[Active] Persistent Win32:Rootkit-gen (Rtk)

#11
28-06-2009, 07:10 PM
broni
Senior Member
 
Join Date: Nov 2004
Posts: 2,273
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\4041241291.dat
c:\windows\winstart.bat
c:\windows\system32\drivers\Partizan.sys
c:\windows\system32\Partizan.exe
c:\windows\system32\drivers\lhllpn.sys
c:\windows\system32\drivers\chlixoxc.sys
c:\windows\system32\drivers\wwzbgb.sys
c:\windows\system32\Drivers\Winkq62.sys
c:\windows\system32\drivers\d1d76351.sys
c:\windows\system32\drivers\e43d787d.sys
c:\docume~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe
c:\windows\system32\drivers\Partizan.sys
c:\docume~1\ADMINI~1\LOCALS~1\Temp\FJL.exe
C:\sccfg.sys

Folder::
C:\FOUND.060
C:\FOUND.059
C:\FOUND.058
C:\FOUND.057
C:\FOUND.056
C:\FOUND.055
C:\FOUND.054
C:\FOUND.053
C:\FOUND.052
C:\FOUND.051
C:\FOUND.050
C:\FOUND.049


Driver::
abp470n5
dfzIw
kxzkm
Winkq62
Yla19
d1d76351
e43d787d
muxrxroeg
partizan
fjl

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq62.sys]

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
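As an added example (not ComboFix's own code and not part of the post), a Python pre-flight reader for the CFScript format used above: it parses the File::, Folder::, Driver::, Registry:: and RegLockDel:: sections and lists anything a helper should double-check before dragging the script onto ComboFix.exe, such as duplicate entries, core Windows binaries, whole drives or critical hive branches. The grammar is only the subset visible in the post, and PROTECTED and CRITICAL_KEYS are constructed, illustrative lists.

```python
"""Pre-flight reader for a ComboFix CFScript (added example; not ComboFix's own code).

Parses the section syntax shown in the post (File::, Folder::, Driver::, Registry::,
RegLockDel::) and lists what a helper should double-check before running it.
Assumed: the grammar below is the subset shown in the post; PROTECTED and
CRITICAL_KEYS are constructed, illustrative lists of things no removal script should hit.
"""
import re
from collections import Counter

# Constructed sample: the script posted above, trimmed to a few entries per section.
# Partizan.sys is listed twice, exactly as in the post, so the duplicate check fires.
SAMPLE_SCRIPT = """\
File::
c:\\windows\\system32\\4041241291.dat
c:\\windows\\system32\\drivers\\Partizan.sys
c:\\windows\\system32\\Partizan.exe
c:\\windows\\system32\\drivers\\Partizan.sys
C:\\sccfg.sys

Folder::
C:\\FOUND.060
C:\\FOUND.059

Driver::
partizan
fjl

Registry::
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\Winkq62.sys]

RegLockDel::
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # [KEY] selects a key, [-KEY] deletes it
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')     # "Name"=- deletes one value under the key


def parse_cfscript(text):
    """Return {section: [entries]}; Registry:: entries are (action, key, value) tuples."""
    sections, current, current_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            current_key = None
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        if current != "Registry":
            sections[current].append(line)      # File::, Folder::, Driver:: are plain lists
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(2)
            if km.group(1) == "-":
                sections[current].append(("delete_key", current_key, None))
            continue
        vm = VALUE_DEL_RE.match(line)
        if vm and current_key:
            sections[current].append(("delete_value", current_key, vm.group(1)))
            continue
        raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return sections


# Constructed: core binaries a removal script should never list.
PROTECTED = {
    r"c:\windows\system32\ntoskrnl.exe", r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\drivers\tcpip.sys", r"c:\windows\explorer.exe",
}
# Constructed: deleting either of these keys outright leaves the machine unbootable.
CRITICAL_KEYS = {
    r"hkey_local_machine\system\currentcontrolset\services",
    r"hkey_local_machine\system\currentcontrolset\control\safeboot\minimal",
}


def review(sections):
    """Return human-readable findings for the helper to check before running the script."""
    findings = []
    files = [p.lower() for p in sections.get("File", [])]
    for path, n in Counter(files).items():
        if n > 1:
            findings.append(f"duplicate File:: entry ({n}x): {path}")
    for path in files:
        if path in PROTECTED:
            findings.append(f"File:: targets a core Windows binary: {path}")
    for folder in sections.get("Folder", []):
        if re.fullmatch(r"[A-Za-z]:\\?", folder):
            findings.append(f"Folder:: would remove an entire drive: {folder}")
    for action, key, _value in sections.get("Registry", []):
        if action == "delete_key" and key.lower().rstrip("\\") in CRITICAL_KEYS:
            findings.append(f"Registry:: deletes a critical hive branch: {key}")
    return findings
```

Running `review(parse_cfscript(SAMPLE_SCRIPT))` on the sample reports only the duplicated Partizan.sys entry, which is harmless to ComboFix but worth noticing when a script is assembled by hand.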
#12
28-06-2009, 07:47 PM
bir_25
D-A-L Newbie
Join Date: Jun 2009
Posts: 19
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

Combofix log
-------------------------------------------------------------------------------------------
ComboFix 09-06-26.02 - Administrator 06/28/2009 23:59.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126.26 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090526-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\docume~1\ADMINI~1\LOCALS~1\Temp\FJL.exe"
"c:\docume~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe"
"C:\sccfg.sys"
"c:\windows\system32\4041241291.dat"
"c:\windows\system32\drivers\chlixoxc.sys"
"c:\windows\system32\drivers\d1d76351.sys"
"c:\windows\system32\drivers\e43d787d.sys"
"c:\windows\system32\drivers\lhllpn.sys"
"c:\windows\system32\drivers\Partizan.sys"
"c:\windows\system32\Drivers\Winkq62.sys"
"c:\windows\system32\drivers\wwzbgb.sys"
"c:\windows\system32\Partizan.exe"
"c:\windows\winstart.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.049
C:\FOUND.050
C:\FOUND.051
C:\FOUND.052
C:\FOUND.053
C:\FOUND.054
C:\FOUND.055
C:\FOUND.056
C:\FOUND.057
C:\FOUND.058
C:\FOUND.059
C:\FOUND.060
c:\windows\system32\4041241291.dat
c:\windows\system32\drivers\Partizan.sys
c:\windows\system32\Partizan.exe
c:\windows\winstart.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Legacy_fjl
-------\Legacy_muxrxroeg
-------\Legacy_PARTIZAN
-------\Legacy_YLA19
-------\Service_abp470n5
-------\Service_d1d76351
-------\Service_dfzIw
-------\Service_e43d787d
-------\Service_fjl
-------\Service_kxzkm
-------\Service_muxrxroeg
-------\Service_partizan
-------\Service_Winkq62
-------\Service_Yla19


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-28 16:57 . 2009-06-28 16:57 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-27 09:13 . 2009-06-27 09:13 3631375 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-26 16:33 . 2009-06-26 16:33 -------- d--h--w- c:\windows\$hf_mig$
2009-06-08 14:41 . 2009-06-08 14:41 -------- d-----w- c:\program files\Mario Forever Toolbar
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\program files\Winamp
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-05-31 17:36 . 2007-02-25 10:06 383238 ----a-w- c:\windows\system32\libmp3lame-0.dll
2009-05-31 17:36 . 2006-11-01 09:22 765952 ----a-w- c:\windows\system32\xvidcore.dll
2009-05-31 17:36 . 2007-02-28 22:48 4762112 ----a-w- c:\windows\system32\NCMedia.dll
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\98348586
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\18338594

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 07:50 . 2008-01-09 15:32 499712 ----a-w- c:\windows\system32\igfxtray.exe
2009-06-25 05:55 . 2008-05-16 10:32 60 ----a-w- c:\windows\wpd99.drv
2009-06-17 05:57 . 2009-05-27 16:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 05:57 . 2009-05-27 16:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 14:58 . 2009-05-28 06:44 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-05-28 06:41 . 2009-05-28 06:41 -------- d-----w- c:\program files\Greatis
2009-05-27 19:07 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-27 18:21 . 2009-05-27 18:21 -------- d--h--w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-25 18:06 . 2009-05-25 18:06 -------- d-----w- c:\program files\Trend Micro
2009-05-18 16:58 . 2008-01-09 15:40 37952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 14:36 . 2009-05-12 14:36 -------- d-----w- c:\program files\PublicSoft
2009-05-12 08:43 . 2009-05-12 08:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fast Torrent
2009-05-08 08:49 . 2009-05-08 08:49 -------- d-----w- c:\program files\WinDjView
2009-05-07 15:46 . 2009-05-07 15:45 162816 ----a-w- c:\windows\system32\fmod.dll
2009-05-07 15:20 . 2009-05-07 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-07 15:11 . 2009-05-07 15:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
.

------- Sigcheck -------

[-] 2004-08-03 12:14 359040 1745B00FC1141404B28F4B94F69A8871 c:\windows\system32\drivers\tcpip.sys
[-] 2004-08-03 12:14 359040 1745B00FC1141404B28F4B94F69A8871 c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-06-28_16.56.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-28 18:33 . 2009-06-28 18:34 16384 c:\windows\temp\Perflib_Perfdata_cf0.dat
+ 2009-06-28 18:39 . 2009-06-28 18:39 16384 c:\windows\temp\Perflib_Perfdata_6fc.dat
+ 2009-06-28 16:57 . 2004-08-03 13:56 82944 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-28 16:57 . 2004-08-03 13:56 24576 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-28 16:57 . 2004-08-03 13:56 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-28 16:57 . 2004-08-03 13:56 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-28 16:57 . 2004-08-03 13:56 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-28 16:57 . 2004-08-03 13:56 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-28 16:57 . 2004-08-03 11:58 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-28 16:57 . 2004-08-03 12:00 29056 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-28 16:57 . 2004-08-03 13:56 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-28 16:57 . 2004-08-03 19:26 111104 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-28 16:57 . 2004-08-03 13:56 502272 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-28 16:57 . 2004-08-03 13:56 656384 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-28 16:57 . 2004-08-03 13:56 577024 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-28 16:57 . 2004-08-03 19:26 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-28 16:57 . 2004-08-03 13:56 108032 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-28 16:57 . 2004-08-03 12:14 182912 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-28 16:57 . 2004-08-03 13:56 983552 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-28 16:57 . 2004-08-03 13:56 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-28 16:57 . 2004-08-03 13:56 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-28 16:57 . 2004-08-03 13:56 1580544 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-28 16:57 . 2004-08-03 12:20 2180992 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-28 16:57 . 2004-08-03 14:05 2056832 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-28 16:57 . 2004-08-03 13:56 1032192 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-28 499712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-09-08 114688]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-04-24 132608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"e:\\Program Files\\Rediff Bol\\RediffMessenger.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\hkcmd.exe"= c:\\WINDOWS\\system32\\hkcmd.exe
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\3quuvdu7.exe"=
"e:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Trend Micro\\HijackThis\\HijackThise.exe"=
"e:\\Program Files\\Mario Forever\\Mario Forever.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
"c:\\WINDOWS\\system32\\CF20662.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/2/2008 5:17 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2008 5:17 PM 20560]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [1/9/2008 9:10 PM 18004]
S2 AdobeHidServ;Adobe LM Service AdobeHidServ; srv --> srv [?]
S2 ALGlanmanserverWmi;Application Layer Gateway Service ALGlanmanserverWmi; srv --> srv [?]
S2 AudioSrvRemoteAccess;Windows Audio AudioSrvRemoteAccess; srv --> srv [?]
S2 AudioSrvScheduleThemesose;Windows Audio AudioSrvScheduleThemesose; srv --> srv [?]
S2 AudioSrvUPSWZCSVC;Windows Audio AudioSrvUPSWZCSVC; srv --> srv [?]
S2 avast!lanmanserverWmiNetDDE;avast! Web Scanner avast!lanmanserverWmiNetDDE; srv --> srv [?]
S2 dmadminSCardSvr;Logical Disk Manager Administrative Service dmadminSCardSvr; srv --> srv [?]
S2 dmserverBITS;Logical Disk Manager dmserverBITS; srv --> srv [?]
S2 ERSvcNtLmSsp;Error Reporting Service ERSvcNtLmSsp; srv --> srv [?]
S2 ERSvcRemoteRegistryAdobeHidServ;Error Reporting Service ERSvcRemoteRegistryAdobeHidServ; srv --> srv [?]
S2 EventlogDhcp;Event Log EventlogDhcp; srv --> srv [?]
S2 EventSystemWZCSVC;COM+ Event System EventSystemWZCSVC; srv --> srv [?]
S2 lanmanserverWmi;Server lanmanserverWmi; srv --> srv [?]
S2 lanmanserverWmiNetDDE;Server lanmanserverWmi lanmanserverWmiNetDDE; srv --> srv [?]
S2 LmHostsAudioSrvRemoteAccess;TCP/IP NetBIOS Helper LmHostsAudioSrvRemoteAccess; srv --> srv [?]
S2 LmHostsMSIServerRemoteRegistry;TCP/IP NetBIOS Helper LmHostsMSIServerRemoteRegistry; srv --> srv [?]
S2 MSIServerRemoteRegistry;Windows Installer MSIServerRemoteRegistry; srv --> srv [?]
S2 MSIServerRemoteRegistryRemoteAccess;Windows Installer MSIServerRemoteRegistry MSIServerRemoteRegistryRemoteAccess; srv --> srv [?]
S2 NetDDEAppMgmt;Network DDE NetDDEAppMgmt; srv --> srv [?]
S2 NetDDEdsdmFastUserSwitchingCompatibility;Network DDE DSDM NetDDEdsdmFastUserSwitchingCompatibility; srv --> srv [?]
S2 NetlogonNetDDEdsdm;Net Logon NetlogonNetDDEdsdm; srv --> srv [?]
S2 NetlogonW32Time;Net Logon NetlogonW32Time; srv --> srv [?]
S2 PlugPlayThemes;Plug and Play PlugPlayThemes; srv --> srv [?]
S2 RemoteRegistryAdobeHidServ;Remote Registry RemoteRegistryAdobeHidServ; srv --> srv [?]
S2 RemoteRegistryMSIServer;Remote Registry RemoteRegistryMSIServer; srv --> srv [?]
S2 RpcSsxmlprov;Remote Procedure Call (RPC) RpcSsxmlprov; srv --> srv [?]
S2 RSVPTermService;QoS RSVP RSVPTermService; srv --> srv [?]
S2 RSVPUPSWZCSVC;QoS RSVP RSVPUPSWZCSVC; srv --> srv [?]
S2 ScheduleThemes;Schedule ScheduleThemes; srv --> srv [?]
S2 ScheduleThemesose;Schedule ScheduleThemes ScheduleThemesose; srv --> srv [?]
S2 SpoolerNetlogonNetDDEdsdm;Print Spooler SpoolerNetlogonNetDDEdsdm; srv --> srv [?]
S2 TapiSrvLmHosts;Telephony TapiSrvLmHosts; srv --> srv [?]
S2 TermServiceUMWdf;Terminal Services TermServiceUMWdf; srv --> srv [?]
S2 UPSThemes;Uninterruptible Power Supply UPSThemes; srv --> srv [?]
S2 UPSWZCSVC;Uninterruptible Power Supply UPSWZCSVC; srv --> srv [?]
S2 UPSWZCSVCWmiApSrvEventlogDhcp;Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp; srv --> srv [?]
S2 W32TimeHTTPFilter;Windows Time W32TimeHTTPFilter; srv --> srv [?]
S2 WmiApSrvEventlogDhcp;WMI Performance Adapter WmiApSrvEventlogDhcp; srv --> srv [?]
S2 WZCSVCMSIServer;Wireless Zero Configuration WZCSVCMSIServer; srv --> srv [?]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [3/30/2009 2:47 PM 48896]
S3 regguard;RegGuard;c:\windows\system32\drivers\regguard.sys [5/28/2009 12:14 PM 29584]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder

2009-06-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-31 16:14]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orissalinks.com/archive
IE: Download all with Free Download Manager - file://e:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://e:\program files\Free Download Manager\dlselected.htm
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vyi0rjd6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=Ehu&q=displacement+current+filetype%3Aswf&btnG=Search&meta=
FF - component: e:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-29 00:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 8192 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AdobeHidServ]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALGlanmanserverWmi]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvRemoteAccess]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvScheduleThemesose]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvUPSWZCSVC]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\avast!lanmanserverWmiNetDDE]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmadminSCardSvr]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmserverBITS]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ERSvcNtLmSsp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ERSvcRemoteRegistryAdobeHidServ]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EventlogDhcp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EventSystemWZCSVC]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserverWmi]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserverWmiNetDDE]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LmHostsAudioSrvRemoteAccess]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LmHostsMSIServerRemoteRegistry]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSIServerRemoteRegistry]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSIServerRemoteRegistryRemoteAccess]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetDDEAppMgmt]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetDDEdsdmFastUserSwitchingCompatibility]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetlogonNetDDEdsdm]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetlogonW32Time]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PlugPlayThemes]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RemoteRegistryAdobeHidServ]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RemoteRegistryMSIServer]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RpcSsxmlprov]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RSVPTermService]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RSVPUPSWZCSVC]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ScheduleThemes]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ScheduleThemesose]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SpoolerNetlogonNetDDEdsdm]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TapiSrvLmHosts]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TermServiceUMWdf]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSThemes]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSWZCSVC]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSWZCSVCWmiApSrvEventlogDhcp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\W32TimeHTTPFilter]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WmiApSrvEventlogDhcp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WZCSVCMSIServer]
"ImagePath"=" srv"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\SYSTEM32\WDFMGR.EXE
.
**************************************************************************
.
Completion time: 2009-06-28 0:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-28 18:42
ComboFix2.txt 2009-06-28 17:00

Pre-Run: 3,591,733,248 bytes free
Post-Run: 3,625,631,744 bytes free

530
---------------------------------------------------------------------------------------------------------
HJT log after combofix operation
---------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:31 AM, on 6/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThise.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ibbc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Archive
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe LM Service AdobeHidServ (AdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Application Layer Gateway Service ALGlanmanserverWmi (ALGlanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Windows Audio AudioSrvRemoteAccess (AudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvScheduleThemesose (AudioSrvScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvUPSWZCSVC (AudioSrvUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: avast! Web Scanner avast!lanmanserverWmiNetDDE (avast!lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service dmadminSCardSvr (dmadminSCardSvr) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager dmserverBITS (dmserverBITS) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcNtLmSsp (ERSvcNtLmSsp) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcRemoteRegistryAdobeHidServ (ERSvcRemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Event Log EventlogDhcp (EventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: COM+ Event System EventSystemWZCSVC (EventSystemWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Server lanmanserverWmi (lanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: Server lanmanserverWmi lanmanserverWmiNetDDE (lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsAudioSrvRemoteAccess (LmHostsAudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsMSIServerRemoteRegistry (LmHostsMSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry (MSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry MSIServerRemoteRegistryRemoteAccess (MSIServerRemoteRegistryRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Network DDE NetDDEAppMgmt (NetDDEAppMgmt) - Unknown owner - .exe (file missing)
O23 - Service: Network DDE DSDM NetDDEdsdmFastUserSwitchingCompatibility (NetDDEdsdmFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonNetDDEdsdm (NetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonW32Time (NetlogonW32Time) - Unknown owner - .exe (file missing)
O23 - Service: Plug and Play PlugPlayThemes (PlugPlayThemes) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryAdobeHidServ (RemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryMSIServer (RemoteRegistryMSIServer) - Unknown owner - .exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsxmlprov (RpcSsxmlprov) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPTermService (RSVPTermService) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPUPSWZCSVC (RSVPUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes (ScheduleThemes) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes ScheduleThemesose (ScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Print Spooler SpoolerNetlogonNetDDEdsdm (SpoolerNetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Telephony TapiSrvLmHosts (TapiSrvLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: Terminal Services TermServiceUMWdf (TermServiceUMWdf) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSThemes (UPSThemes) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC (UPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp (UPSWZCSVCWmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Windows Time W32TimeHTTPFilter (W32TimeHTTPFilter) - Unknown owner - .exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvEventlogDhcp (WmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Wireless Zero Configuration WZCSVCMSIServer (WZCSVCMSIServer) - Unknown owner - .exe (file missing)

--
End of file - 8049 bytes
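
As an added example that is not part of the thread and not code from HijackThis or ComboFix, here is a small Python triage of O23 service lines like those in the log above. It flags entries whose image file is missing and whose short name is a concatenation of legitimate Windows XP service names, the pattern every bogus service in this log shares; the KNOWN_SERVICES list is a partial assumption, the function names are hypothetical, and the sample lines are copied from the log.

```python
"""Triage of HijackThis O23 service lines for the pattern in the log above.

Added example, not part of the thread and not code from HijackThis or
ComboFix.  Assumptions: KNOWN_SERVICES is a partial, hand-picked list of
legitimate Windows XP service short names, and every function name here is
hypothetical.
"""
import re
from typing import Optional

# Partial list of legitimate Windows XP service short names (assumed for the
# demo; in practice build it from a clean reference machine of the same SP).
KNOWN_SERVICES = {
    "ALG", "AppMgmt", "AudioSrv", "BITS", "Dhcp", "dmadmin", "dmserver",
    "ERSvc", "Eventlog", "EventSystem", "FastUserSwitchingCompatibility",
    "HTTPFilter", "lanmanserver", "LmHosts", "MSIServer", "NetDDE",
    "NetDDEdsdm", "Netlogon", "NtLmSsp", "ose", "PlugPlay", "RemoteAccess",
    "RemoteRegistry", "RpcSs", "RSVP", "SCardSvr", "Schedule", "Spooler",
    "TapiSrv", "TermService", "Themes", "UMWdf", "UPS", "W32Time", "Wmi",
    "WmiApSrv", "WZCSVC", "xmlprov",
}

# "O23 - Service: <display> (<short name>) - <owner> - <image path>"
# The "(<short name>)" part is absent when display and short name coincide.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)"
    r"(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.*?) - (?P<path>.*)$"
)

# Sample lines copied from the HijackThis log above (clean entries, one entry
# with an unknown owner but a real file, and three bogus services).
SAMPLE_LOG = [
    r"O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe",
    r"O23 - Service: Adobe LM Service AdobeHidServ (AdobeHidServ) - Unknown owner - .exe (file missing)",
    r"O23 - Service: Windows Audio AudioSrvScheduleThemesose (AudioSrvScheduleThemesose) - Unknown owner - .exe (file missing)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe",
    r"O23 - Service: Uninterruptible Power Supply UPSWZCSVCWmiApSrvEventlogDhcp (UPSWZCSVCWmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)",
]


def parse_o23(line: str) -> Optional[dict]:
    """Split one O23 line into display/name/owner/path; None for other lines."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def decompose(name: str) -> Optional[list]:
    """Return the two or more known service names whose concatenation equals
    `name`, or None if `name` is itself a known service or cannot be split."""
    if name in KNOWN_SERVICES:
        return None

    def split(rest: str) -> Optional[list]:
        if rest == "":
            return []
        # Longest known prefix first, so "NetDDEdsdm" is tried before "NetDDE".
        for svc in sorted(KNOWN_SERVICES, key=len, reverse=True):
            if rest.startswith(svc):
                tail = split(rest[len(svc):])
                if tail is not None:
                    return [svc] + tail
        return None

    parts = split(name)
    return parts if parts is not None and len(parts) >= 2 else None


def triage(lines) -> list:
    """Flag O23 entries whose image file is missing or whose short name is a
    mash-up of legitimate service names.  'Unknown owner' on its own is not a
    finding: legitimate third-party services (RichVideo here) show it too."""
    findings = []
    for line in lines:
        rec = parse_o23(line)
        if rec is None:
            continue
        name = rec["name"] or rec["display"]
        reasons = []
        # HijackThis prints "(file missing)" when the service ImagePath does
        # not resolve to a file; ComboFix showed these with ImagePath " srv".
        if "(file missing)" in rec["path"]:
            reasons.append("image file missing: " + rec["path"])
        parts = decompose(name)
        if parts:
            reasons.append("name is a concatenation of known services: "
                           + "+".join(parts))
        if reasons:
            findings.append({"name": name, "owner": rec["owner"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], "<-", "; ".join(f["reasons"]))
```

The output is a review list for the helper, not an automatic removal list: a name that decomposes but whose file exists still deserves a manual look before anything is scripted against it.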
  #13 (permalink)  
Old 28-06-2009, 07:50 PM
Newbie
D-A-L Newbie
 
Join Date: Jun 2009
Posts: 19
bir_25 Is a beginner here at D-A-L
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

Avast has been shutdown in the same manner with the same dialog box.
  #14 (permalink)  
Old 28-06-2009, 08:34 PM
broni's Avatar
Senior Member
 
Join Date: Nov 2004
Posts: 2,273
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

Uninstall Combofix:

Go Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u"
Restart computer.


Please download DrWeb CureIt (Dr.Web CureIt! - download free anti-virus! Cure viruses, Best free anti-virus scanner!) & save it to your desktop.

Scan with DrWeb-CureIt as follows:

* Double-click on drweb-cureit.exe and then click Start. Click OK in a pop-up window allowing Express Scan
  o This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, click Options > Change settings
* Choose the Scan tab and uncheck Heuristic analysis and click OK
* Back at the main window, select the Complete scan button.
* Then click the Green Arrow Start Scanning button on the right and the scan will start.
  o Click Yes to all if it asks if you want to cure/move any file(s).
* When the scan is done...
* In the Dr.Web CureIt menu on top left, click File and choose Save report list.
* Save the DrWeb.csv report to your Desktop.
* Exit Dr.Web CureIt.


* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

* After reboot. Leave the Dr. Web CureIt log on the desktop.

Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

NOTE. During the scan a pop-up window will appear, asking you to buy a full version. Simply close the pop-up window.
__________________
My Home Page
  #15 (permalink)  
Old 28-06-2009, 09:28 PM
Newbie
D-A-L Newbie
 
Join Date: Jun 2009
Posts: 19
bir_25 Is a beginner here at D-A-L
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

Not only the link provided by you but all the other links for Dr. Web CureIt take too much time to load, so I'm unable to download it. Is it normal for it to take this long?
  #16 (permalink)  
Old 28-06-2009, 09:51 PM
broni's Avatar
Senior Member
 
Join Date: Nov 2004
Posts: 2,273
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

No. It's most likely the infection blocking it.

Try this link: http://www.filedropper.com/jg9xy77d
The file is renamed for a reason.
Double click on downloaded file, and follow the manual from my previous reply.
__________________
My Home Page
  #17 (permalink)  
Old 29-06-2009, 09:35 AM
Newbie
D-A-L Newbie
 
Join Date: Jun 2009
Posts: 19
bir_25 Is a beginner here at D-A-L
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

The download doesn't seem to progress in IE's dialog box. I tried it with Firefox, but that wasn't of any use either.

Perhaps the malware blocks the file on account of its size and extension, as other exes are still downloadable. You can change both if you think so.
  #18 (permalink)  
Old 29-06-2009, 04:08 PM
broni's Avatar
Senior Member
 
Join Date: Nov 2004
Posts: 2,273
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

I just sent you PM about the issue.
__________________
My Home Page
  #19 (permalink)  
Old 29-06-2009, 11:40 PM
broni's Avatar
Senior Member
 
Join Date: Nov 2004
Posts: 2,273
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

This is the PM I received from bir_25:
Quote:
The screen doesn't go beyond this.
http://i257.photobucket.com/albums/h...kan619/ree.jpg

Every time, each of my Windows sessions lasts approx 1 min, after which I've to restart. So my replies are getting slowed down. This very PM has taken 3 restarts.

I think I'm having the Virut virus. ComboFix also warned me of the possibility of this infection with a dialog box. This deadly virus gets into one's PC through P2P sharing. Exactly, I was having my P2P shield of avast off and it got through while P2P sharing.
THIS WAS MY MISTAKE!!

I have tried to download a tool for this infection from Symantec but the download seems to stop at 99%
Let's run Combofix again....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.
__________________
My Home Page
  #20 (permalink)  
Old 30-06-2009, 07:36 AM
Newbie
D-A-L Newbie
 
Join Date: Jun 2009
Posts: 19
bir_25 Is a beginner here at D-A-L
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

Combofix log
-------------------------------------------------------------------------------------------
ComboFix 09-06-29.04 - Administrator 06/30/2009 11:31.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126.16 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090526-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\clofghls.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-30 05:48 . 2009-06-30 05:48 -------- d-sh--w- C:\FOUND.000
2009-06-29 17:29 . 2009-06-29 17:29 -------- d-sh--w- C:\FOUND.051
2009-06-29 15:43 . 2009-06-29 15:43 -------- d-sh--w- C:\FOUND.050
2009-06-29 14:56 . 2009-06-29 14:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-29 14:56 . 2009-06-29 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 07:57 . 2009-06-29 07:57 -------- d-sh--w- C:\FOUND.049
2009-06-27 09:13 . 2009-06-27 09:13 3631375 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-26 16:33 . 2009-06-26 16:33 -------- d--h--w- c:\windows\$hf_mig$
2009-06-08 14:41 . 2009-06-08 14:41 -------- d-----w- c:\program files\Mario Forever Toolbar
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\program files\Winamp
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-05-31 17:36 . 2007-02-25 10:06 383238 ----a-w- c:\windows\system32\libmp3lame-0.dll
2009-05-31 17:36 . 2006-11-01 09:22 765952 ----a-w- c:\windows\system32\xvidcore.dll
2009-05-31 17:36 . 2007-02-28 22:48 4762112 ----a-w- c:\windows\system32\NCMedia.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 07:50 . 2008-01-09 15:32 499712 ----a-w- c:\windows\system32\igfxtray.exe
2009-06-25 05:55 . 2008-05-16 10:32 60 ----a-w- c:\windows\wpd99.drv
2009-06-17 05:57 . 2009-05-27 16:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 05:57 . 2009-05-27 16:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 14:58 . 2009-05-28 06:44 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\98348586
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\18338594
2009-05-28 06:41 . 2009-05-28 06:41 -------- d-----w- c:\program files\Greatis
2009-05-27 19:07 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-27 18:21 . 2009-05-27 18:21 -------- d--h--w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-25 18:06 . 2009-05-25 18:06 -------- d-----w- c:\program files\Trend Micro
2009-05-18 16:58 . 2008-01-09 15:40 37952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 14:36 . 2009-05-12 14:36 -------- d-----w- c:\program files\PublicSoft
2009-05-12 08:43 . 2009-05-12 08:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fast Torrent
2009-05-08 08:49 . 2009-05-08 08:49 -------- d-----w- c:\program files\WinDjView
2009-05-07 15:46 . 2009-05-07 15:45 162816 ----a-w- c:\windows\system32\fmod.dll
2009-05-07 15:20 . 2009-05-07 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-07 15:11 . 2009-05-07 15:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-28 499712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-09-08 114688]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-04-24 132608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"e:\\Program Files\\Rediff Bol\\RediffMessenger.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\hkcmd.exe"= c:\\WINDOWS\\system32\\hkcmd.exe
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"e:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Trend Micro\\HijackThis\\HijackThise.exe"=
"e:\\Program Files\\Mario Forever\\Mario Forever.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
"c:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"=
"e:\\spybotsd162.exe"=
"c:\\WINDOWS\\system32\\CF12388.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\lhllpn.sys --> c:\windows\system32\drivers\lhllpn.sys [?]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [1/9/2008 9:10 PM 18004]
S2 AdobeHidServ;Adobe LM Service AdobeHidServ; srv --> srv [?]
S2 ALGlanmanserverWmi;Application Layer Gateway Service ALGlanmanserverWmi; srv --> srv [?]
S2 AudioSrvRemoteAccess;Windows Audio AudioSrvRemoteAccess; srv --> srv [?]
S2 AudioSrvScheduleThemesose;Windows Audio AudioSrvScheduleThemesose; srv --> srv [?]
S2 AudioSrvUPSWZCSVC;Windows Audio AudioSrvUPSWZCSVC; srv --> srv [?]
S2 avast!lanmanserverWmiNetDDE;avast! Web Scanner avast!lanmanserverWmiNetDDE; srv --> srv [?]
S2 dmadminSCardSvr;Logical Disk Manager Administrative Service dmadminSCardSvr; srv --> srv [?]
S2 dmserverBITS;Logical Disk Manager dmserverBITS; srv --> srv [?]
S2 ERSvcNtLmSsp;Error Reporting Service ERSvcNtLmSsp; srv --> srv [?]
S2 ERSvcRemoteRegistryAdobeHidServ;Error Reporting Service ERSvcRemoteRegistryAdobeHidServ; srv --> srv [?]
S2 EventlogDhcp;Event Log EventlogDhcp; srv --> srv [?]
S2 EventSystemWZCSVC;COM+ Event System EventSystemWZCSVC; srv --> srv [?]
S2 lanmanserverWmi;Server lanmanserverWmi; srv --> srv [?]
S2 lanmanserverWmiNetDDE;Server lanmanserverWmi lanmanserverWmiNetDDE; srv --> srv [?]
S2 LmHostsAudioSrvRemoteAccess;TCP/IP NetBIOS Helper LmHostsAudioSrvRemoteAccess; srv --> srv [?]
S2 LmHostsMSIServerRemoteRegistry;TCP/IP NetBIOS Helper LmHostsMSIServerRemoteRegistry; srv --> srv [?]
S2 MSIServerRemoteRegistry;Windows Installer MSIServerRemoteRegistry; srv --> srv [?]
S2 MSIServerRemoteRegistryRemoteAccess;Windows Installer MSIServerRemoteRegistry MSIServerRemoteRegistryRemoteAccess; srv --> srv [?]
S2 NetDDEAppMgmt;Network DDE NetDDEAppMgmt; srv --> srv [?]
S2 NetDDEdsdmFastUserSwitchingCompatibility;Network DDE DSDM NetDDEdsdmFastUserSwitchingCompatibility; srv --> srv [?]
S2 NetlogonNetDDEdsdm;Net Logon NetlogonNetDDEdsdm; srv --> srv [?]
S2 NetlogonW32Time;Net Logon NetlogonW32Time; srv --> srv [?]
S2 PlugPlayThemes;Plug and Play PlugPlayThemes; srv --> srv [?]
S2 RemoteRegistryAdobeHidServ;Remote Registry RemoteRegistryAdobeHidServ; srv --> srv [?]
S2 RemoteRegistryMSIServer;Remote Registry RemoteRegistryMSIServer; srv --> srv [?]
S2 RpcSsxmlprov;Remote Procedure Call (RPC) RpcSsxmlprov; srv --> srv [?]
S2 RSVPTermService;QoS RSVP RSVPTermService; srv --> srv [?]
S2 RSVPUPSWZCSVC;QoS RSVP RSVPUPSWZCSVC; srv --> srv [?]
S2 ScheduleThemes;Schedule ScheduleThemes; srv --> srv [?]
S2 ScheduleThemesose;Schedule ScheduleThemes ScheduleThemesose; srv --> srv [?]
S2 SpoolerNetlogonNetDDEdsdm;Print Spooler SpoolerNetlogonNetDDEdsdm; srv --> srv [?]
S2 TapiSrvLmHosts;Telephony TapiSrvLmHosts; srv --> srv [?]
S2 TermServiceUMWdf;Terminal Services TermServiceUMWdf; srv --> srv [?]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [3/30/2009 2:47 PM 48896]
S3 regguard;RegGuard;c:\windows\system32\drivers\regguard.sys [5/28/2009 12:14 PM 29584]
.
Contents of the 'Scheduled Tasks' folder

2009-06-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-31 16:14]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = nnnnnhxxp://www.orissalinks.com/archive
IE: Download all with Free Download Manager - file://e:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://e:\program files\Free Download Manager\dlselected.htm
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vyi0rjd6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=Ehu&q=displacement+current+filetype%3Aswf&btnG=Search&meta=
FF - component: e:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-30 11:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 8192 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AdobeHidServ]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALGlanmanserverWmi]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvRemoteAccess]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvScheduleThemesose]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvUPSWZCSVC]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\avast!lanmanserverWmiNetDDE]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmadminSCardSvr]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmserverBITS]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ERSvcNtLmSsp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ERSvcRemoteRegistryAdobeHidServ]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EventlogDhcp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EventSystemWZCSVC]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserverWmi]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserverWmiNetDDE]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LmHostsAudioSrvRemoteAccess]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LmHostsMSIServerRemoteRegistry]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSIServerRemoteRegistry]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSIServerRemoteRegistryRemoteAccess]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetDDEAppMgmt]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetDDEdsdmFastUserSwitchingCompatibility]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetlogonNetDDEdsdm]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetlogonW32Time]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PlugPlayThemes]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RemoteRegistryAdobeHidServ]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RemoteRegistryMSIServer]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RpcSsxmlprov]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RSVPTermService]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RSVPUPSWZCSVC]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ScheduleThemes]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ScheduleThemesose]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SpoolerNetlogonNetDDEdsdm]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TapiSrvLmHosts]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TermServiceUMWdf]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSThemes]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSWZCSVC]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSWZCSVCWmiApSrvEventlogDhcp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\W32TimeHTTPFilter]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WmiApSrvEventlogDhcp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WZCSVCMSIServer]
"ImagePath"=" srv"
.
Completion time: 2009-06-30 11:49
ComboFix-quarantined-files.txt 2009-06-30 06:19
ComboFix2.txt 2009-06-28 18:42

Pre-Run: 3,499,737,088 bytes free
Post-Run: 3,656,032,256 bytes free

274
-------------------------------------------------------------------------------------------
HJT log after ComboFix operation
-------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:09 PM, on 6/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cymgr.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\otlne.exe
C:\Program Files\Trend Micro\HijackThis\HijackThise.exe
C:\WINDOWS\system32\dwwin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = nnnnnhttp://www.orissalinks.com/archive
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD82BFDE-F7A3-44E7-9B0D-81EEA9F6F16D}: NameServer = 218.248.255.162 218.248.255.194
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe LM Service AdobeHidServ (AdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Application Layer Gateway Service ALGlanmanserverWmi (ALGlanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvRemoteAccess (AudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvScheduleThemesose (AudioSrvScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvUPSWZCSVC (AudioSrvUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: avast! Web Scanner avast!lanmanserverWmiNetDDE (avast!lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service dmadminSCardSvr (dmadminSCardSvr) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager dmserverBITS (dmserverBITS) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcNtLmSsp (ERSvcNtLmSsp) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcRemoteRegistryAdobeHidServ (ERSvcRemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Event Log EventlogDhcp (EventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: COM+ Event System EventSystemWZCSVC (EventSystemWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Server lanmanserverWmi (lanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: Server lanmanserverWmi lanmanserverWmiNetDDE (lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsAudioSrvRemoteAccess (LmHostsAudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsMSIServerRemoteRegistry (LmHostsMSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry (MSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry MSIServerRemoteRegistryRemoteAccess (MSIServerRemoteRegistryRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Network DDE NetDDEAppMgmt (NetDDEAppMgmt) - Unknown owner - .exe (file missing)
O23 - Service: Network DDE DSDM NetDDEdsdmFastUserSwitchingCompatibility (NetDDEdsdmFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonNetDDEdsdm (NetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonW32Time (NetlogonW32Time) - Unknown owner - .exe (file missing)
O23 - Service: Plug and Play PlugPlayThemes (PlugPlayThemes) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryAdobeHidServ (RemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryMSIServer (RemoteRegistryMSIServer) - Unknown owner - .exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsxmlprov (RpcSsxmlprov) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPTermService (RSVPTermService) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPUPSWZCSVC (RSVPUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes (ScheduleThemes) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes ScheduleThemesose (ScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Print Spooler SpoolerNetlogonNetDDEdsdm (SpoolerNetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Telephony TapiSrvLmHosts (TapiSrvLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: Terminal Services TermServiceUMWdf (TermServiceUMWdf) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSThemes (UPSThemes) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC (UPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp (UPSWZCSVCWmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Windows Time W32TimeHTTPFilter (W32TimeHTTPFilter) - Unknown owner - .exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvEventlogDhcp (WmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Wireless Zero Configuration WZCSVCMSIServer (WZCSVCMSIServer) - Unknown owner - .exe (file missing)

--
End of file - 7831 bytes