Malware.Trace / Trojan.Vundo - PLEASE HELP CAN'T REMOVE!!
patel121 (New Member, joined Apr 2007, 14 posts) - Posted 11-20-2008 3:26 (GMT +1)
Hi
I have a massive problem: I think I have somehow got a trojan installed on my computer. I have run Malwarebytes in normal and safe mode (quick scan & full scan), Smitfraud, Virtumondo and Virtumondobegone, ComboFix, and I don't know what else to do!
The 2 files that come up on the Malwarebytes scan are: Malware.Trace and Trojan.Vundo - and then in a grey box the following message:
Regedit has been disabled and will affect the quarantining process. Malwarebytes' Anti-Malware will now enable Regedit.
When I log on to the internet I get adserve.adtech flashing before I get my homepage of Sky Broadband.
Please, please can someone help me - I really don't want to re-install my hard drive........
Thanks in advance
Touch (Forum Moderator, joined Jun 2004, 14350 posts) - Posted 11-20-2008 5:07 (GMT +1)
Hello Patel121.
I'll be glad to help, but it seems to be a waste of time, as you have 3 topics with no reply from you:
Do NOT post your problem in someone elses thread.
A non-profit, volunteer network.
patel121 (New Member) - Posted 11-20-2008 12:00 (GMT +1)
Hello Touch
Fair dues - I accept that on those occasions I did not reply, but that was then and this is now. Please accept my apologies - I would appreciate your assistance if you are still willing to forgive and forget.
I await your reply.
Thanks
Touch (Forum Moderator) - Posted 11-20-2008 1:19 (GMT +1)
No problem
Please post the logs from Malwarebytes and ComboFix.
And I assume we can lock your old topics?
patel121 (New Member) - Posted 11-20-2008 4:38 (GMT +1)
Hi Touch - thanks. Please see below the reports requested as per the above post:
ComboFix:
ComboFix 08-11-18.A2 - PPATEL 2008-11-20 1:56:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.155 [GMT 0:00]
Running from: c:\documents and settings\PPATEL\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\PPATEL\Application Data\inst.exe
c:\windows\system32\bcanoyfi.dll
c:\windows\system32\cdlfvomy.dll
c:\windows\system32\ewnqzc.dll
c:\windows\system32\fbliaojw.ini
c:\windows\system32\gdlsphoj.dll
c:\windows\system32\mpxa.exe
c:\windows\system32\Pncrt.dll
c:\windows\system32\wxseibmi.ini
. ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) .
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 ))))))))))))))))))))))))))))))) .
2008-11-20 01:38 . 2008-11-20 01:49 <DIR> d-------- c:\program files\RegCure 2008-11-19 11:05 . 2008-11-20 01:58 0 --a------ c:\windows\system32\Sweeper.cfg 2008-11-19 09:57 . 2008-11-19 11:05 <DIR> d-------- c:\program files\Spyware Doctor 2008-11-19 09:57 . 2008-11-19 09:57 <DIR> d-------- c:\documents and settings\PPATEL\Application Data\PC Tools 2008-11-19 09:57 . 2005-07-06 18:13 499,712 --a------ c:\windows\system32\msvcp71.dll 2008-11-19 09:57 . 2005-07-06 18:13 348,160 --a------ c:\windows\system32\msvcr71.dll 2008-11-19 09:57 . 2005-12-13 15:18 50,048 --a------ c:\windows\system32\drivers\ikhlayer.sys 2008-11-19 09:38 . 2008-11-19 09:38 244 --ah----- C:\sqmnoopt11.sqm 2008-11-19 09:38 . 2008-11-19 09:38 232 --ah----- C:\sqmdata11.sqm 2008-11-19 09:19 . 2008-11-19 09:19 <DIR> d-------- c:\program files\Trend Micro 2008-11-17 23:20 . 2008-11-17 23:20 <DIR> d---s---- c:\documents and settings\LocalService\UserData 2008-11-17 22:56 . 2008-11-19 08:58 <DIR> d-------- C:\VundoFix Backups 2008-11-17 18:26 . 2008-11-17 18:26 41,472 --a------ c:\windows\system32\bamfqpkk.dll 2008-11-17 18:21 . 2008-11-17 18:21 0 --a------ C:\psqrhqn.exe 2008-11-17 18:21 . 2008-11-17 18:21 0 --a------ C:\nriljal.exe 2008-11-17 18:21 . 2008-11-17 18:21 0 --a------ C:\naxv.exe 2008-11-17 18:21 . 2008-11-17 18:21 0 --a------ C:\cvqkuk.exe 2008-11-17 18:20 . 2008-11-20 01:59 112,210 --a------ c:\windows\system32\drivers\54d34c18.sys 2008-11-17 18:20 . 2008-11-17 18:20 50,688 --a------ C:\lmggdc.exe 2008-11-17 18:20 . 2008-11-17 18:20 0 --a------ C:\2020570992 2008-11-17 17:48 . 2008-11-17 18:17 <DIR> d-------- c:\program files\VSO 2008-11-17 17:48 . 2008-11-17 18:23 <DIR> d-------- c:\documents and settings\PPATEL\Application Data\Vso 2008-11-17 17:48 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll 2008-11-17 17:48 . 2006-05-11 19:21 626,688 --a------ c:\windows\system32\vp7vfw.dll 2008-11-17 17:48 . 
2006-09-29 12:24 217,127 --a------ c:\windows\system32\drv43260.dll 2008-11-17 17:48 . 2006-09-29 12:25 208,935 --a------ c:\windows\system32\drv33260.dll 2008-11-17 17:48 . 2006-09-29 12:26 176,165 --a------ c:\windows\system32\drv23260.dll 2008-11-17 17:48 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll 2008-11-17 17:48 . 2007-03-18 20:37 65,602 --a------ c:\windows\system32\cook3260.dll 2008-11-17 17:48 . 2008-11-17 17:48 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys 2008-11-17 17:48 . 2008-11-17 17:48 47,360 --a------ c:\documents and settings\PPATEL\Application Data\pcouffin.sys 2008-11-17 17:34 . 2008-11-17 17:34 <DIR> d-------- c:\program files\Super Video Converter 2008-11-17 17:31 . 2008-11-17 17:31 <DIR> d-------- c:\program files\Cucusoft 2008-11-09 23:32 . 2008-11-09 23:32 244 --ah----- C:\sqmnoopt10.sqm 2008-11-09 23:32 . 2008-11-09 23:32 232 --ah----- C:\sqmdata10.sqm 2008-11-09 00:03 . 2008-11-09 00:03 244 --ah----- C:\sqmnoopt09.sqm 2008-11-09 00:03 . 2008-11-09 00:03 232 --ah----- C:\sqmdata09.sqm 2008-11-06 20:35 . 2008-11-06 20:35 244 --ah----- C:\sqmnoopt08.sqm 2008-11-06 20:35 . 2008-11-06 20:35 232 --ah----- C:\sqmdata08.sqm 2008-11-05 20:26 . 2008-11-05 20:26 244 --ah----- C:\sqmnoopt07.sqm 2008-11-05 20:26 . 2008-11-05 20:26 232 --ah----- C:\sqmdata07.sqm 2008-11-02 00:39 . 2008-11-02 00:39 244 --ah----- C:\sqmnoopt06.sqm 2008-11-02 00:39 . 2008-11-02 00:39 232 --ah----- C:\sqmdata06.sqm 2008-10-31 23:51 . 2008-10-31 23:51 244 --ah----- C:\sqmnoopt05.sqm 2008-10-31 23:51 . 2008-10-31 23:51 232 --ah----- C:\sqmdata05.sqm 2008-10-31 17:31 . 2008-10-31 17:31 244 --ah----- C:\sqmnoopt04.sqm 2008-10-31 17:31 . 2008-10-31 17:31 232 --ah----- C:\sqmdata04.sqm 2008-10-30 23:39 . 2008-10-30 23:39 244 --ah----- C:\sqmnoopt03.sqm 2008-10-30 23:39 . 2008-10-30 23:39 232 --ah----- C:\sqmdata03.sqm 2008-10-30 20:45 . 2008-10-30 20:45 244 --ah----- C:\sqmnoopt02.sqm 2008-10-30 20:45 . 
2008-10-30 20:45 232 --ah----- C:\sqmdata02.sqm 2008-10-21 20:38 . 2008-10-21 20:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScanSoft 2008-10-21 20:36 . 2008-10-21 20:36 <DIR> d-------- c:\documents and settings\PPATEL\Application Data\ArcSoft 2008-10-21 20:32 . 2008-10-21 20:32 244 --ah----- C:\sqmnoopt01.sqm 2008-10-21 20:32 . 2008-10-21 20:32 232 --ah----- C:\sqmdata01.sqm
. (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-18 18:11 --------- d-----w c:\program files\McAfee 2008-11-18 18:10 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com 2008-11-18 18:06 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall 2008-11-18 18:03 --------- d-----w c:\program files\Malwarebytes' Anti-Malware 2008-10-22 16:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2008-10-22 16:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys 2008-10-11 20:38 --------- d-----w c:\program files\Java 2008-10-04 18:54 --------- d-----w c:\program files\Windows Live 2008-10-04 18:49 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller 2008-10-04 18:48 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller .
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-08-18 49152]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-18 4841472] "IW ControlCenter"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2003-03-12 836096] "PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2003-05-05 393728] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152] "HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032] "DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960] "OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "Cmaudio"="cmicnfg.cpl" [2003-02-24 c:\windows\CMICNFG.CPL] "nwiz"="nwiz.exe" [2003-08-18 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\PPATEL\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]
c:\documents and settings\All Users\Start Menu\Programs\Startup\ NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 2297856]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=gjhcps.dll ewnqzc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= vdrcodec.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\BitTornado\\btdownloadgui.exe"= "c:\\StubInstaller.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\WINDOWS\\system32\\winver.exe"=
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-04 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobiw.sys [2003-04-10 187392]
R3 cdrdrv;Cdrdrv;c:\windows\system32\Drivers\Cdrdrv.sys [2002-12-14 64000]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2006-03-27 167808]
S3 EUG;EUG;c:\docume~1\PPATEL\LOCALS~1\Temp\EUG.exe []
.
Contents of the 'Scheduled Tasks' folder
2008-11-20 c:\windows\Tasks\RegCure Program Check.job - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
2008-11-20 c:\windows\Tasks\RegCure.job - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21] . - - - - ORPHANS REMOVED - - - -
HKLM-Run-OemReset - c:\windows\OPTIONS\OEMRESET.EXE HKU-Default-Run-Spyware Doctor - (no file)
. ------- Supplementary Scan ------- . uStart Page = hxxp://www.sky.com/ uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com -
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd .
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-20 01:59:29 Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\mucltui.dll 270880 bytes executable c:\windows\system32\mucltui.dll.mui 29728 bytes executable
scan completed successfully hidden files: 2
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\54d34c18]
"ImagePath"="\SystemRoot\System32\drivers\54d34c18.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\system32\winlogon.exe -> c:\windows\system32\RtlGina2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Spyware Doctor\sdhelp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-20 2:04:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 02:04:05
Pre-Run: 58,707,722,240 bytes free Post-Run: 58,639,060,992 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
205
Malwarebytes:
Database version: 1409
Windows 5.1.2600 Service Pack 2
20/11/2008 02:32:47 mbam-log-2008-11-20 (02-32-47).txt
Scan type: Quick Scan Objects scanned: 46686 Time elapsed: 15 minute(s), 20 second(s)
Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
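A way to triage a log like the one above mechanically, added here as an example and not part of the original thread or of ComboFix: the script below parses a few lines in the shape of the posted ComboFix log (the sample is constructed from paths that appear in the post, not the whole log), flags the kinds of entries the moderator acted on, and drafts a CFScript in the section layout used in this thread (Killall::, Snapshot::, File::, Driver::, Registry::). The heuristics are mine and will produce false positives: an executable with a short random-looking name, a zero-byte or loose .exe in the drive root, a driver named by eight hex digits, a service whose image lives under Temp or cannot be found, and any DLL named in AppInit_DLLs. That the AppInit DLLs sit in system32 is also an assumption (it holds on this page). The draft is for a human to review, never something to drop on ComboFix unread.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the ComboFix log posted above; the paths
# are copied from that post but this is a hand-picked excerpt, not the log.
SAMPLE_LOG = r"""
2008-11-17 18:21 . 2008-11-17 18:21 0 --a------ C:\psqrhqn.exe
2008-11-17 18:21 . 2008-11-17 18:21 0 --a------ C:\naxv.exe
2008-11-17 18:20 . 2008-11-17 18:20 50,688 --a------ C:\lmggdc.exe
2008-11-17 18:26 . 2008-11-17 18:26 41,472 --a------ c:\windows\system32\bamfqpkk.dll
2008-11-17 18:20 . 2008-11-20 01:59 112,210 --a------ c:\windows\system32\drivers\54d34c18.sys
2008-11-19 09:57 . 2005-07-06 18:13 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-11-19 09:57 . 2008-11-19 11:05 <DIR> d-------- c:\program files\Spyware Doctor
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=gjhcps.dll ewnqzc.dll
S3 EUG;EUG;c:\docume~1\PPATEL\LOCALS~1\Temp\EUG.exe []
S1 54d34c18;54d34c18;c:\windows\system32\drivers\54d34c18.sys []
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2006-03-27 167808]
"""

# One "Files Created" line: created . modified size attrs path
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) \S+ (?P<path>.+)$"
)
# One service/driver line: R<n>|S<n> name;display;image [stamp]
SERVICE_RE = re.compile(
    r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[(?P<stamp>[^\]]*)\]$"
)
APPINIT_RE = re.compile(r'"AppInit_DLLs"=(?P<dlls>.*)$')
HEX_SYS_RE = re.compile(r"^[0-9a-f]{8}\.sys$")


def looks_random(stem: str) -> bool:
    """Heuristic: short, all-lowercase-letter name with almost no vowels."""
    if not (4 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    return sum(ch in "aeiou" for ch in stem) / len(stem) < 0.3


def triage(log: str) -> Dict[str, List[str]]:
    """Pull out the file, service and AppInit_DLLs entries worth a second look."""
    files: List[str] = []
    drivers: List[str] = []
    appinit: List[str] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            if m.group("size") == "<DIR>":
                continue
            path = m.group("path")
            name = path.rsplit("\\", 1)[-1].lower()
            stem, _, ext = name.rpartition(".")
            in_root = path.count("\\") == 1            # e.g. C:\naxv.exe
            if (HEX_SYS_RE.match(name)                  # driver named by 8 hex digits
                    or (ext == "exe" and in_root)        # loose executable in the drive root
                    or (ext in ("exe", "dll", "sys") and looks_random(stem))):
                files.append(path)
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = m.group("image").lower()
            # An empty [] means ComboFix could not find the image file on disk.
            if "\\temp\\" in image or m.group("stamp") == "":
                drivers.append(m.group("name"))
            continue
        m = APPINIT_RE.search(line)
        if m:
            appinit.extend(d for d in re.split(r"[ ,]+", m.group("dlls").strip()) if d)
    # AppInit DLLs are listed by bare name; assumed to live in system32 as in this thread.
    files.extend("c:\\windows\\system32\\" + d for d in appinit)
    return {"files": files, "drivers": drivers, "appinit_dlls": appinit}


def render_cfscript(findings: Dict[str, List[str]]) -> str:
    """Draft a CFScript in the section layout the moderator used; review before use."""
    parts = ["Killall::", "Snapshot::"]
    if findings["files"]:
        parts += ["", "File::"] + findings["files"]
    if findings["drivers"]:
        parts += ["", "Driver::"] + findings["drivers"]
    if findings["appinit_dlls"]:
        parts += ["", "Registry::",
                  r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]",
                  '"AppInit_DLLs"=-']
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample, the draft names the same seven files, the EUG and 54d34c18 services, and the AppInit_DLLs value that the two moderator scripts in this thread target; the legitimate msvcp71.dll and the NETGEAR driver are left alone because their names carry digits or a known path.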
Touch (Forum Moderator) - Posted 11-20-2008 5:36 (GMT +1)
1. Close any open browsers.
2. Open Notepad and copy/paste the text in the quote box below into it. Name the file CFScript and save it on the desktop.
Killall::
Snapshot::
File::
c:\windows\system32\bamfqpkk.dll
C:\psqrhqn.exe
C:\nriljal.exe
C:\naxv.exe
C:\cvqkuk.exe
c:\windows\system32\drivers\54d34c18.sys
C:\lmggdc.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe, and post back the resulting report, along with a HijackThis log.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
patel121 (New Member) - Posted 11-20-2008 8:07 (GMT +1)
Just a quick question:
Once I do the below step - do I have to run ComboFix?
"Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe"
patel121 (New Member) - Posted 11-21-2008 2:24 (GMT +1)
Hi Touch
I went ahead and ran ComboFix anyway! Please see below the reports for ComboFix and HijackThis:
ComboFix report:
ComboFix 08-11-18.A2 - PPATEL 2008-11-21 1:12:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.220 [GMT 0:00]
Running from: c:\documents and settings\PPATEL\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\PPATEL\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\cvqkuk.exe
C:\lmggdc.exe
C:\naxv.exe
C:\nriljal.exe
C:\psqrhqn.exe
c:\windows\system32\bamfqpkk.dll
c:\windows\system32\drivers\54d34c18.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\cvqkuk.exe
C:\lmggdc.exe
C:\naxv.exe
C:\nriljal.exe
C:\psqrhqn.exe
c:\windows\system32\bamfqpkk.dll
c:\windows\system32\drivers\54d34c18.sys
. ((((((((((((((((((((((((( Files Created from 2008-10-21 to 2008-11-21 ))))))))))))))))))))))))))))))) .
2008-11-20 02:56 . 2008-11-20 02:56 <DIR> d--h----- c:\windows\$hf_mig$ 2008-11-20 02:00 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll 2008-11-20 02:00 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui 2008-11-20 01:38 . 2008-11-20 01:49 <DIR> d-------- c:\program files\RegCure 2008-11-19 11:05 . 2008-11-20 02:48 0 --a------ c:\windows\system32\Sweeper.cfg 2008-11-19 09:57 . 2005-07-06 18:13 499,712 --a------ c:\windows\system32\msvcp71.dll 2008-11-19 09:57 . 2005-07-06 18:13 348,160 --a------ c:\windows\system32\msvcr71.dll 2008-11-19 09:38 . 2008-11-19 09:38 244 --ah----- C:\sqmnoopt11.sqm 2008-11-19 09:38 . 2008-11-19 09:38 232 --ah----- C:\sqmdata11.sqm 2008-11-19 09:19 . 2008-11-19 09:19 <DIR> d-------- c:\program files\Trend Micro 2008-11-17 23:20 . 2008-11-17 23:20 <DIR> d---s---- c:\documents and settings\LocalService\UserData 2008-11-17 22:56 . 2008-11-19 08:58 <DIR> d-------- C:\VundoFix Backups 2008-11-17 18:20 . 2008-11-17 18:20 0 --a------ C:\2020570992 2008-11-17 17:48 . 2008-11-17 18:17 <DIR> d-------- c:\program files\VSO 2008-11-17 17:48 . 2008-11-17 18:23 <DIR> d-------- c:\documents and settings\PPATEL\Application Data\Vso 2008-11-17 17:48 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll 2008-11-17 17:48 . 2006-05-11 19:21 626,688 --a------ c:\windows\system32\vp7vfw.dll 2008-11-17 17:48 . 2006-09-29 12:24 217,127 --a------ c:\windows\system32\drv43260.dll 2008-11-17 17:48 . 2006-09-29 12:25 208,935 --a------ c:\windows\system32\drv33260.dll 2008-11-17 17:48 . 2006-09-29 12:26 176,165 --a------ c:\windows\system32\drv23260.dll 2008-11-17 17:48 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll 2008-11-17 17:48 . 2007-03-18 20:37 65,602 --a------ c:\windows\system32\cook3260.dll 2008-11-17 17:48 . 2008-11-17 17:48 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys 2008-11-17 17:48 . 
2008-11-17 17:48 47,360 --a------ c:\documents and settings\PPATEL\Application Data\pcouffin.sys 2008-11-17 17:34 . 2008-11-17 17:34 <DIR> d-------- c:\program files\Super Video Converter 2008-11-17 17:31 . 2008-11-17 17:31 <DIR> d-------- c:\program files\Cucusoft 2008-11-09 23:32 . 2008-11-09 23:32 244 --ah----- C:\sqmnoopt10.sqm 2008-11-09 23:32 . 2008-11-09 23:32 232 --ah----- C:\sqmdata10.sqm 2008-11-09 00:03 . 2008-11-09 00:03 244 --ah----- C:\sqmnoopt09.sqm 2008-11-09 00:03 . 2008-11-09 00:03 232 --ah----- C:\sqmdata09.sqm 2008-11-06 20:35 . 2008-11-06 20:35 244 --ah----- C:\sqmnoopt08.sqm 2008-11-06 20:35 . 2008-11-06 20:35 232 --ah----- C:\sqmdata08.sqm 2008-11-05 20:26 . 2008-11-05 20:26 244 --ah----- C:\sqmnoopt07.sqm 2008-11-05 20:26 . 2008-11-05 20:26 232 --ah----- C:\sqmdata07.sqm 2008-11-02 00:39 . 2008-11-02 00:39 244 --ah----- C:\sqmnoopt06.sqm 2008-11-02 00:39 . 2008-11-02 00:39 232 --ah----- C:\sqmdata06.sqm 2008-10-31 23:51 . 2008-10-31 23:51 244 --ah----- C:\sqmnoopt05.sqm 2008-10-31 23:51 . 2008-10-31 23:51 232 --ah----- C:\sqmdata05.sqm 2008-10-31 17:31 . 2008-10-31 17:31 244 --ah----- C:\sqmnoopt04.sqm 2008-10-31 17:31 . 2008-10-31 17:31 232 --ah----- C:\sqmdata04.sqm 2008-10-30 23:39 . 2008-10-30 23:39 244 --ah----- C:\sqmnoopt03.sqm 2008-10-30 23:39 . 2008-10-30 23:39 232 --ah----- C:\sqmdata03.sqm 2008-10-30 20:45 . 2008-10-30 20:45 244 --ah----- C:\sqmnoopt02.sqm 2008-10-30 20:45 . 2008-10-30 20:45 232 --ah----- C:\sqmdata02.sqm 2008-10-21 20:38 . 2008-10-21 20:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScanSoft 2008-10-21 20:36 . 2008-10-21 20:36 <DIR> d-------- c:\documents and settings\PPATEL\Application Data\ArcSoft 2008-10-21 20:32 . 2008-10-21 20:32 244 --ah----- C:\sqmnoopt01.sqm 2008-10-21 20:32 . 2008-10-21 20:32 232 --ah----- C:\sqmdata01.sqm
. (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-18 18:11 --------- d-----w c:\program files\McAfee 2008-11-18 18:10 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com 2008-11-18 18:06 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall 2008-11-18 18:03 --------- d-----w c:\program files\Malwarebytes' Anti-Malware 2008-10-22 16:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2008-10-22 16:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys 2008-10-11 20:38 --------- d-----w c:\program files\Java 2008-10-04 18:54 --------- d-----w c:\program files\Windows Live 2008-10-04 18:49 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller 2008-10-04 18:48 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller .
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-08-18 49152]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-18 4841472] "IW ControlCenter"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2003-03-12 836096] "PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2003-05-05 393728] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152] "HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032] "DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960] "OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "Cmaudio"="cmicnfg.cpl" [2003-02-24 c:\windows\CMICNFG.CPL] "nwiz"="nwiz.exe" [2003-08-18 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\PPATEL\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]
c:\documents and settings\All Users\Start Menu\Programs\Startup\ NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 2297856]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=gjhcps.dll ewnqzc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= vdrcodec.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\BitTornado\\btdownloadgui.exe"= "c:\\StubInstaller.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\WINDOWS\\system32\\winver.exe"=
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-04 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobiw.sys [2003-04-10 187392]
R3 cdrdrv;Cdrdrv;c:\windows\system32\Drivers\Cdrdrv.sys [2002-12-14 64000]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2006-03-27 167808]
S1 54d34c18;54d34c18;c:\windows\system32\drivers\54d34c18.sys []
S3 EUG;EUG;c:\docume~1\PPATEL\LOCALS~1\Temp\EUG.exe []
.
Contents of the 'Scheduled Tasks' folder
2008-11-21 c:\windows\Tasks\RegCure Program Check.job - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
2008-11-20 c:\windows\Tasks\RegCure.job - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21] .
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-21 01:16:58 Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
************************************************************************** . --------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\system32\winlogon.exe -> c:\windows\system32\RtlGina2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-21 1:21:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-21 01:21:36
ComboFix2.txt 2008-11-20 02:04:15
Pre-Run: 58,557,177,856 bytes free Post-Run: 58,548,244,480 bytes free
176 --- E O F --- 2008-11-20 02:56:28
HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 01:24:05, on 21/11/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\NETGEAR\WG111v2\WG111v2.exe C:\Program Files\LimeWire\LimeWire.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194475174984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199387455921
O20 - AppInit_DLLs: gjhcps.dll ewnqzc.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EUG - Unknown owner - C:\DOCUME~1\PPATEL\LOCALS~1\Temp\EUG.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
-- End of file - 5573 bytes
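As an added, defender-side illustration (not code from this thread, nor from HijackThis or ComboFix): a small Python triage that parses entries in the format of the log above and flags the two items the fix script later targets, the non-empty O20 AppInit_DLLs value and the O23 service whose binary sits in a user Temp folder and is missing. The sample lines are copied from the log; the flagging rules are my own heuristics, not a signature database.

```python
import re

# Sample entries copied from the HijackThis log posted above (a subset of the real log)
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r'O20 - AppInit_DLLs: gjhcps.dll ewnqzc.dll',
    r'O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe',
    r'O23 - Service: EUG - Unknown owner - C:\DOCUME~1\PPATEL\LOCALS~1\Temp\EUG.exe (file missing)',
    r'O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe',
]

ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")
RUN_RE = re.compile(r"^.*?\[(?P<name>[^\]]+)\] (?P<target>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_entries(lines):
    """Yield (code, body) for every well-formed 'Oxx - ...' / 'Rx - ...' line."""
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def in_temp_dir(path):
    """True when a path points under a Temp folder (also matches the 8.3 form XP prints)."""
    return "\\temp\\" in path.lower()


def triage(lines):
    """Return (code, reason, subject) findings; the rules are this example's own heuristics."""
    findings = []
    for code, body in parse_entries(lines):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # A non-empty AppInit_DLLs value is loaded into every process that links user32.
            dlls = body.split(":", 1)[1].split()
            if dlls:
                findings.append((code, "AppInit_DLLs is set", " ".join(dlls)))
        elif code == "O4":
            m = RUN_RE.match(body)
            if m and in_temp_dir(m.group("target")):
                findings.append((code, "Run entry launches from a Temp folder", m.group("name")))
        elif code == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                continue
            name, path = m.group("name"), m.group("path")
            if in_temp_dir(path):
                findings.append((code, "service binary lives in a user Temp folder", name))
            if path.endswith("(file missing)"):
                findings.append((code, "service points at a missing file", name))
    return findings


if __name__ == "__main__":
    for code, reason, subject in triage(SAMPLE_LINES):
        print(f"{code}: {reason}: {subject}")
```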
Touch (Forum Moderator, joined Jun 2004, 14350 posts) | Posted 11-21-2008 8:34 (GMT +1)
1. Close any open browsers.
2. Open Notepad and copy/paste the text in the quote box below into it.
Copy the entire contents of the quote box below to Notepad. Name the file CFScript and save it on the desktop.
Killall::
Snapshot::
File::
c:\windows\system32\bcanoyfi.dll
c:\windows\system32\cdlfvomy.dll
c:\windows\system32\ewnqzc.dll
c:\windows\system32\fbliaojw.ini
c:\windows\system32\gdlsphoj.dll
c:\windows\system32\mpxa.exe
c:\windows\system32\Pncrt.dll
c:\windows\system32\wxseibmi.ini
c:\windows\system32\gjhcps.dll
Driver::
EUG
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, post back the resulting report, and tell how things are running.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
patel121 (New Member, joined Apr 2007, 14 posts) | Posted 11-21-2008 11:00 (GMT +1)
Hi Touch
Here's the new report below. When I log on to the internet I still get this adserve address flashing in the bottom grey bar before my home page loads up.
2008-11-21 c:\windows\Tasks\RegCure Program Check.job - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
2008-11-20 c:\windows\Tasks\RegCure.job - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 09:57:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************

--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\system32\winlogon.exe -> c:\windows\system32\RtlGina2.dll

------------------------ Other Running Processes ------------------------
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
**************************************************************************

Completion time: 2008-11-21 9:58:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-21 09:58:55
ComboFix2.txt 2008-11-21 01:21:40
ComboFix3.txt 2008-11-20 02:04:15
Pre-Run: 58,513,563,648 bytes free
Post-Run: 58,516,344,832 bytes free
175 --- E O F --- 2008-11-20 02:56:28
patel121 (New Member, joined Apr 2007, 14 posts) | Posted 11-21-2008 12:32 (GMT +1)
Shall I re-do the ComboFix and re-send a report?
patel121 (New Member, joined Apr 2007, 14 posts) | Posted 11-21-2008 7:46 (GMT +1)
Hi Touch - are you based in the UK or USA?? Anyway, ComboFix report again below:
ComboFix 08-11-20.02 - PPATEL 2008-11-21 18:25:50.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.234 [GMT 0:00]
Running from: c:\documents and settings\PPATEL\Desktop\ComboFix.exe

((((((((((((((((((((((((( Files Created from 2008-10-21 to 2008-11-21 )))))))))))))))))))))))))))))))

2008-11-21 01:27 . 2008-11-21 01:27 244 --ah----- C:\sqmnoopt12.sqm
2008-11-21 01:27 . 2008-11-21 01:27 232 --ah----- C:\sqmdata12.sqm
2008-11-20 02:56 . 2008-11-20 02:56 <DIR> d--h----- c:\windows\$hf_mig$
2008-11-20 02:00 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll
2008-11-20 02:00 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-20 01:38 . 2008-11-20 01:49 <DIR> d-------- c:\program files\RegCure
2008-11-19 11:05 . 2008-11-20 02:48 0 --a------ c:\windows\system32\Sweeper.cfg
2008-11-19 09:57 . 2005-07-06 18:13 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-11-19 09:57 . 2005-07-06 18:13 348,160 --a------ c:\windows\system32\msvcr71.dll
2008-11-19 09:38 . 2008-11-19 09:38 244 --ah----- C:\sqmnoopt11.sqm
2008-11-19 09:38 . 2008-11-19 09:38 232 --ah----- C:\sqmdata11.sqm
2008-11-19 09:19 . 2008-11-19 09:19 <DIR> d-------- c:\program files\Trend Micro
2008-11-17 23:20 . 2008-11-17 23:20 <DIR> d---s---- c:\documents and settings\LocalService\UserData
2008-11-17 22:56 . 2008-11-19 08:58 <DIR> d-------- C:\VundoFix Backups
2008-11-17 18:20 . 2008-11-17 18:20 0 --a------ C:\2020570992
2008-11-17 17:48 . 2008-11-17 18:17 <DIR> d-------- c:\program files\VSO
2008-11-17 17:48 . 2008-11-17 18:23 <DIR> d-------- c:\documents and settings\PPATEL\Application Data\Vso
2008-11-17 17:48 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll
2008-11-17 17:48 . 2006-05-11 19:21 626,688 --a------ c:\windows\system32\vp7vfw.dll
2008-11-17 17:48 . 2006-09-29 12:24 217,127 --a------ c:\windows\system32\drv43260.dll
2008-11-17 17:48 . 2006-09-29 12:25 208,935 --a------ c:\windows\system32\drv33260.dll
2008-11-17 17:48 . 2006-09-29 12:26 176,165 --a------ c:\windows\system32\drv23260.dll
2008-11-17 17:48 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll
2008-11-17 17:48 . 2007-03-18 20:37 65,602 --a------ c:\windows\system32\cook3260.dll
2008-11-17 17:48 . 2008-11-17 17:48 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2008-11-17 17:48 . 2008-11-17 17:48 47,360 --a------ c:\documents and settings\PPATEL\Application Data\pcouffin.sys
2008-11-17 17:34 . 2008-11-17 17:34 <DIR> d-------- c:\program files\Super Video Converter
2008-11-17 17:31 . 2008-11-17 17:31 <DIR> d-------- c:\program files\Cucusoft
2008-11-09 23:32 . 2008-11-09 23:32 244 --ah----- C:\sqmnoopt10.sqm
2008-11-09 23:32 . 2008-11-09 23:32 232 --ah----- C:\sqmdata10.sqm
2008-11-09 00:03 . 2008-11-09 00:03 244 --ah----- C:\sqmnoopt09.sqm
2008-11-09 00:03 . 2008-11-09 00:03 232 --ah----- C:\sqmdata09.sqm
2008-11-06 20:35 . 2008-11-06 20:35 244 --ah----- C:\sqmnoopt08.sqm
2008-11-06 20:35 . 2008-11-06 20:35 232 --ah----- C:\sqmdata08.sqm
2008-11-05 20:26 . 2008-11-05 20:26 244 --ah----- C:\sqmnoopt07.sqm
2008-11-05 20:26 . 2008-11-05 20:26 232 --ah----- C:\sqmdata07.sqm
2008-11-02 00:39 . 2008-11-02 00:39 244 --ah----- C:\sqmnoopt06.sqm
2008-11-02 00:39 . 2008-11-02 00:39 232 --ah----- C:\sqmdata06.sqm
2008-10-31 23:51 . 2008-10-31 23:51 244 --ah----- C:\sqmnoopt05.sqm
2008-10-31 23:51 . 2008-10-31 23:51 232 --ah----- C:\sqmdata05.sqm
2008-10-31 17:31 . 2008-10-31 17:31 244 --ah----- C:\sqmnoopt04.sqm
2008-10-31 17:31 . 2008-10-31 17:31 232 --ah----- C:\sqmdata04.sqm
2008-10-30 23:39 . 2008-10-30 23:39 244 --ah----- C:\sqmnoopt03.sqm
2008-10-30 23:39 . 2008-10-30 23:39 232 --ah----- C:\sqmdata03.sqm
2008-10-30 20:45 . 2008-10-30 20:45 244 --ah----- C:\sqmnoopt02.sqm
2008-10-30 20:45 . 2008-10-30 20:45 232 --ah----- C:\sqmdata02.sqm
2008-10-21 20:38 . 2008-10-21 20:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScanSoft
2008-10-21 20:36 . 2008-10-21 20:36 <DIR> d-------- c:\documents and settings\PPATEL\Application Data\ArcSoft
2008-10-21 20:32 . 2008-10-21 20:32 244 --ah----- C:\sqmnoopt01.sqm
2008-10-21 20:32 . 2008-10-21 20:32 232 --ah----- C:\sqmdata01.sqm

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-11-20 01:23 3,448 ----a-w c:\windows\system32\tmp.reg
2008-11-18 18:11 --------- d-----w c:\program files\McAfee
2008-11-18 18:10 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2008-11-18 18:06 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2008-11-18 18:03 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-22 16:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 16:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-11 20:38 --------- d-----w c:\program files\Java
2008-10-04 18:54 --------- d-----w c:\program files\Windows Live
2008-10-04 18:49 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-10-04 18:48 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-08-29 10:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 09:53 61,440 ----a-w c:\windows\system32\dnssd.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-08-18 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-18 4841472]
"IW ControlCenter"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2003-03-12 836096]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2003-05-05 393728]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Cmaudio"="cmicnfg.cpl" [2003-02-24 c:\windows\CMICNFG.CPL]
"nwiz"="nwiz.exe" [2003-08-18 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\PPATEL\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 2297856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=

R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-04 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobiw.sys [2003-04-10 187392]
R3 cdrdrv;Cdrdrv;c:\windows\system32\Drivers\Cdrdrv.sys [2002-12-14 64000]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2006-03-27 167808]
S1 54d34c18;54d34c18;c:\windows\system32\drivers\54d34c18.sys []

Contents of the 'Scheduled Tasks' folder
2008-11-21 c:\windows\Tasks\RegCure Program Check.job - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
2008-11-20 c:\windows\Tasks\RegCure.job - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

------- Supplementary Scan -------
uStart Page = hxxp://www.sky.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
-
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 18:29:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************

--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\system32\winlogon.exe -> c:\windows\system32\RtlGina2.dll

Completion time: 2008-11-21 18:30:32
ComboFix-quarantined-files.txt 2008-11-21 18:29:59
ComboFix2.txt 2008-11-21 09:58:59
ComboFix3.txt 2008-11-21 01:21:40
ComboFix4.txt 2008-11-20 02:04:15
Pre-Run: 58,518,994,944 bytes free
Post-Run: 58,510,864,384 bytes free
161 --- E O F --- 2008-11-20 02:56:28
Touch (Forum Moderator, joined Jun 2004, 14350 posts) | Posted 11-21-2008 7:57 (GMT +1)
Nope. I'm in Denmark (DK).
The log looks clean. How are things running now?
patel121 (New Member, joined Apr 2007, 14 posts) | Posted 11-24-2008 12:40 (GMT +1)
Hey Touch
I have been away for a few days working! So I don't think the problem is clear - when I get home tonight I will post an image as to why......
cheers
patel121 (New Member, joined Apr 2007, 14 posts) | Posted 11-28-2008 12:05 (GMT +1)
Hi Touch - sorry, not been well the past few days!
Here is the image of what I mean by the website flashing in the grey bar at the bottom when I click 'e' and it loads my homepage, so I think some sort of bug is still around: