Old 21-06-2009, 07:38 PM
broni
re: [Resolved] here is my first

Please, don't use code wrap. The log is harder to read.

ComboFix 09-06-20.02 - Bilosta 06/21/2009 16:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1742 [GMT 3:00]
Running from: c:\documents and settings\Bilosta\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\SKYNETxnbmolwb.sys
c:\windows\system32\SKYNETbqpqqmkj.dat
c:\windows\system32\SKYNETlclfkawe.dll
c:\windows\system32\SKYNETvmpqagtt.dat
c:\windows\system32\SKYNETyueempdv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETornmbciq


((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-06-21 11:53 . 2009-06-21 11:53 -------- d-----w- c:\documents and settings\Kurucity\Application Data\ESET
2009-06-21 11:52 . 2009-06-21 11:52 -------- d-----w- c:\program files\ESET
2009-06-21 11:52 . 2009-06-21 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-21 11:50 . 2009-06-21 11:50 -------- d-----w- c:\program files\InstallShield Installation Information
2009-06-21 11:34 . 2009-06-21 11:34 -------- d-----w- c:\documents and settings\Kurucity\Local Settings\Application Data\GHISLER
2009-06-21 11:28 . 2009-06-21 11:28 0 ----a-w- c:\windows\nsreg.dat
2009-06-21 11:28 . 2009-06-21 11:28 -------- d-----w- c:\documents and settings\Kurucity\Local Settings\Application Data\Mozilla
2009-06-21 11:26 . 2009-06-21 11:26 -------- d-sh--w- c:\documents and settings\Kurucity\IECompatCache
2009-06-21 11:26 . 2009-06-21 11:26 -------- d-sh--w- c:\documents and settings\Kurucity\PrivacIE
2009-06-21 11:23 . 2009-06-21 11:27 -------- d-----w- C:\totalcmd
2009-06-21 11:23 . 2009-06-21 11:23 -------- d-----w- c:\documents and settings\Kurucity\Application Data\GHISLER
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\UC.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\RAR.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\PKZIP.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\PKUNZIP.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\NOCLOSE.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\LHA.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\ARJ.PIF
2009-06-21 11:22 . 2008-04-13 21:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-06-21 11:22 . 2008-04-13 21:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 07:03 . 2009-06-21 07:03 -------- d-----w- c:\program files\microsoft frontpage
2009-06-21 07:00 . 2009-06-21 07:00 84760 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-21 07:00 . 2009-06-21 07:00 -------- d-----w- c:\program files\MSBuild
2009-06-21 07:00 . 2009-06-21 07:00 -------- d-----w- c:\program files\Reference Assemblies
2009-06-21 06:57 . 2009-06-21 06:56 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-21 06:55 . 2009-06-21 06:55 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-21 06:51 . 2009-06-21 06:51 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-21 06:50 . 2009-06-21 06:50 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-21 06:49 . 2009-06-21 06:49 -------- d-----w- c:\program files\Microsoft
2009-06-21 06:49 . 2009-06-21 06:49 -------- d-----w- c:\program files\Windows Live
2009-06-21 06:48 . 2009-06-21 06:48 -------- d-----w- c:\program files\MSXML 4.0
2009-06-21 06:47 . 2009-06-21 06:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-14 12:49 . 2009-05-14 12:49 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 12:49 . 2009-05-14 12:49 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2009-05-14 12:49 . 2009-05-14 12:49 133000 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-05-14 12:47 . 2009-05-14 12:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 12:41 . 2009-05-14 12:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DWPersistentQueuedReporting"="c:\program files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE" [2007-02-26 437160]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 3:47 PM 731840]
.
Contents of the 'Scheduled Tasks' folder

2009-06-21 c:\windows\Tasks\User_Feed_Synchronization-{B5FB382B-BCBD-4300-8133-B432938347A2}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 03:31]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://linklol.com/homepage/
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-21 16:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-21 16:03
ComboFix-quarantined-files.txt 2009-06-21 13:03

Pre-Run: 70,562,025,472 bytes free
Post-Run: 70,638,682,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
