Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)

Page 9 of 23

evilfantasy:
We need to try combofix.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)
- Link #1
- Link #2
- Link #3
Important! Combofix.exe MUST be saved to and run from the Desktop.
- Close any open Web browsers (Firefox, Internet Explorer, etc) before starting Combofix.
- Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
- Click this link to see a list of security programs that should be disabled and how to disable them.
- If yours is not listed and you don't know how to disable it, please ask.
- Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
- Double click combofix.exe & follow the prompts.
- Choose Yes to accept the Disclaimers.
- When finished, it will produce a log for you.
- Post that log in your next reply.
Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall.
- If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
- Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

green tea:
Just got home, and finished my Combofix. It didn't reboot to normal mode like the first time though. It was rebooting and then after the Windows XP load screen, the monitor just said no signal, and then the pc shut down. Then it rebooted, and I went to Safemode with networking.

ComboFix 08-04-29.5 - User 2008-04-30 18:14:31.8 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.260 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\Application Data\ASKS~1
C:\Temp\1cb
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cxhfywlk.dll
C:\WINDOWS\system32\ewdlftut.dll
C:\WINDOWS\system32\gwqgfnyc.ini
C:\WINDOWS\system32\hiqvdcgt.dll
C:\WINDOWS\system32\hpyqchfc.dll
C:\WINDOWS\system32\jkkKcDvt.dll
C:\WINDOWS\system32\kjbblsww.dll
C:\WINDOWS\system32\lelptvxx.dll
C:\WINDOWS\system32\n3
C:\WINDOWS\system32\oyxyaglt.dll
C:\WINDOWS\system32\rqRJCUon.dll
C:\WINDOWS\system32\tutfldwe.ini
C:\WINDOWS\system32\tvDcKkkj.ini
C:\WINDOWS\system32\tvDcKkkj.ini2
C:\WINDOWS\system32\wgpaftim.dll
C:\WINDOWS\system32\wnbqxspc.dll
C:\WINDOWS\system32\wnvgthhx.dll
C:\WINDOWS\system32\wwslbbjk.ini

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


(((((((((((((((((((((((((   Files Created from 2008-04-01 to 2008-05-01  )))))))))))))))))))))))))))))))
.

2008-04-29 21:17 . 2008-04-29 21:17   <DIR>   d--------   C:\Program Files\Vcsron
2008-04-29 18:12 . 2008-04-30 18:16   <DIR>   d--------   C:\SDFix
2008-04-26 10:26 . 2002-08-29 05:00   4,224   --a------   C:\WINDOWS\system32\beep.sys
2008-04-26 10:26 . 2008-04-26 10:35   578   --a------   C:\WINDOWS\index.html
2008-04-26 10:06 . 2008-04-30 10:10   109,738   --a------   C:\WINDOWS\BM1f8c01e5.xml
2008-04-26 10:00 . 2008-04-26 10:00   861   --a------   C:\WINDOWS\system32\winpfz33.sys
2008-04-26 09:59 . 2008-04-26 12:33   <DIR>   d--hs----   C:\WINDOWS\VXNlcg
2008-04-26 09:59 . 2008-04-29 00:06   <DIR>   d--------   C:\WINDOWS\system32\wTMP
2008-04-26 09:59 . 2008-04-26 09:59   <DIR>   d--------   C:\WINDOWS\system32\pnVes06
2008-04-26 09:59 . 2008-04-26 09:59   <DIR>   d--------   C:\Temp\zvebs14
2008-04-26 09:59 . 2008-04-26 09:59   <DIR>   d--------   C:\Temp\kvebs14
2008-04-26 09:59 . 2008-04-26 09:59   400,585   --a------   C:\WINDOWS\system32\g4.exe
2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Program Files\BillP Studios
2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Documents and Settings\User\Application Data\WinPatrol
2008-04-22 21:06 . 2008-04-22 21:06   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-04-22 21:06 . 2008-04-22 21:06   1,409   --a------   C:\WINDOWS\QTFont.for
2008-04-22 20:22 . 2008-04-22 20:22   <DIR>   d--------   C:\Program Files\CleanUp!
2008-04-20 10:01 . 2008-04-20 10:02   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\User\Application Data\Malwarebytes
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 07:24   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
2003-03-12 00:39   32   --sha-w   C:\WINDOWS\{2FFF1D80-86D2-4182-B08D-B83B0BA71F57}.dat
2003-03-12 00:39   32   --sha-w   C:\WINDOWS\system32\{AA0C2FA6-E16C-49D0-B082-57DD9A57705D}.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Vcsron"="C:\Program Files\Vcsron\Vcsron.exe" [2008-04-26 10:02 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-01-26 09:07 5529600]
"nwiz"="nwiz.exe" [2005-01-26 09:07 1490944 C:\WINDOWS\system32\nwiz.exe]
"Disk Monitor"="C:\Program Files\\IC Card Reader Driver v1.8e2\Disk_Monitor.exe" [2008-01-08 08:27 440832]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-01-26 09:07 86016]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-07 22:35 455168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 08:27 278528]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 22:38 316728]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-04-07 20:17 1175160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-03-12 15:04:53 102400]
InterVideo WinScheduler.lnk - C:\Program Files\InterVideo\WinDVR\WinScheduler.exe [2003-03-12 15:06:28 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJCUon]
rqRJCUon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7467:TCP"= 7467:TCP:BitComet 7467 TCP
"7467:UDP"= 7467:UDP:BitComet 7467 UDP

R1 GearAspiSys;GearAspiSys;C:\WINDOWS\system32\drivers\gearaspisys.sys [2002-06-24 11:00]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 10:02]
S1 nvxbarr;nvxbarr;C:\WINDOWS\system32\drivers\nvxbarr.sys []
S2 BT848;CxVCap, WDM Video Capture;C:\WINDOWS\system32\drivers\cxvcap.sys [2002-08-14 20:03]
S2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS [2001-04-11 17:58]
S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS [2001-04-11 17:58]
S2 CXTUNER;CxTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\CXTUNER.sys [2002-08-14 19:58]
S2 CXXBAR;CxXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\CXXBAR.sys [2002-08-14 19:58]
S2 nhksrv;Netropa NHK Server;C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe [2001-08-06 07:41]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]
S3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]

*Newly Created Service* - CXTUNER
*Newly Created Service* - CXXBAR
.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 10:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware .ex
- C:\Program Files\AntiSpywareApp
"2008-04-26 03:35:30 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-04-26 16:17:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 18:21:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
.
**************************************************************************
.
Completion time: 2008-04-30 18:26:07 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-01 01:26:04

Pre-Run: 4,014,170,112 bytes free
Post-Run: 4,019,470,336 bytes free

167   --- E O F ---   2008-04-09 10:04:51
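Added example (not part of the thread, and not ComboFix's or Gmer's code): a small Python triage script that parses the section banners, registry loading points and catchme hidden-file lines in the log format posted above, and pulls out the items a helper reads first: hidden executables reported by catchme, a service imagepath that loads through a \??\globalroot path, a winlogon\notify DLL listed without a full path, and DLLs that were removed from system32. The embedded SAMPLE_LOG is a constructed excerpt in that layout, and the flag rules are illustrative assumptions chosen for this example, not ComboFix's own heuristics.

```python
"""Triage helper for a ComboFix-style log.

Added example: not ComboFix's code or the thread author's. The banners and
entry formats follow the log layout as posted; the flag rules are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the posted log's format (not a real capture).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cxhfywlk.dll
C:\WINDOWS\system32\rqRJCUon.dll

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Vcsron"="C:\Program Files\Vcsron\Vcsron.exe" [2008-04-26 10:02 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJCUon]
rqRJCUon.dll

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden files ...

C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes

scan completed successfully
hidden files: 2

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
"""

SECTION_RE = re.compile(r"^\(+\s+(.+?)\s+\)+\s*$")            # ((((  Name  ))))
KEY_RE = re.compile(r"^\[(hk[^\]]+)\]$", re.IGNORECASE)       # [HKEY_...\...]
STAMP_RE = re.compile(r"\[([^\[\]]*)\]\s*$")                  # trailing [date time size]
HIDDEN_RE = re.compile(r"^([A-Za-z]:\\.+?) (\d+) bytes( executable)?$")


def parse_log(log: str) -> Dict[str, List[str]]:
    """Split the log into sections keyed by banner text; catchme output gets its own key."""
    sections: Dict[str, List[str]] = {}
    current = "header"
    for raw in log.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("catchme "):
            current = "catchme"
            continue
        sections.setdefault(current, []).append(line)
    return sections


def hidden_files(sections: Dict[str, List[str]]) -> List[Tuple[str, int, bool]]:
    """(path, size, is_executable) for every hidden file catchme reported."""
    out = []
    for line in sections.get("catchme", []):
        m = HIDDEN_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3) is not None))
    return out


def registry_entries(log: str) -> List[Dict[str, str]]:
    """{key, name, data, stamp} for each line listed under a [HKEY...] key."""
    entries: List[Dict[str, str]] = []
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            key = None                      # a blank line ends the current key block
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        stamp = ""
        m = STAMP_RE.search(line)
        if m:                               # ComboFix appends [date time size] when it found the file
            stamp = m.group(1)
            line = line[: m.start()].rstrip()
        if line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
        else:
            name, data = "", line           # bare entry, e.g. a winlogon\notify DLL name
        entries.append({"key": key, "name": name, "data": data.strip().strip('"'), "stamp": stamp})
    return entries


def triage(log: str) -> List[str]:
    """Apply the illustrative flag rules and return human-readable findings."""
    findings: List[str] = []
    sections = parse_log(log)
    for path, size, is_exe in hidden_files(sections):
        kind = "executable" if is_exe else "data file"
        findings.append(f"hidden {kind}: {path} ({size} bytes)")
    for e in registry_entries(log):
        if "globalroot" in e["data"].lower():
            findings.append(f"driver loaded via globalroot path: {e['key']} -> {e['data']}")
        if "winlogon\\notify" in e["key"].lower() and "\\" not in e["data"]:
            findings.append(f"winlogon notify DLL without full path: {e['data']}")
    for path in sections.get("Other Deletions", []):
        low = path.lower()
        if low.startswith("c:\\windows\\system32\\") and low.endswith(".dll"):
            findings.append(f"removed system32 DLL: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it on a saved ComboFix.txt by passing the file contents to triage(); the rules are deliberately simple string checks so that each finding can be traced back to one line of the log.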

green tea:
I just tried saving my Combofix log but when I went to click "Save as", notepad automatically closed by itself.

I know the CFScript step is next, but since I can't save the notepad files on my own, can you help save a CFScript.txt for me, and then attach it so I can d/l the entire file. As long as I don't open up notepad and try and save it, I'm ok.

Also, vcsron is still on my Add/Remove list.

evilfantasy:
cfscript log attached.

Drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

----------

Next:

Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click: Delete Files
When prompted, check: Delete all offline content
You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start > Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
- Temporary Files
- Temporary Internet Files
- Recycle Bin
Agree to the prompt to perform the action...


Next:

Please download ATF Cleaner by Atribune and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
- Windows Temp
- Current User Temp
- All Users Temp
- Temporary Internet Files
- Java Cache
The rest are optional - if you want to remove everything, check Select All.
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
It is important to restart the computer after running ATF Cleaner.

Next post
Combofix log
Fresh Hijackthis log



[recovering space - attachment deleted by admin]

green tea:
ComboFix 08-04-29.5 - User 2008-04-30 19:26:35.9 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.326 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\cfscript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\beep.sys
C:\WINDOWS\system32\g4.exe
C:\WINDOWS\system32\winpfz33.sys
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\kvebs14
C:\Temp\kvebs14\zvKarru.log
C:\Temp\zvebs14
C:\WINDOWS\system32\beep.sys
C:\WINDOWS\system32\g4.exe
C:\WINDOWS\system32\pnVes06
C:\WINDOWS\system32\pnVes06\pnVes061083.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wTMP
C:\WINDOWS\VXNlcg

.
(((((((((((((((((((((((((   Files Created from 2008-04-01 to 2008-05-01  )))))))))))))))))))))))))))))))
.

2008-04-29 21:17 . 2008-04-29 21:17   <DIR>   d--------   C:\Program Files\Vcsron
2008-04-29 18:12 . 2008-04-30 18:16   <DIR>   d--------   C:\SDFix
2008-04-26 10:26 . 2008-04-26 10:35   578   --a------   C:\WINDOWS\index.html
2008-04-26 10:06 . 2008-04-30 10:10   109,738   --a------   C:\WINDOWS\BM1f8c01e5.xml
2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Program Files\BillP Studios
2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Documents and Settings\User\Application Data\WinPatrol
2008-04-22 21:06 . 2008-04-22 21:06   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-04-22 21:06 . 2008-04-22 21:06   1,409   --a------   C:\WINDOWS\QTFont.for
2008-04-22 20:22 . 2008-04-22 20:22   <DIR>   d--------   C:\Program Files\CleanUp!
2008-04-20 10:01 . 2008-04-20 10:02   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\User\Application Data\Malwarebytes
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 07:24   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
2003-03-12 00:39   32   --sha-w   C:\WINDOWS\{2FFF1D80-86D2-4182-B08D-B83B0BA71F57}.dat
2003-03-12 00:39   32   --sha-w   C:\WINDOWS\system32\{AA0C2FA6-E16C-49D0-B082-57DD9A57705D}.dat
.

(((((((((((((((((((((((((((((   snapshot@2008-04-30_18.25.51.17   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-01 01:21:23   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
+ 2008-05-01 02:28:34   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
- 2008-05-01 01:21:26   16,384   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-01 02:28:35   16,384   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-01 01:21:26   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-01 02:28:35   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-01 01:21:26   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-01 02:28:35   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Vcsron"="C:\Program Files\Vcsron\Vcsron.exe" [2008-04-26 10:02 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-01-26 09:07 5529600]
"nwiz"="nwiz.exe" [2005-01-26 09:07 1490944 C:\WINDOWS\system32\nwiz.exe]
"Disk Monitor"="C:\Program Files\\IC Card Reader Driver v1.8e2\Disk_Monitor.exe" [2008-01-08 08:27 440832]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-01-26 09:07 86016]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-07 22:35 455168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 08:27 278528]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 22:38 316728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-03-12 15:04:53 102400]
InterVideo WinScheduler.lnk - C:\Program Files\InterVideo\WinDVR\WinScheduler.exe [2003-03-12 15:06:28 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_SZ            msv1_0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7467:TCP"= 7467:TCP:BitComet 7467 TCP
"7467:UDP"= 7467:UDP:BitComet 7467 UDP

R1 GearAspiSys;GearAspiSys;C:\WINDOWS\system32\drivers\gearaspisys.sys [2002-06-24 11:00]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 10:02]
R2 BT848;CxVCap, WDM Video Capture;C:\WINDOWS\system32\drivers\cxvcap.sys [2002-08-14 20:03]
R2 CXTUNER;CxTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\CXTUNER.sys [2002-08-14 19:58]
R2 CXXBAR;CxXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\CXXBAR.sys [2002-08-14 19:58]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe [2001-08-06 07:41]
S1 nvxbarr;nvxbarr;C:\WINDOWS\system32\drivers\nvxbarr.sys []
S2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS [2001-04-11 17:58]
S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS [2001-04-11 17:58]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]
S3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 10:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware .ex
- C:\Program Files\AntiSpywareApp
"2008-04-26 03:35:30 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-04-26 16:17:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 19:29:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINDOWS\system32\Ctsvccda.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IC Card Reader Driver v1.8e2\Disk_Monitor.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-30 19:33:49 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-01 02:33:43
ComboFix2.txt  2008-05-01 01:26:08

Pre-Run: 4,032,126,976 bytes free
Post-Run: 4,015,120,384 bytes free

162   --- E O F ---   2008-04-09 10:04:51
