering Technology.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^resty^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^resty^Start Menu^Programs^Startup^UberIcon.lnk]
backup=C:\WINDOWS\pss\UberIcon.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^resty^Start Menu^Programs^Startup^Y'z Shadow.lnk]
backup=C:\WINDOWS\pss\Y'z Shadow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^resty^Start Menu^Programs^Startup^Y'z ToolBar.lnk]
backup=C:\WINDOWS\pss\Y'z ToolBar.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-14 03:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-12-17 20:13 3810544 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"OracleOraDb10g_home1TNSListener"=2 (0x2)
"OracleOraDb10g_home1iSQL*Plus"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acer ePresentation HPD"=C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"ntiMUI"=C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_06\\jre\\bin\\java.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\sqldeveloper\\sqldeveloper.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-23 14:00]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-23 13:59]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-23 13:59]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-23 14:00]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 19:57]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 19:57]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []
S2 OracleDBConsoledb0001;OracleDBConsoledb0001;D:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe []
S2 OracleDBConsoleroannewd;OracleDBConsoleroannewd;C:\oracle10gr2\product\10.2.0\db_1\bin\nmesrvc.exe []
S3 MySQL41;MySQL41;C:\MySQL\bin\mysqld-nt --defaults-file=C:\MySQL\my.ini MySQL41 []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 OracleOraHomeSNMPPeerEncapsulator;OracleOraHomeSNMPPeerEncapsulator;c:\oracle\ora92\BIN\ENCSVC.EXE [2002-02-13 11:23]
S3 OracleOraHomeSNMPPeerMasterAgent;OracleOraHomeSNMPPeerMasterAgent;c:\oracle\ora92\BIN\AGNTSVC.EXE [2002-02-13 11:23]
S3 OracleOraHomeTNSListenerLISTENER1;OracleOraHomeTNSListenerLISTENER1;c:\oracle\ora92\BIN\TNSLSNR []
S3 OracleServiceFDP;OracleServiceFDP;c:\oracle\ora92\bin\ORACLE.EXE FDP []
S3 OracleServiceROANDB;OracleServiceROANDB;c:\oracle\ora92\bin\ORACLE.EXE ROANDB []
S4 Apache2.2;Apache2.2;C:\bin\httpd.exe []
S4 OracleDBConsoledbTest;OracleDBConsoledbTest;D:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe []
S4 OracleServiceISYSAPCHRDEMO;OracleServiceISYSAPCHRDEMO;c:\oracle\ora92\bin\ORACLE.EXE ISYSAPCHRDEMO []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\33gmhso.bat
\Shell\explore\Command - G:\33gmhso.bat
\Shell\open\Command - G:\33gmhso.bat
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyServer = 16.157.192.224:8888
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 -: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 -: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 -: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} - hxxp://60.248.39.146:1025/RtspVaPgDec.cab
C:\WINDOWS\Downloaded Program Files\RtspVapgDecoder.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 09:22:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-31 9:28:00
ComboFix-quarantined-files.txt 2008-07-31 01:26:43
ComboFix2.txt 2008-07-30 10:46:53
ComboFix3.txt 2008-07-24 11:12:30
ComboFix4.txt 2008-07-22 03:56:22
ComboFix5.txt 2008-07-31 01:07:24

Pre-Run: 25,627,342,336 bytes free
Post-Run: 25,603,030,016 bytes free

205 --- E O F --- 2008-07-11 01:10:16


You might want to look at this too...
HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:34:02 AM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Apache\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\wil\various installers\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 16.157.192.224:8888
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} (RtspVaPgCtrl Class) - http://60.248.39.146:1025/RtspVaPgDec.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Apache\Apache2\bin\Apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: MySQL41 - Unknown owner - C:\MySQL\bin\mysqld-nt (file missing)
O23 - Service: OracleDBConsoledb0001 - Unknown owner - D:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe (file missing)
O23 - Service: OracleDBConsoleroannewd - Unknown owner - C:\oracle10gr2\product\10.2.0\db_1\bin\nmesrvc.exe (file missing)
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleOraHomeAgent - Oracle Corporation - c:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHomeClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHomeHTTPServer - Unknown owner - c:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHomePagingServer - Unknown owner - c:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHomeSNMPPeerEncapsulator - Unknown owner - c:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHomeSNMPPeerMasterAgent - Unknown owner - c:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHomeTNSListener - Unknown owner - c:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleOraHomeTNSListenerLISTENER1 - Unknown owner - c:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceFDP - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceROANDB - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10443 bytes
2rone
Regular Member
 
Posts: 20
Joined: July 16th, 2008, 4:06 am

Re: Malware problem

Unread postby Shaba » July 31st, 2008, 1:02 am

Hi

Go to Start > Run
Type regedit and click OK.

  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
    • Leave the "Save As Type" as "Registration Files".
    • Under "Filename" put backup
  • Choose to save it to C:\ or to some other safe location so that you will remember where you put it (don't put it on the Desktop!)
  • Click Save and then go to File > Exit.

Open Notepad and copy the contents of the following box to a new file.

Code: Select all
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G] 


Save it as fix.reg (save type: "All files" (*.*)) to your desktop.

It should look like this -> Image

Go to Desktop, double-click fix.reg and merge the information with the registry.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Reboot.

Re-run combofix.

Post back a fresh hijackthis log and a fresh combofix log, please.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
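The fix.reg deletion that the helper walks through above can be generated from ComboFix's "Reg Loading Points" output instead of typed by hand. The following is an added example, not a tool from this thread, from MalwareRemoval.com or from ComboFix: Python that parses the MountPoints2 keys (the sample log text is constructed to match the format ComboFix prints in this thread), flags drives whose Shell verbs launch a script from the drive itself, and emits the same "Windows Registry Editor Version 5.00" / [-KEY] syntax that fix.reg uses. The registry export backup step still applies before merging anything it produces.

```python
"""Build a MountPoints2 cleanup .reg file from a ComboFix log excerpt.

MountPoints2 caches the autorun.inf of every drive a user has opened. When a
removable drive carried a worm, the cached Shell\AutoRun, \open and \explore
verbs keep pointing at the worm's script (here 33gmhso.bat, as in the thread)
even after the drive itself has been cleaned, so the per-drive key is deleted.
"""
import re
from typing import Dict, List

MOUNTPOINTS2 = r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2"

# Key header as ComboFix prints it: [HKEY_CURRENT_USER\...\mountpoints2\<drive letter>]
KEY_RE = re.compile(r"^\[" + re.escape(MOUNTPOINTS2) + r"\\([A-Z])\]\s*$", re.IGNORECASE)
# Verb line below the header: \Shell\<verb>\command - <target>
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.IGNORECASE)

# Extensions that have no business being an autorun target on a data drive.
SCRIPT_EXTS = (".bat", ".cmd", ".com", ".exe", ".vbs", ".scr", ".pif")

# Constructed sample, modelled on the "Reg Loading Points" section of the log in
# this thread; the trailing security-center key shows that an unrelated key ends
# a MountPoints2 block.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\33gmhso.bat
\Shell\explore\Command - F:\33gmhso.bat
\Shell\open\Command - F:\33gmhso.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\33gmhso.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"""


def parse_mountpoints(log_text: str) -> Dict[str, Dict[str, str]]:
    """Return {drive_letter: {verb: target}} for every MountPoints2 key in the log."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            entries.setdefault(current, {})
            continue
        if line.startswith("["):
            current = None  # any other registry key closes the current block
            continue
        if current is None:
            continue
        v = VERB_RE.match(line)
        if v:
            entries[current][v.group(1).lower()] = v.group(2)
    return entries


def suspicious_drives(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Drive letters whose cached verbs run a script or executable from that same drive.

    Legitimate autorun launchers can match too, so this is a review list, not a
    verdict; in the thread's case the target is the worm's dropped .bat file.
    """
    flagged: List[str] = []
    for letter, verbs in sorted(entries.items()):
        for target in verbs.values():
            t = target.lower()
            if t.startswith(letter.lower() + ":\\") and t.endswith(SCRIPT_EXTS):
                flagged.append(letter)
                break
    return flagged


def build_fix_reg(drives: List[str]) -> str:
    """Emit regedit 5.00 syntax; a leading '-' inside the brackets deletes the key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for d in drives:
        lines.append(f"[-{MOUNTPOINTS2}\\{d}]")
        lines.append("")
    return "\r\n".join(lines)  # .reg files use CRLF line endings


if __name__ == "__main__":
    found = parse_mountpoints(SAMPLE_LOG)
    for letter, verbs in sorted(found.items()):
        print(f"drive {letter}: {verbs}")
    print(build_fix_reg(suspicious_drives(found)))
```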

Re: Malware problem

Unread postby 2rone » August 1st, 2008, 12:23 am

Hi
It seems that my laptop is clean now... :)

Here are the logs

COMBOFIX

ComboFix 08-07-29.1 - resty 2008-08-01 11:43:17.8 - NTFSx86
Running from: C:\Documents and Settings\resty\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-07-29 08:47 . 2008-07-29 08:50 <DIR> d-------- C:\Documents and Settings\resty\Application Data\Skype
2008-07-28 15:21 . 2008-07-28 15:21 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-07-28 15:12 . 2008-07-28 15:12 <DIR> d-------- C:\Program Files\Google
2008-07-28 15:12 . 2008-07-30 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-25 17:08 . 2008-02-15 12:45 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2008-07-25 16:56 . 2008-02-15 13:12 5,854,752 --a------ C:\WINDOWS\system32\drivers\igxpmp32.sys
2008-07-25 16:56 . 2008-02-15 13:12 2,643,968 --a------ C:\WINDOWS\system32\igxpdx32.dll
2008-07-25 16:56 . 2008-02-15 13:12 1,670,144 --a------ C:\WINDOWS\system32\igxpdv32.dll
2008-07-25 16:56 . 2008-03-07 12:56 920,088 --a------ C:\WINDOWS\system32\igxpun.exe
2008-07-25 16:56 . 2006-11-10 08:25 319,456 --a------ C:\WINDOWS\system32\difxapi.dll
2008-07-25 16:56 . 2008-02-15 12:49 176,128 --a------ C:\WINDOWS\system32\igfxrsky.lrc
2008-07-25 16:56 . 2008-02-15 12:49 172,032 --a------ C:\WINDOWS\system32\igfxrslv.lrc
2008-07-25 16:56 . 2008-02-15 13:12 151,040 --a------ C:\WINDOWS\system32\igxpgd32.dll
2008-07-25 16:56 . 2008-02-15 13:21 147,456 --a------ C:\WINDOWS\system32\igfxCoIn_v4926.dll
2008-07-25 16:56 . 2008-02-15 13:12 57,344 --a------ C:\WINDOWS\system32\igxprd32.dll
2008-07-25 10:39 . 2008-07-25 10:39 <DIR> d-------- C:\Intel
2008-07-24 10:54 . 2008-07-28 19:37 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-23 17:53 . 2008-07-23 17:53 <DIR> d-------- C:\_OTMoveIt
2008-07-23 14:00 . 2008-07-31 19:17 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-23 14:00 . 2008-07-30 08:49 <DIR> d-------- C:\Documents and Settings\resty\Application Data\AVGTOOLBAR
2008-07-23 14:00 . 2008-07-23 14:00 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-23 14:00 . 2008-07-23 14:00 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-23 14:00 . 2008-07-23 14:00 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-23 13:58 . 2008-07-23 14:12 <DIR> d-------- C:\Program Files\AVG
2008-07-23 13:58 . 2008-07-23 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-08 18:18 . 2008-07-08 18:18 <DIR> d-------- C:\Program Files\Free Download Manager
2008-07-08 18:18 . 2008-07-31 09:06 <DIR> d-------- C:\Documents and Settings\resty\Application Data\Free Download Manager
2008-07-08 18:18 . 2008-07-08 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-07-04 11:20 . 2008-07-04 11:31 <DIR> d-------- C:\GBSI_Data_Uploader
2008-07-04 11:04 . 2008-07-04 11:04 <DIR> d-------- C:\Documents and Settings\resty\Application Data\Macrovision
2008-07-04 11:04 . 2008-07-04 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 03:09 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-31 01:29 --------- d-----w C:\Program Files\Launch Manager
2008-07-29 04:40 --------- d-----w C:\Documents and Settings\resty\Application Data\SQL Developer
2008-07-28 07:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-28 07:21 --------- d-----w C:\Program Files\Skype
2008-07-28 07:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-07-23 05:40 --------- d-----w C:\Program Files\Symantec
2008-07-23 05:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-23 05:39 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-23 05:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-21 06:33 --------- d-----w C:\Documents and Settings\resty\Application Data\AdobeUM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 08:48 --------- d-----w C:\Program Files\IzPack
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 01:24 --------- d-----w C:\Program Files\Yahoo!
2008-06-11 01:16 --------- d-----w C:\Program Files\Java
2008-06-09 23:08 --------- d-----w C:\Documents and Settings\resty\Application Data\Vidalia
2008-06-09 23:08 --------- d-----w C:\Documents and Settings\resty\Application Data\tor
2008-06-09 22:05 --------- d-----w C:\Documents and Settings\resty\Application Data\UFOAI
2007-10-08 02:34 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-10-08 02:37 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-21_14.45.36.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-28 07:30:53 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2008-07-30 08:42:36 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-5464-3428-800000000003}\ARPPRODUCTICON.exe
+ 2008-07-23 06:00:50 26,824 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-02-15 04:45:44 102,400 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\hccutils.dll
+ 2008-02-15 04:46:46 159,744 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\hkcmd.exe
+ 2008-02-15 04:54:26 1,589,248 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\ig4dev32.dll
+ 2008-02-15 04:54:38 2,412,544 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\ig4icd32.dll
+ 2008-02-15 04:48:06 524,288 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igfxcfg.exe
+ 2008-02-15 04:45:40 208,896 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igfxdev.dll
+ 2008-02-15 04:46:16 135,168 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igfxdo.dll
+ 2008-02-15 04:46:18 24,576 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igfxexps.dll
+ 2008-02-15 04:46:16 163,840 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igfxext.exe
+ 2008-02-15 04:46:18 131,072 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igfxpers.exe
+ 2008-02-15 04:46:26 204,800 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igfxpph.dll
+ 2008-02-15 04:45:28 3,293,184 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igfxress.dll
+ 2008-02-15 04:46:08 48,128 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igfxsrvc.dll
+ 2008-02-15 04:46:06 249,856 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igfxsrvc.exe
+ 2008-02-15 04:46:46 135,168 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igfxtray.exe
+ 2008-02-15 04:45:58 163,840 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igfxzoom.exe
+ 2008-02-15 05:11:56 1,843,784 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igklg400.dll
+ 2008-02-15 05:11:56 1,399,880 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igklg450.dll
+ 2008-02-15 05:01:04 294,912 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igldev32.dll
+ 2008-02-15 05:00:58 2,334,720 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\iglicd32.dll
+ 2008-02-15 05:11:56 104,636 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igmedcompkrn.dll
+ 2008-02-15 05:21:56 147,456 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igxpco32.dll
+ 2008-02-15 05:12:16 1,670,144 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igxpdv32.dll
+ 2008-02-15 05:12:14 2,643,968 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igxpdx32.dll
+ 2008-02-15 05:12:06 151,040 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igxpgd32.dll
+ 2008-02-15 05:12:06 5,854,752 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igxpmp32.sys
+ 2008-02-15 05:12:06 57,344 -c--a-w C:\WINDOWS\system32\DRVSTORE\igxp32_28D4AE6A4B66DD890D24C65EE34E5B62AB7E0BB9\igxprd32.dll
- 2005-11-28 08:50:50 73,728 ----a-w C:\WINDOWS\system32\hccutils.dll
+ 2008-02-15 04:45:44 102,400 ----a-w C:\WINDOWS\system32\hccutils.dll
- 2005-11-28 08:52:00 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2008-02-15 04:46:46 159,744 ----a-w C:\WINDOWS\system32\hkcmd.exe
- 2005-11-28 08:54:36 450,560 ----a-w C:\WINDOWS\system32\igfxcfg.exe
+ 2008-02-15 04:48:06 524,288 ----a-w C:\WINDOWS\system32\igfxcfg.exe
- 2005-11-28 08:51:04 135,168 ----a-w C:\WINDOWS\system32\igfxdev.dll
+ 2008-02-15 04:45:40 208,896 ----a-w C:\WINDOWS\system32\igfxdev.dll
- 2005-11-28 08:52:06 86,016 ----a-w C:\WINDOWS\system32\igfxdo.dll
+ 2008-02-15 04:46:16 135,168 ----a-w C:\WINDOWS\system32\igfxdo.dll
- 2005-11-28 08:55:52 40,960 ----a-w C:\WINDOWS\system32\igfxexps.dll
+ 2008-02-15 04:46:18 24,576 ----a-w C:\WINDOWS\system32\igfxexps.dll
- 2005-11-28 08:55:50 94,208 ----a-w C:\WINDOWS\system32\igfxext.exe
+ 2008-02-15 04:46:16 163,840 ----a-w C:\WINDOWS\system32\igfxext.exe
- 2005-11-28 08:55:58 118,784 ----a-w C:\WINDOWS\system32\igfxpers.exe
+ 2008-02-15 04:46:18 131,072 ----a-w C:\WINDOWS\system32\igfxpers.exe
- 2005-11-28 08:54:58 147,456 ----a-w C:\WINDOWS\system32\igfxpph.dll
+ 2008-02-15 04:46:26 204,800 ----a-w C:\WINDOWS\system32\igfxpph.dll
- 2005-11-28 08:55:04 1,503,232 ----a-w C:\WINDOWS\system32\igfxress.dll
+ 2008-02-15 04:45:28 3,293,184 ----a-w C:\WINDOWS\system32\igfxress.dll
- 2005-11-28 08:51:54 57,344 ----a-w C:\WINDOWS\system32\igfxsrvc.dll
+ 2008-02-15 04:46:08 48,128 ----a-w C:\WINDOWS\system32\igfxsrvc.dll
- 2005-11-28 08:51:52 159,744 ----a-w C:\WINDOWS\system32\igfxsrvc.exe
+ 2008-02-15 04:46:06 249,856 ----a-w C:\WINDOWS\system32\igfxsrvc.exe
- 2005-11-28 08:55:14 98,304 ----a-w C:\WINDOWS\system32\igfxtray.exe
+ 2008-02-15 04:46:46 135,168 ----a-w C:\WINDOWS\system32\igfxtray.exe
- 2005-11-28 08:55:44 114,688 ----a-w C:\WINDOWS\system32\igfxzoom.exe
+ 2008-02-15 04:45:58 163,840 ----a-w C:\WINDOWS\system32\igfxzoom.exe
- 2005-11-28 09:04:22 524,288 ----a-w C:\WINDOWS\system32\igldev32.dll
+ 2008-02-15 05:01:04 294,912 ----a-w C:\WINDOWS\system32\igldev32.dll
- 2005-11-28 09:02:32 2,310,144 ----a-w C:\WINDOWS\system32\iglicd32.dll
+ 2008-02-15 05:00:58 2,334,720 ----a-w C:\WINDOWS\system32\iglicd32.dll
+ 2008-03-07 04:56:46 61,440 ----a-w C:\WINDOWS\system32\Lang\HDMI\ENU\HDMIENU.dll
+ 2005-11-28 08:50:50 73,728 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\hccutils.dll
+ 2005-11-28 08:52:00 77,824 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\hkcmd.exe
+ 2005-11-28 09:12:04 61,440 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\iAlmCoIn.dll
+ 2005-11-28 09:19:20 899,194 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\ialmdd5.dll
+ 2005-11-28 09:11:50 214,746 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\ialmdev5.dll
+ 2005-11-28 09:12:02 119,419 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\ialmdnt5.dll
+ 2005-11-28 09:20:20 1,353,820 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\ialmnt5.sys
+ 2005-11-28 09:12:04 49,152 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\ialmrem.dll
+ 2005-11-28 09:12:08 36,990 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\ialmrnt5.dll
+ 2005-11-28 08:54:36 450,560 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxcfg.exe
+ 2005-11-28 08:51:04 135,168 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxdev.dll
+ 2005-11-28 08:52:06 86,016 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxdo.dll
+ 2005-11-28 08:55:52 40,960 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxexps.dll
+ 2005-11-28 08:55:50 94,208 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxext.exe
+ 2005-11-28 08:55:58 118,784 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxpers.exe
+ 2005-11-28 08:54:58 147,456 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxpph.dll
+ 2005-11-28 08:55:04 1,503,232 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxress.dll
+ 2005-11-28 08:51:54 57,344 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxsrvc.dll
+ 2005-11-28 08:51:52 159,744 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxsrvc.exe
+ 2005-11-28 08:55:14 98,304 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxtray.exe
+ 2005-11-28 08:55:44 114,688 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxzoom.exe
+ 2005-11-28 09:04:22 524,288 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igldev32.dll
+ 2005-11-28 09:02:32 2,310,144 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\iglicd32.dll
+ 2005-11-28 08:50:50 73,728 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\hccutils.dll
+ 2005-11-28 08:52:00 77,824 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\hkcmd.exe
+ 2005-11-28 09:12:04 61,440 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\iAlmCoIn.dll
+ 2005-11-28 09:19:20 899,194 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\ialmdd5.dll
+ 2005-11-28 09:11:50 214,746 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\ialmdev5.dll
+ 2005-11-28 09:12:02 119,419 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\ialmdnt5.dll
+ 2005-11-28 09:20:20 1,353,820 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\ialmnt5.sys
+ 2005-11-28 09:12:04 49,152 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\ialmrem.dll
+ 2005-11-28 09:12:08 36,990 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\ialmrnt5.dll
+ 2008-02-15 04:48:06 524,288 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxcfg.exe
+ 2008-02-15 04:45:40 208,896 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxdev.dll
+ 2008-02-15 04:46:16 135,168 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxdo.dll
+ 2008-02-15 04:46:18 24,576 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxexps.dll
+ 2008-02-15 04:46:16 163,840 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxext.exe
+ 2005-11-28 08:55:58 118,784 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxpers.exe
+ 2005-11-28 08:54:58 147,456 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxpph.dll
+ 2005-11-28 08:55:04 1,503,232 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxress.dll
+ 2005-11-28 08:51:54 57,344 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxsrvc.dll
+ 2008-02-15 04:46:06 249,856 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxsrvc.exe
+ 2008-02-15 04:46:46 135,168 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxtray.exe
+ 2008-02-15 04:45:58 163,840 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxzoom.exe
+ 2008-02-15 05:01:04 294,912 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igldev32.dll
+ 2008-02-15 05:00:58 2,334,720 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\iglicd32.dll
+ 2006-06-05 06:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 06:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 06:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-28 15:13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 10:17 102491]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 10:16 692315]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 18:00 345088]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 19:43 401408]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-03-30 16:56 471040]
"ImageItEncrypt"="C:\WINDOWS\system32\ImageItEncrypt.exe" [2005-12-30 17:02 40960]
"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 01:12 579584]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-03-30 18:47 421888]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 17:21 53248]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-23 13:59 1232152]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-15 12:46 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-15 12:46 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-15 12:46 131072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - C:\Apache\Apache2\bin\ApacheMonitor.exe [2006-07-27 18:59:08 41042]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
backup=C:\WINDOWS\pss\Acer Empowering Technology.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^resty^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^resty^Start Menu^Programs^Startup^UberIcon.lnk]
backup=C:\WINDOWS\pss\UberIcon.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^resty^Start Menu^Programs^Startup^Y'z Shadow.lnk]
backup=C:\WINDOWS\pss\Y'z Shadow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^resty^Start Menu^Programs^Startup^Y'z ToolBar.lnk]
backup=C:\WINDOWS\pss\Y'z ToolBar.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-14 03:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-12-17 20:13 3810544 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"OracleOraDb10g_home1TNSListener"=2 (0x2)
"OracleOraDb10g_home1iSQL*Plus"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acer ePresentation HPD"=C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"ntiMUI"=C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_06\\jre\\bin\\java.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\sqldeveloper\\sqldeveloper.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-23 14:00]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-23 13:59]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-23 13:59]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-23 14:00]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 19:57]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 19:57]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []
S2 OracleDBConsoledb0001;OracleDBConsoledb0001;D:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe []
S2 OracleDBConsoleroannewd;OracleDBConsoleroannewd;C:\oracle10gr2\product\10.2.0\db_1\bin\nmesrvc.exe []
S3 MySQL41;MySQL41;C:\MySQL\bin\mysqld-nt --defaults-file=C:\MySQL\my.ini MySQL41 []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 OracleOraHomeSNMPPeerEncapsulator;OracleOraHomeSNMPPeerEncapsulator;c:\oracle\ora92\BIN\ENCSVC.EXE [2002-02-13 11:23]
S3 OracleOraHomeSNMPPeerMasterAgent;OracleOraHomeSNMPPeerMasterAgent;c:\oracle\ora92\BIN\AGNTSVC.EXE [2002-02-13 11:23]
S3 OracleOraHomeTNSListenerLISTENER1;OracleOraHomeTNSListenerLISTENER1;c:\oracle\ora92\BIN\TNSLSNR []
S3 OracleServiceFDP;OracleServiceFDP;c:\oracle\ora92\bin\ORACLE.EXE FDP []
S3 OracleServiceROANDB;OracleServiceROANDB;c:\oracle\ora92\bin\ORACLE.EXE ROANDB []
S4 Apache2.2;Apache2.2;C:\bin\httpd.exe []
S4 OracleDBConsoledbTest;OracleDBConsoledbTest;D:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe []
S4 OracleServiceISYSAPCHRDEMO;OracleServiceISYSAPCHRDEMO;c:\oracle\ora92\bin\ORACLE.EXE ISYSAPCHRDEMO []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\33gmhso.bat
\Shell\explore\Command - F:\33gmhso.bat
\Shell\open\Command - F:\33gmhso.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\33gmhso.bat
\Shell\explore\Command - G:\33gmhso.bat
\Shell\open\Command - G:\33gmhso.bat
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyServer = 16.157.192.224:8888
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 -: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 -: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 -: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} - hxxp://60.248.39.146:1025/RtspVaPgDec.cab
C:\WINDOWS\Downloaded Program Files\RtspVapgDecoder.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 11:54:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\MySQL41]
"ImagePath"="\"C:\MySQL\bin\mysqld-nt\" --defaults-file=\"C:\MySQL\my.ini\" \"MySQL41\""

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\OracleOraHome92TNSListener]
"ImagePath"="C:\oracle\ora92\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\OracleOraHomePagingServer]
"ImagePath"="c:\oracle\ora92/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\OracleOraHomeTNSListener]
"ImagePath"="c:\oracle\ora92\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\OracleOraHomeTNSListenerLISTENER1]
"ImagePath"="c:\oracle\ora92\BIN\TNSLSNR "
.
Completion time: 2008-08-01 12:08:26
ComboFix-quarantined-files.txt 2008-08-01 04:08:04
ComboFix2.txt 2008-07-31 01:28:03
ComboFix3.txt 2008-07-30 10:46:53
ComboFix4.txt 2008-07-24 11:12:30
ComboFix5.txt 2008-08-01 03:41:19

Pre-Run: 13,570,052,096 bytes free
Post-Run: 25,597,219,328 bytes free

325 --- E O F --- 2008-07-11 01:10:16


HJT LOGFILE

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:14 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\wil\various installers\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 16.157.192.224:8888
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Apache\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} (RtspVaPgCtrl Class) - http://60.248.39.146:1025/RtspVaPgDec.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Apache\Apache2\bin\Apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: MySQL41 - Unknown owner - C:\MySQL\bin\mysqld-nt (file missing)
O23 - Service: OracleDBConsoledb0001 - Unknown owner - D:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe (file missing)
O23 - Service: OracleDBConsoleroannewd - Unknown owner - C:\oracle10gr2\product\10.2.0\db_1\bin\nmesrvc.exe (file missing)
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleOraHomeAgent - Oracle Corporation - c:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHomeClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHomeHTTPServer - Unknown owner - c:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHomePagingServer - Unknown owner - c:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHomeSNMPPeerEncapsulator - Unknown owner - c:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHomeSNMPPeerMasterAgent - Unknown owner - c:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHomeTNSListener - Unknown owner - c:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleOraHomeTNSListenerLISTENER1 - Unknown owner - c:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceFDP - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceROANDB - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10195 bytes


Anyway, what can I do with those hidden folders (FOUND.001, Recycled, etc...) that were generated by ComboFix?
2rone
Regular Member
 
Posts: 20
Joined: July 16th, 2008, 4:06 am
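The HijackThis log above is raw tool output. As an added example (not code from the thread, from HijackThis or from ComboFix), the following parses its O4, O16 and O23 lines into records and attaches review flags; the flag heuristics (missing service binary, no publisher in version info, ActiveX package fetched from a bare IP) are assumptions of this example, not HijackThis rules.

```python
"""Parse HijackThis O4/O16/O23 log lines and flag entries worth a second look."""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} (RtspVaPgCtrl Class) - http://60.248.39.146:1025/RtspVaPgDec.cab
O23 - Service: Apache2 - Apache Software Foundation - C:\Apache\Apache2\bin\Apache.exe
O23 - Service: MySQL41 - Unknown owner - C:\MySQL\bin\mysqld-nt (file missing)
"""

@dataclass
class Entry:
    section: str                       # "O4", "O16" or "O23"
    name: str                          # run-key value name, DPF class or service name
    detail: str                        # registry hive, CLSID or service owner
    path: str                          # file path or download URL
    flags: list = field(default_factory=list)

# Line shapes as HijackThis prints them (O4 "Global Startup" lines are not covered).
_PATTERNS = {
    "O4":  re.compile(r"^O4 - (?P<detail>\S+): \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<detail>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<detail>.+?) - (?P<path>.*)$"),
}
_BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.IGNORECASE)

def parse_line(line):
    """Return an Entry for a recognised line, None otherwise."""
    for section, pat in _PATTERNS.items():
        m = pat.match(line.strip())
        if m:
            return Entry(section, m["name"], m["detail"], m["path"])
    return None

def triage(entry):
    """Attach review flags; these heuristics are assumptions of this example."""
    if entry.section == "O23":
        if "(file missing)" in entry.path:
            entry.flags.append("service binary missing")
        if entry.detail == "Unknown owner":
            entry.flags.append("no publisher in version info")
    if entry.section == "O16" and _BARE_IP_URL.match(entry.path):
        entry.flags.append("ActiveX package fetched from a bare IP address")
    return entry

def review(log_text):
    """Parse every line and return only the entries that picked up a flag."""
    entries = [triage(e) for e in map(parse_line, log_text.splitlines()) if e]
    return [e for e in entries if e.flags]
```

A flag marks an entry for a helper to look at; it is not a verdict, since a missing binary or an empty publisher field is common for legitimately uninstalled or unsigned software.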

Re: Malware problem

Unread postby Shaba » August 1st, 2008, 1:30 am

Hi

Those files are not created by ComboFix; ComboFix just made hidden folders/files visible :)

Please don't touch them.

Please re-scan with Kaspersky and post back a fresh Kaspersky report along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Malware problem

Unread postby 2rone » August 5th, 2008, 6:08 am

Hi

Been busy here...I'll post my scan report by tomorrow... :D
2rone
Regular Member
 
Posts: 20
Joined: July 16th, 2008, 4:06 am

Re: Malware problem

Unread postby Shaba » August 5th, 2008, 8:07 am

Thanks for the info :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland