CastleCops, Internet Crime Fighters

[DONE]Root kit: SVC: NDMONPRONTO
Arc

Corporal


Joined: Apr 15, 2008
Posts: 74
Location: Canada

Posted: Thu Apr 24, 2008 2:51 am

Oh yeah, looks like you fixed the not-being-able-to-install-my-software deal. I tried, but cancelled out once I saw it was going to work. Going to install it later. Thanks! :)

Arc

PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723

1st Responder Mentors 1st Responders Forums Admin MIRT Moderators Premium Rootkit Experts Security Experts SRT Team CC Committee

Posted: Thu Apr 24, 2008 3:01 am

Hi,

The first log you posted, the one that starts with System and then Kernel, does not look like it was posted complete. Could you please check that for me?


_________________
Don't read? Can't learn!
Arc

Corporal


Joined: Apr 15, 2008
Posts: 74
Location: Canada

Posted: Thu Apr 24, 2008 3:06 am

Hmm, it should be, except for a ton of hidden .bmp files. I didn't think that was important. I mentioned that the first time I posted one of those logs... not that I expected anyone to remember. :)

Arc

PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723


Posted: Thu Apr 24, 2008 3:22 am

Please make sure those logs are complete for the important stuff. I don't care about .bmp files. The reason is, I see no sign of the rootkit in the logs you posted. I really need to make sure that the rootkit is gone. Look at the logs yourself, do you see any sign of the rootkit or of NDMONPRONTO?


Arc

Corporal


Joined: Apr 15, 2008
Posts: 74
Location: Canada

Posted: Thu Apr 24, 2008 3:26 am

Ah, oops, I am a dope. Let me repost it; I missed a chunk. Sorry. :(

Arc

Corporal


Joined: Apr 15, 2008
Posts: 74
Location: Canada

Posted: Thu Apr 24, 2008 3:26 am

GMER 1.0.14.14316 - http://www.gmer.net
Rootkit scan 2008-04-21 22:57:56
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0xB7A1CC90] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0xB7A1D0C0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwClose [0xB71A11C2] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwConnectPort [0xB7A1C580] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateDirectoryObject [0xB71A10AE] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateFile [0xB71A0184] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB78AECB8] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwCreatePort [0xB7A1C440] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateProcess [0xB719FA36] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateSection [0xB71A0B4C] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwCreateThread [0xB7A1B580] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwDeleteFile [0xB7A1EC30] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwDeleteKey [0xB7A1E050] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB78AF12A] <-- ROOTKIT !!!
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xBFEA4B23] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB78AE8AA] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwEnumerateKey [0xB7A1E5B0] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwEnumerateValueKey [0xB7A1E5C0] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwLoadDriver [0xB7A1CB00] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwLoadKey [0xB7A1FD50] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwOpenFile [0xB71A06AA] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB78AED2E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB78AE7C8] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwOpenSection [0xB7A1AE00] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB78AE83C] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwProtectVirtualMemory [0xB7A1CE00] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwQueryKey [0xB7A1E590] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB78AEE42] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwReplaceKey [0xB7A1E210] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwRequestWaitReplyPort [0xB7A1C7D0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB78AEE02] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwResumeThread [0xB7A1C1C0] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSaveKey [0xB7A1E580] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSetContextThread [0xB7A1BCC0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwSetInformationFile [0xB71A0ED8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB78AEF84] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwShutdownSystem [0xB7A1CA40] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSuspendThread [0xB7A1C060] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSystemDebugControl [0xB7A1BF40] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwTerminateProcess [0xB7A1B430] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwTerminateThread [0xB7A1BB50] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwWriteFile [0xB71A0E10] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwWriteVirtualMemory [0xB7A1CF60] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINNT\system32\drivers\OAnet.sys Access is denied.
? C:\WINNT\system32\drivers\OAmon.sys Access is denied.
? C:\WINNT\system32\drivers\OADriver.sys Access is denied.
? C:\WINNT\TEMP\mc21.tmp The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [BFEA46E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [BFEA4A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BFEA4A33] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BFEA4979] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BFEA448A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [BFEA46E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [BFEA4A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [BFEA4A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [BFEA46E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [BFEA46E9] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [BFEA4A5D] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BFEA448A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BFEA4979] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BFEA4A33] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EB563410] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EB563720] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EB563470] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EB563760] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EB563720] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EB563410] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EB563470] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [EB563410] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [EB563470] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [EB563720] \??\C:\WINNT\system32\drivers\OAnet.sys
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [EB563760] \??\C:\WINNT\system32\drivers\OAnet.sys

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device \Driver\Tcpip \Device\Ip OAmon.sys
Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Tcp OAmon.sys
Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\Udp OAmon.sys
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp OAmon.sys
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys
Device \Driver\Tcpip \Device\IPMULTICAST avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

---- Services - GMER 1.0.14 ----

Service (*** hidden *** ) NDMONPROTO <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\CurrentControlSet\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO
Reg HKLM\SYSTEM\ControlSet002\Services\NDMONPROTO

---- Files - GMER 1.0.14 ----


4664 bytes

---- EOF - GMER 1.0.14 ----

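A helper reading a GMER log like the one above has to separate the hooks GMER flags with "<-- ROOTKIT !!!" because they come from installed security software (the avast! drivers carry vendor descriptions; OADriver.sys/OAmon.sys/OAnet.sys belong to the Online Armor install listed later in the ComboFix log) from the entries that actually matter, such as the hidden NDMONPROTO service. The following is an added Python example written for this page; it is not code from the thread, from GMER or from CastleCops. It parses a constructed excerpt that copies GMER's own line formats and ranks what to look at first. The ranking rule (hidden services, then hooking modules GMER could not identify or read, then modules with version information) is this example's assumption, not GMER's logic.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER 1.0.14 log posted above (a handful of
# representative lines in GMER's own formats, not the full log).
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0xB7A1CC90] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwClose [0xB71A11C2] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwLoadDriver [0xB7A1CB00] <-- ROOTKIT !!!
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xBFEA4B23] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB78AE7C8] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINNT\system32\drivers\OADriver.sys Access is denied.

---- Services - GMER 1.0.14 ----

Service (*** hidden *** ) NDMONPROTO <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----
"""

# "SSDT <module> [(description/vendor)] <ZwFunction> [0xADDR] ..." as GMER prints it.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"            # NT path or bare file name of the hooking module
    r"(?:\s+\((?P<vendor>[^)]*)\))?"      # optional "(description/vendor)" from version info
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
HIDDEN_SVC_RE = re.compile(r"^Service\s+\(\*\*\* hidden \*\*\*\s*\)\s+(?P<name>\S+)")
DENIED_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+Access is denied\.")


def parse_gmer(text):
    """Pull SSDT hooks, unreadable kernel modules and hidden services out of a GMER log."""
    hooks, hidden_services, unreadable = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            hooks.append({"module": m["module"], "vendor": m["vendor"],
                          "func": m["func"], "addr": int(m["addr"], 16)})
        elif m := HIDDEN_SVC_RE.match(line):
            hidden_services.append(m["name"])
        elif m := DENIED_RE.match(line):
            unreadable.append(m["path"])
    return {"hooks": hooks, "hidden_services": hidden_services, "unreadable": unreadable}


def module_name(path):
    """Last path component; GMER prints either a full NT path or a bare file name."""
    return path.rsplit("\\", 1)[-1]


def triage(parsed):
    """Group SSDT hooks by hooking module and rank findings (ranking is this example's assumption)."""
    by_module = defaultdict(list)
    for h in parsed["hooks"]:
        by_module[module_name(h["module"])].append(h)
    unreadable = {module_name(p) for p in parsed["unreadable"]}

    findings = [{"kind": "hidden_service", "name": s, "priority": 0}
                for s in parsed["hidden_services"]]
    for name, hooks in by_module.items():
        vendor = next((h["vendor"] for h in hooks if h["vendor"]), None)
        unknown = vendor is None or name in unreadable
        findings.append({"kind": "ssdt_hooks", "name": name, "vendor": vendor,
                         "unreadable": name in unreadable,
                         "hooked": sorted(h["func"] for h in hooks),
                         "priority": 1 if unknown else 2})
    findings.sort(key=lambda f: (f["priority"], f["name"].lower()))
    return findings


def report(findings):
    """Render the triage as one line per finding, highest priority first."""
    lines = []
    for f in findings:
        if f["kind"] == "hidden_service":
            lines.append(f"[!] hidden service: {f['name']}")
            continue
        tag = "unidentified" if f["priority"] == 1 else "identified"
        who = f["vendor"] or "no version info"
        extra = ", file unreadable by scanner" if f["unreadable"] else ""
        lines.append(f"[{tag}] {f['name']} ({who}{extra}) hooks "
                     f"{len(f['hooked'])} SSDT entries: {', '.join(f['hooked'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(parse_gmer(SAMPLE_GMER_LOG)))))
```

Run it against a full GMER log by reading the file into `parse_gmer`; the hidden service is reported first, then OADriver.sys (no version information and GMER could not read the file), and the avast! and Visual Networks drivers last, which matches the order a reviewer would want to check them in.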
PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723


Posted: Thu Apr 24, 2008 3:39 am

Excellent! The rootkit is gone from the MBR. The only part left is the registry entries, which we can kill. The rootkit itself is not active any longer.

Now, do another image of your MBR and call it newuninfected.dat, then zip both of the MBR images and upload them to the Unknown Files forum, and please make sure to note that these files are not to be scanned by normal malware scanners, and they were posted for me.

It is late for me, and I have been going all day. I will be back to you tomorrow with further instructions; but, if you could run another ComboFix and HJT log, that would be appreciated.

And, other than the A/V alerts, how is the system working now? Have you got Internet access?


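PCBruiser asks for a second MBR image (newuninfected.dat) so the before and after captures can be compared. The comparison itself is what the following added Python example does; it is written for this page and is not code from the thread or from any tool named in it. It takes two 512-byte sector images, reports every run of changed bytes with the MBR region it falls in (boot code, one of the four partition entries, or the 0x55AA boot signature), and decodes the partition table of each so a change there is shown field by field. The two sample images are constructed inside the script (arbitrary filler standing in for boot code, plus one synthetic partition entry), not real disk captures.

```python
import struct
import sys

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
SIGNATURE_OFFSET = 510           # last two bytes must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def region_of(offset):
    """Name the MBR region a byte offset belongs to."""
    if offset < PART_TABLE_OFFSET:
        return "boot code"
    if offset < SIGNATURE_OFFSET:
        return f"partition entry {(offset - PART_TABLE_OFFSET) // 16}"
    return "boot signature"


def parse_partitions(mbr):
    """Decode the four partition entries (status, type, little-endian LBA start and sector count)."""
    entries = []
    for i in range(4):
        base = PART_TABLE_OFFSET + 16 * i
        status, ptype = mbr[base], mbr[base + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, base + 8)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def diff_mbr(before, after):
    """Compare two sector images; runs of differing bytes never cross a region boundary."""
    if len(before) != MBR_SIZE or len(after) != MBR_SIZE:
        raise ValueError("both images must be exactly one 512-byte sector")
    runs = []  # [start, end] offsets of consecutive differing bytes
    for i in range(MBR_SIZE):
        if before[i] == after[i]:
            continue
        if runs and runs[-1][1] == i - 1 and region_of(i) == region_of(runs[-1][0]):
            runs[-1][1] = i
        else:
            runs.append([i, i])
    return {
        "changed_bytes": sum(e - s + 1 for s, e in runs),
        "runs": [(s, e, region_of(s)) for s, e in runs],
        "signature_ok": (before[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
                         after[SIGNATURE_OFFSET:] == BOOT_SIGNATURE),
        "boot_code_changed": before[:PART_TABLE_OFFSET] != after[:PART_TABLE_OFFSET],
        "partition_table_changed":
            before[PART_TABLE_OFFSET:SIGNATURE_OFFSET] != after[PART_TABLE_OFFSET:SIGNATURE_OFFSET],
    }


def report(before, after):
    """Human-readable summary of diff_mbr(), including partition fields if the table changed."""
    d = diff_mbr(before, after)
    lines = [f"{d['changed_bytes']} byte(s) differ"]
    for s, e, region in d["runs"]:
        lines.append(f"  offsets {s:#05x}-{e:#05x} ({region})")
    lines.append(f"boot signature valid: before={d['signature_ok'][0]} after={d['signature_ok'][1]}")
    lines.append(f"partition table changed: {d['partition_table_changed']}")
    if d["partition_table_changed"]:
        for b, a in zip(parse_partitions(before), parse_partitions(after)):
            if b != a:
                lines.append(f"  entry {b['index']}: {b} -> {a}")
    return lines


def build_sample_images():
    """Constructed sample: a synthetic baseline sector and a copy whose boot code was altered.
    Neither is a real disk image; the byte patterns are arbitrary."""
    base = bytearray(MBR_SIZE)
    for i in range(PART_TABLE_OFFSET):
        base[i] = (i * 7 + 3) & 0xFF                 # filler standing in for boot code
    # one bootable entry of type 0x07 starting at LBA 63 with 1,000,000 sectors
    struct.pack_into("<B3sB3sII", base, PART_TABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    base[SIGNATURE_OFFSET:] = BOOT_SIGNATURE
    modified = bytearray(base)
    for i in list(range(0, 32)) + list(range(400, 410)):
        modified[i] ^= 0xFF                          # simulate rewritten boot-code bytes
    return bytes(base), bytes(modified)


if __name__ == "__main__":
    if len(sys.argv) == 3:                           # python mbrdiff.py before.dat after.dat
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            before, after = f1.read(MBR_SIZE), f2.read(MBR_SIZE)
    else:
        before, after = build_sample_images()
    print("\n".join(report(before, after)))
```

With two real captures the script is run as `python mbrdiff.py infected.dat newuninfected.dat` (file names are the user's choice; the script name is this example's). A result of zero differing bytes means the cleaning step did not touch the sector; changes confined to the boot-code region with an unchanged partition table and a valid signature are what a restored standard MBR looks like, while any change inside a partition entry deserves a second look before the disk is trusted.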
Arc

Corporal


Joined: Apr 15, 2008
Posts: 74
Location: Canada

Posted: Thu Apr 24, 2008 4:31 am

Woot woot! Take that, rootkit POS!!! Thanks PC!!! :D

I posted the files for you.

I have internet access with my other comp. I'll try and get the other one online... well, not today, it's too late.

I'll try and run a ComboFix and HJT log if I have time tonight.

I hear ya about the long day. :)

Arc

Arc

Corporal


Joined: Apr 15, 2008
Posts: 74
Location: Canada

Posted: Thu Apr 24, 2008 4:58 am

ComboFix 08-04-20.1 - X 24/04/2008 0:34:32.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.257 [GMT -7:00]
Running from: C:\Documents and Settings\X\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 00:34 . 24/04/08 12:34a 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_468.dat
2008-04-23 22:25 . 23/04/08 10:25p <DIR> d-------- C:\Program Files\CCleaner
2008-04-23 21:55 . 23/04/08 09:55p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_284.dat
2008-04-22 23:05 . 13/04/03 07:09p 81,671 --a------ C:\WINNT\_detmp.3
2008-04-22 23:05 . 24/07/01 02:56p 65,536 --a------ C:\WINNT\_detmp.4
2008-04-21 22:24 . 21/04/08 10:24p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2bc.dat
2008-04-21 21:57 . 21/04/08 09:57p <DIR> d-------- C:\Program Files\HDHacker
2008-04-21 20:58 . 24/04/08 12:33a <DIR> d-------- C:\Documents and Settings\X\Application Data\OnlineArmor
2008-04-21 20:58 . 21/04/08 08:58p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-04-21 20:58 . 17/04/08 05:25a 80,584 --a------ C:\WINNT\system32\drivers\OADriver.sys
2008-04-21 20:58 . 17/04/08 05:25a 32,456 --a------ C:\WINNT\system32\drivers\OAmon.sys
2008-04-21 20:58 . 17/04/08 05:25a 28,872 --a------ C:\WINNT\system32\drivers\oanet.sys
2008-04-21 20:57 . 21/04/08 08:57p <DIR> d-------- C:\Program Files\Tall Emu
2008-04-21 20:57 . 21/04/08 08:57p <DIR> d-------- C:\OnlineArmor
2008-04-21 20:53 . 21/04/08 08:53p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_22c.dat
2008-04-21 00:42 . 22/04/08 11:40p 1,008,840 ---h----- C:\WINNT\ShellIconCache
2008-04-20 12:25 . 01/11/06 01:06p 215,928 --a------ C:\pagedfrg.exe
2008-04-20 12:25 . 20/04/08 12:25p 25,992 --a------ C:\WINNT\system32\pgdfgsvc.exe
2008-04-20 12:25 . 23/07/00 06:58p 8,419 --a------ C:\pagedfrg.hlp
2008-04-20 12:22 . 20/04/08 12:22p <DIR> d-------- C:\Program Files\NT Registry Optimizer
2008-04-20 12:20 . 20/04/08 12:20p <DIR> d-------- C:\Program Files\ERUNT
2008-04-18 23:08 . 18/04/08 11:08p <DIR> d-------- C:\WINNT\ERUNT
2008-04-18 23:02 . 19/04/08 12:38a <DIR> d-------- C:\SDFix
2008-04-11 17:34 . 23/04/08 10:37p 250 --a------ C:\WINNT\gmer.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 05:36 --------- d-----w C:\Program Files\Motive
2008-04-24 05:34 --------- d-----w C:\Program Files\Common Files\Motive
2008-04-24 05:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-23 06:07 --------- d-----w C:\Program Files\Efficient Networks
2008-04-22 03:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 05:55 --------- d-----w C:\Documents and Settings\X\Application Data\AVG7
2008-04-18 02:06 --------- d-----w C:\Program Files\Trend Micro
2008-03-29 22:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-29 22:20 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-22 21:00 --------- d-----w C:\Documents and Settings\X\Application Data\Paltalk
2008-03-22 20:57 --------- d-----w C:\Program Files\Paltalk Messenger
2008-03-15 22:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-15 22:12 691,545 ----a-w C:\WINNT\unins000.exe
2008-03-08 19:39 --------- d-----w C:\Program Files\Microsoft Games
2008-03-08 19:38 --------- d-----w C:\Program Files\Doom 3
2008-03-06 03:41 107,888 ----a-w C:\WINNT\system32\CmdLineExt.dll
2008-03-06 03:05 --------- d-----w C:\Program Files\THQ
2003-04-13 14:57 271 ---h--w C:\Program Files\desktop.ini
2003-04-13 14:57 21,952 ---h--w C:\Program Files\folder.htt
2002-07-24 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-03-10 10:05 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
.

------- Sigcheck -------

24/07/02 05:00a 7952 9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\svchost.exe
24/07/02 05:00a 7952 9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\dllcache\svchost.exe
.
((((((((((((((((((((((((((((( snapshot@Sat 2008-04-19_12.58.43.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINNT\erdnt\20-04-2008\ERDNT.EXE
+ 2008-04-20 19:31:55 4,734,976 ----a-w C:\WINNT\erdnt\20-04-2008\Users\00000001\NTUSER.DAT
+ 2008-04-20 19:31:55 430,080 ----a-w C:\WINNT\erdnt\20-04-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINNT\erdnt\AutoBackup\20-04-2008\ERDNT.EXE
+ 2008-04-20 19:29:30 4,734,976 ----a-w C:\WINNT\erdnt\AutoBackup\20-04-2008\Users\00000001\NTUSER.DAT
+ 2008-04-20 19:29:30 430,080 ----a-w C:\WINNT\erdnt\AutoBackup\20-04-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINNT\erdnt\AutoBackup\2008-04-20\ERDNT.EXE
+ 2008-04-20 21:21:03 4,734,976 ----a-w C:\WINNT\erdnt\AutoBackup\2008-04-20\Users\00000001\NTUSER.DAT
+ 2008-04-20 21:21:06 430,080 ----a-w C:\WINNT\erdnt\AutoBackup\2008-04-20\Users\00000002\UsrClass.dat
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINNT\erdnt\AutoBackup\21-04-2008\ERDNT.EXE
+ 2008-04-21 07:14:30 4,726,784 ----a-w C:\WINNT\erdnt\AutoBackup\21-04-2008\Users\00000001\NTUSER.DAT
+ 2008-04-21 07:14:31 430,080 ----a-w C:\WINNT\erdnt\AutoBackup\21-04-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINNT\erdnt\AutoBackup\22-04-2008\ERDNT.EXE
+ 2008-04-23 04:32:24 4,747,264 ----a-w C:\WINNT\erdnt\AutoBackup\22-04-2008\Users\00000001\NTUSER.DAT
+ 2008-04-23 04:32:24 430,080 ----a-w C:\WINNT\erdnt\AutoBackup\22-04-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINNT\erdnt\AutoBackup\23-04-2008\ERDNT.EXE
+ 2008-04-24 04:56:46 4,747,264 ----a-w C:\WINNT\erdnt\AutoBackup\23-04-2008\Users\00000001\NTUSER.DAT
+ 2008-04-24 04:56:47 430,080 ----a-w C:\WINNT\erdnt\AutoBackup\23-04-2008\Users\00000002\UsrClass.dat
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE
- 2005-03-23 08:31:26 50,808 ----a-w C:\WINNT\system32\perfc009.dat
+ 2008-04-23 05:40:27 50,808 ----a-w C:\WINNT\system32\perfc009.dat
- 2005-03-23 08:31:26 369,124 ----a-w C:\WINNT\system32\perfh009.dat
+ 2008-04-23 05:40:27 369,124 ----a-w C:\WINNT\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [04/09/07 04:40p 6856704]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [19/08/05 07:34p 3084288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NeroCheck"="C:\WINNT\System32\NeroCheck.exe" [22/05/02 02:46p 155648]
"IPInSightLAN 01"="C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" [20/04/02 08:00a 364544]
"IPInSightMonitor 01"="C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe" [20/04/02 08:00a 102400]
"Synchronization Manager"="mobsync.exe" [19/06/03 12:05p 111376 C:\WINNT\system32\mobsync.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [25/11/03 10:10p 335872]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [29/03/08 10:37a 79224]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [17/04/08 05:25a 5545536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [19/06/03 12:05p 186640]

C:\Documents and Settings\X\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\DL\Training\Schedule.htm
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 02/11/01 10:50a 24636 C:\WINNT\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINNT\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bginfo.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bginfo.exe
backup=C:\WINNT\pss\Bginfo.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINNT\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk
backup=C:\WINNT\pss\NetAssistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 27/04/04 03:18p 61440 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desk Buddy Lite]
C:\Program Files\Jalco Software\Desk Buddy Lite\DeskBud.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 17/02/05 09:37a 2903636 C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEXPLORE.EXE]
--a------ 29/08/02 08:14a 91136 C:\Program Files\Internet Explorer\IEXPLORE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 23/02/06 04:45p 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 29/03/06 11:05p 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 08/06/03 01:47a 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 04/02/02 11:32p 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
c:\program files\valve\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 22/02/04 11:44p 32881 C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 19/06/03 12:05p 111376 C:\WINNT\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tray Temperature]
C:\DOCUME~1\X\LOCALS~1\Temp\MiniBug.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll

R1 aswSP;avast! Self Protection;C:\WINNT\system32\drivers\aswSP.sys [29/03/08 10:31a]
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [11/03/07 08:26p]
R1 LUMDriver;LUMDriver;C:\WINNT\system32\drivers\LUMDriver.sys [23/04/05 01:21a]
R1 OADevice;OADriver;C:\WINNT\system32\drivers\OADriver.sys [17/04/08 05:25a]
R1 OAmon;OAmon;C:\WINNT\system32\drivers\OAmon.sys [17/04/08 05:25a]
R1 OAnet;OAnet;C:\WINNT\system32\drivers\OAnet.sys [17/04/08 05:25a]
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [17/01/08 08:34a]
R2 BBDemon;Backbone Service;C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe [29/01/05 01:12p]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [19/06/03 12:05p]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [19/06/03 12:05p]
S2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [17/04/08 05:25a]
S3 AdLM;Autodesk License Manager;C:\WINNT\System32\ad_elmd.exe [11/04/00 08:20p]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 00:15:00 C:\WINNT\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 00:39:04
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINNT\TEMP\mc21.tmp"
.
Completion time: 24/04/2008 0:44:37
ComboFix-quarantined-files.txt 2008-04-24 07:44:31
ComboFix2.txt 2008-04-20 21:31:01
ComboFix3.txt 2008-04-19 19:58:53

Pre-Run: 13,885,390,848 bytes free
Post-Run: 13,879,468,032 bytes free

190

Arc

Corporal


Joined: Apr 15, 2008
Posts: 74
Location: Canada

Posted: Thu Apr 24, 2008 4:59 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:09 AM, on 24/04/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Wisdom-soft ScreenHunter\ScreenHunter.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\e5y90uyt.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\X\Application Data\Mozilla\Profiles\default\e5y90uyt.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PRDIE - {A8FA9135-E1DD-4AA8-971A-1FE4DCEE6365} - C:\Program Files\Privacy Defender\prd.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194763853046
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\MDT5\AcDcToday.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} - http://www.movie-browser.com/tl4000.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://C:\Program Files\MDT5\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\MDT5\AcPreview.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Autodesk License Manager (AdLM) - Unknown owner - C:\WINNT\System32\ad_elmd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Prot Antivirus Update Monitor - Unknown owner - C:\Program Files\FSI\F-Prot\fpavupdm.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O24 - Desktop Component 0: (no name) - C:\DL\Training\Schedule.htm

--
End of file - 11742 bytes

Arc

Corporal


Joined: Apr 15, 2008
Posts: 74
Location: Canada

PostPosted: Thu Apr 24, 2008 4:59 am    Post subject:

Stupid double post!

Okay I think that's everything for now?

Let me know what's next.

This is an insane amount of work...so thanks a ton. Smile

Now I'm going to go to bed and have sweet dreams of finding whoever wrote this Root kit. Twisted Evil

Arc

PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723

1st Responder Mentors 1st Responders Forums Admin MIRT Moderators Premium Rootkit Experts Security Experts SRT Team CC Committee

PostPosted: Thu Apr 24, 2008 10:46 pm    Post subject:

arc wrote:
Now I'm going to go to bed and have sweet dreams of finding whoever wrote this Root kit. Twisted Evil

While carrying a shotgun I hope!

OK, let's kill this thing. BTW, I am also killing your MiniBug which is considered adware. Delete any remaining folders or files for it, and get the Forecastfox Enhanced extension. I am also getting rid of Privacy Defender which is considered a rogue; and WildTangent which is considered adware. See here for more information on rogues:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

I am also disabling the AVG real-time mail and file scanning services, but leaving the update service alive. That won't cause conflicts.

1. Open notepad, go to the format menu, uncheck Word Wrap, and then copy/paste the text in the code box below into it:

Code:

KILLALL::

File::
C:\WINNT\_detmp.3
C:\WINNT\_detmp.4
C:\DOCUME~1\X\LOCALS~1\Temp\MiniBug.exe

Folder::
C:\Program Files\Privacy Defender
C:\Program Files\WildTangent

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDMONPROTO]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDMONPROTO]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDMONPROTO]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDMONPROTO]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tray Temperature]

Driver::
NDMONPROTO
Avg7Alrt
AVGEMS
Avg7RsNT



Save this to your Desktop as CFScript.txt.

2. Close all open browsers.


image

3. Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at "C:\ComboFix.txt"

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

4. Run GMER one more time and capture the log.

5. Please post the following:

a. combofix.txt
b. the GMER log
c. a fresh HJT log


_________________
Don't read? Can't learn!
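The CFScript in step 1 is a plain section-based text format (KILLALL::, File::, Folder::, Registry::, Driver::), and a script is worth sanity-checking before it is dragged onto ComboFix. The following is an added example, not code from the thread or from ComboFix itself: it parses the script into its sections and flags entries that are listed twice, as two of the Registry lines above are. The embedded script is an abridged copy of the one posted above.

```python
# Added example: parse a ComboFix CFScript and flag duplicate entries.
# Not ComboFix's own code; section names come from the script posted above.
import re
from collections import Counter

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")  # e.g. "Registry::"

# Abridged copy of the script posted in the thread (embedded for a stand-alone run).
SAMPLE_SCRIPT = r"""KILLALL::

File::
C:\DOCUME~1\X\LOCALS~1\Temp\MiniBug.exe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDMONPROTO]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDMONPROTO]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDMONPROTO]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDMONPROTO]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tray Temperature]

Driver::
NDMONPROTO
Avg7Alrt
AVGEMS
Avg7RsNT
"""

def parse_cfscript(text):
    """Return {section_name: [entries]} in order of appearance."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
            continue
        if current is None:  # an entry with no section header is a malformed script
            raise ValueError(f"entry before any section header: {line!r}")
        current.append(line)
    return sections

def find_duplicates(sections):
    """Entries repeated within a section (registry paths are case-insensitive)."""
    dups = {}
    for name, entries in sections.items():
        counts = Counter(e.lower() for e in entries)
        repeated = sorted(e for e, n in counts.items() if n > 1)
        if repeated:
            dups[name] = repeated
    return dups
```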
Arc

Corporal


Joined: Apr 15, 2008
Posts: 74
Location: Canada

PostPosted: Fri Apr 25, 2008 5:35 pm    Post subject:

Quote:
While carrying a shotgun I hope!


...Predator's shoulder mounted cannon? Twisted Evil

Great, thanks for the extra little fix ups! Smile

I'll have to get to this on the weekend as I won't have time today.

Thanks PC. Smile

Arc
