Fun times with Windows Police Pro.
Thread Solved
#22 Oct 20th, 2009
It won't run. It doesn't give me an error message or anything, it just doesn't do anything after I double click it :/.
type %userprofile%\desktop\FindWPP\RunThis.bat ENTER
-- See if you are now able to copy combofix to the desktop. Do that, if possible.
PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
ASAP
#23 Oct 20th, 2009
The command prompt certainly is useful. I gotta learn a bit more about how to play with it, I think.
Microsoft Windows XP [Version 5.1.2600]
21/10/2009
02:02
FindWPP is running from C:\DOCUME~1\GREGRO~1
RUNNING PROCESSES
EXE KEY MODIFIED?
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\pump.exe \"%1\" %*"
CHECKING SELECT POLICIES KEYS
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
LOOKING FOR REPLACED FILES
Looking for cngaudit.dll
Looking for eventlog.dll
Looking for imm32.dll
Looking for logevent.dll
Looking for netlogon.dll
Looking for ntelogon.dll
Looking for qmgr.dll
Looking for rasauto.dll
Looking for scecli.dll
Looking for sceclt.dll
Looking for sfcfiles.dll
LOOKING FOR SUSPICIOUS FILES
SEARCH AND DESTROY KNOWN FILES
Looking for windows Police Pro.exe
No matches found.
Looking for Windows Antivirus Pro.exe
No matches found.
Looking for ~.exe
No matches found.
Looking for bennuar.old
No matches found.
Looking for bincd32.dat
No matches found.
Looking for braviax.exe
No matches found.
No matches found.
Looking for cru629.dat
No matches found.
No matches found.
Looking for dbsinit.exe
No matches found.
Looking for dddesot.dll
No matches found.
Looking for desot.exe
No matches found.
Looking for desote.exe
No matches found.
Looking for ppp3.dat
No matches found.
Looking for ppp4.dat
No matches found.
Looking for qcfbc.wbg
No matches found.
Looking for _scui.cpl
No matches found.
Looking for sysnet.dat
No matches found.
Looking for svchast.exe
No matches found.
Looking for svchasts.exe
No matches found.
Looking for wisdstr.exe
No matches found.
Looking for wispex.html
No matches found.
Looking for wiwow64.exe
No matches found.
EXE KEY STILL MODIFIED?
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
SUSPECT REG KEYS
Nothing Found By This Tool!
CHECKING MBAM
No matches found.
ComboFix is on my desktop, too.
#24 Oct 20th, 2009
The command prompt certainly is useful. I gotta learn a bit more about how to play with it, I think.
That said, this is odd - that log looks as though my batch only partially ran properly - odd.
At least it was able to change this:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\pump.exe \"%1\" %*"
Back to what it is supposed to be:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
The rest is odd...
---- Try running Win32kDiag.exe again and see if same error.
If it won't run, try combofix below.
If it does run, post me the log.
See if you can Run Combofix now - let me know.
type %userprofile%\desktop\combo-fix.exe /KillAll ENTER
You may not be able to update it - no worries.
PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
ASAP
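One way to read FindWPP-style key dumps like the one above automatically and flag the exefile hijack (and the NoDriveTypeAutoRun setting the log also prints). This is an added example in Python, not the forum's batch file; the key paths and sample values are copied from post #23, the check logic is my own.

```python
"""Parse REGEDIT4-style key dumps (the format FindWPP printed in this thread)
and flag the exefile shell\open\command hijack the helper pointed out.

Assumption: the dump uses regedit export escaping (a backslash before every
backslash and double quote, as in the log above)."""
import re

# What Windows sets for exefile\shell\open\command by default: run the clicked
# program with its arguments.  Anything else means every .exe launch is routed
# through another binary first (pump.exe in this thread).
DEFAULT_EXEFILE_CMD = '"%1" %*'

# NoDriveTypeAutoRun: bit n disables AutoRun for GetDriveType() value n.
AUTORUN_BITS = [
    (0x01, "unknown"), (0x02, "no_root_dir"), (0x04, "removable"),
    (0x08, "fixed"), (0x10, "remote"), (0x20, "cdrom"), (0x40, "ramdisk"),
]


def _decode_value(raw):
    """dword:XXXXXXXX -> int; "..." -> unescaped str; anything else verbatim."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    return raw


def parse_reg_export(text):
    """Return {key_lowercase: {name_lowercase: value}}; '@' is the default value."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue  # banner lines such as 'EXE KEY MODIFIED?' are skipped
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1].lower()
        keys[current][name] = _decode_value(m.group(2))
    return keys


def check_exefile_hijack(keys):
    """Return the hijacking command, or None if the key is default or absent."""
    cmd = keys.get(r"hkey_classes_root\exefile\shell\open\command", {}).get("@")
    if cmd is None or cmd == DEFAULT_EXEFILE_CMD:
        return None
    return cmd


def autorun_disabled_for(value):
    """Drive types whose AutoRun is switched off by a NoDriveTypeAutoRun dword."""
    return [name for bit, name in AUTORUN_BITS if value & bit]


def findings(text):
    """Human-readable list of what is wrong in one dump (empty list = clean)."""
    keys = parse_reg_export(text)
    out = []
    hijack = check_exefile_hijack(keys)
    if hijack:
        out.append("exefile open command hijacked: " + hijack)
    explorer = keys.get(
        r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer", {})
    if "nodrivetypeautorun" in explorer:
        off = autorun_disabled_for(explorer["nodrivetypeautorun"])
        for name in ("removable", "cdrom"):
            if name not in off:
                out.append("autorun still enabled for " + name + " drives")
    return out


# Samples constructed from the FindWPP output in post #23, before and after the fix.
FINDWPP_BEFORE = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\pump.exe \"%1\" %*"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''
FINDWPP_AFTER = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for label, sample in (("before", FINDWPP_BEFORE), ("after", FINDWPP_AFTER)):
        print(label + ":", findings(sample) or ["nothing flagged"])
```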
#25 Oct 20th, 2009
Here's my Win32kDiag log:
Running from: C:\Documents and Settings\Greg Rolls\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Greg Rolls\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Cannot access: C:\WINDOWS\system32\plugie.dll
[1] 2009-10-15 07:02:22 655360 C:\WINDOWS\system32\plugie.dll ()
Cannot access: C:\WINDOWS\system32\pump.exe
[1] 2009-10-15 07:05:09 541696 C:\WINDOWS\system32\pump.exe ()
Finished!
ComboFix is currently running atm, it's just made me reboot because it found the rootkit, which can only be good!
Having said that.... apparently I don't have Microsoft's system restore kit or something installed, so it says it won't attempt the fix of "some serious infections". Hopefully that won't be a problem.
#26 Oct 20th, 2009
ComboFix is currently running atm, it's just made me reboot because it found the rootkit, which can only be good!
Having said that.... apparently I don't have Microsoft's system restore kit or something installed, so it says it won't attempt the fix of "some serious infections". Hopefully that won't be a problem.
Actually, the Trinity Rescue Kit and Avira Tool operate much in the same way as the Recovery Console except TRK is Linux.
-- I realized why FindWPP didn't work properly - LOL - command.com prompt. I had a minor "brain cramp."
Let me know how combofix shakes out - keeping my fingers crossed it completes properly.....

PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
ASAP
#27 Oct 20th, 2009
One ComboFix log:
ComboFix 09-10-19.04 - Greg Rolls 21/10/2009 2:57.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1554 [GMT 1:00]
Running from: c:\documents and settings\Greg Rolls\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1229 [VPS 090103-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Greg Rolls\Application Data\.#
c:\documents and settings\Greg Rolls\Application Data\.#\MBX@1088@3741A8.###
c:\documents and settings\Greg Rolls\Application Data\.#\MBX@1088@3741D8.###
c:\documents and settings\Greg Rolls\Application Data\.#\MBX@1088@374208.###
c:\documents and settings\Greg Rolls\Application Data\.#\MBX@F74@3741A8.###
c:\documents and settings\Greg Rolls\Application Data\.#\MBX@F74@3741D8.###
c:\documents and settings\Greg Rolls\Application Data\.#\MBX@F74@374208.###
c:\documents and settings\Greg Rolls\Application Data\0200000063cdd2e6C.manifest
c:\documents and settings\Greg Rolls\Application Data\0200000063cdd2e6O.manifest
c:\documents and settings\Greg Rolls\Application Data\0200000063cdd2e6P.manifest
c:\documents and settings\Greg Rolls\Application Data\0200000063cdd2e6S.manifest
c:\documents and settings\Greg Rolls\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Greg Rolls\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\program files\Mail.Ru\Agent\Mra\dll\newmrasearch.dll
C:\temp.temp
c:\windows\isicawaj.dll
c:\windows\system\oeminfo.ini
c:\windows\system32\0.3258360179300799.exe
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\nuar.old
c:\windows\system32\plUGie.dll
c:\windows\system32\pump.exe
c:\windows\system32\skynet.dat
c:\windows\system32\wispex.html
c:\windows\wf3.dat
c:\windows\wf4.dat
C:\xcrashdump.dat
Infected copy of c:\windows\system32\drivers\vaxscsi.sys was found and disinfected
Restored copy from - Kitty ate it :^)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ANTIPOL
-------\Legacy_aawserviceAlerter
-------\Service_aawserviceAlerter
((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.
2009-10-15 06:32 . 2009-10-08 10:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-15 06:32 . 2009-10-08 10:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-15 06:32 . 2009-10-08 10:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-15 06:32 . 2009-10-08 10:31 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-15 06:32 . 2009-10-02 13:19 1152470 ----a-w- c:\windows\UDB.zip
2009-10-15 06:32 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip
2009-10-15 06:29 . 2009-09-24 07:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-15 06:29 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-15 06:29 . 2009-09-23 15:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-15 06:29 . 2009-09-03 08:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-15 06:29 . 2009-10-21 02:09 -------- d-----w- c:\program files\Spyware Doctor
2009-10-15 06:29 . 2009-10-15 06:32 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-15 06:29 . 2009-10-15 06:29 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\PC Tools
2009-10-15 06:29 . 2009-10-15 06:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-15 06:29 . 2009-10-21 02:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-15 06:09 . 2009-10-15 06:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-15 06:03 . 2009-10-20 23:34 0 ----a-w- c:\windows\Ohamozu.bin
2009-10-15 06:03 . 2009-10-15 06:03 120 ----a-w- c:\windows\Sboqomatumoye.dat
2009-10-15 06:03 . 2009-10-15 06:03 -------- d-----w- c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}
2009-10-15 06:01 . 2009-10-15 06:03 131731 ----a-w- c:\windows\system32\dbsinit.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 02:12 . 2005-04-30 11:27 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-10-21 02:10 . 2005-01-13 15:40 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-00000006-00001102-00000004-20021102}.dat
2009-10-21 02:10 . 2005-01-13 15:40 384 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-00000006-00001102-00000004-20021102}.dat
2009-10-21 01:50 . 2009-04-03 17:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\DNA
2009-10-20 23:51 . 2009-04-03 17:16 -------- d-----w- c:\program files\DNA
2009-10-13 20:00 . 2005-07-06 22:17 -------- d-----w- c:\program files\World of Warcraft
2009-10-12 18:33 . 2009-04-03 17:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\BitTorrent
2009-10-10 00:28 . 2005-05-15 13:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\Skype
2009-10-06 13:45 . 2005-01-27 22:34 -------- d-----w- c:\program files\mIRC
2009-09-16 02:20 . 2009-10-15 06:29 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-15 22:05 . 2005-02-05 04:51 28160 ----a-w- c:\documents and settings\Greg Rolls\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-15 22:04 . 2009-09-15 22:04 -------- d-----w- c:\program files\Microsoft
2009-09-15 22:04 . 2009-09-15 22:03 -------- d-----w- c:\program files\Windows Live
2009-09-15 22:04 . 2009-09-15 22:04 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-15 22:02 . 2009-09-15 22:02 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-15 05:20 . 2009-10-15 06:29 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-09-15 01:12 . 2009-10-15 06:29 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-09-15 00:01 . 2009-10-15 06:29 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-08-31 17:32 . 2009-08-31 17:29 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\Mra
2009-08-31 17:29 . 2009-08-31 17:29 -------- d-----w- c:\program files\Mail.Ru
2009-08-28 09:26 . 2009-08-28 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2002-11-19 15:01 . 2005-03-02 02:29 28672 ----a-w- c:\program files\opera\program\plugins\PlugDef.dll
2004-08-04 12:00 . 2004-08-04 12:00 165988 --sha-r- c:\windows\system32\ptdtaqc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]
[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"AIM"="c:\program files\AIM\aim.exe" [2004-08-10 61440]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-08-25 23090984]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-03 321344]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 339968]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-05-26 100056]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"DeadAIM"="c:\program files\AIM\\DeadAIM.ocm" [2004-02-23 144896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-02-10 473920]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"wltray.exe"="c:\windows\system32\wltray.exe" [2005-01-29 696422]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-08-31 7975608]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-03-23 58992]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"PtiuPbmd"="ptipbm.dll" - c:\windows\system32\ptipbm.dll [2003-01-15 24576]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-10-06 24576]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-06-08 29696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-1-13 581632]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-6-22 118784]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wiplrax.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\broadband medic.lnk
backup=c:\windows\pss\broadband medic.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\KCeasy\\giFT\\giFTl.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1134:TCP"= 1134:TCP:fwoyzic
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/10/2009 07:29 207280]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/11/2008 21:33 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/11/2008 21:33 20560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [15/10/2009 07:32 112592]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [13/01/2005 16:33 15840]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/10/2009 07:29 358600]
S2 sekvhtb;Security System;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys --> c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys [?]
S3 rzwrcfbg;rzwrcfbg;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - PCTSDInjDriver32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sekvhtb
.
Contents of the 'Scheduled Tasks' folder
2009-10-09 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Greg Rolls.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2004-08-30 11:20]
2009-10-20 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-01-13 12:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/broadband
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
LSP: c:\program files\Secure Surfing Engine\sselsp.dll
FF - ProfilePath - c:\documents and settings\Greg Rolls\Application Data\Mozilla\Firefox\Profiles\gzs7vvqp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Opera\Program\Plugins\np32dsw.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nprjplug.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nprpjplug.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: XULRunner: {BA329704-D034-4EA0-8960-07CA256C9EA2} - c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-SIAPRO7 - c:\program files\Steganos Internet Anonym Pro 7\SIAPRO7.exe
HKLM-Run-Gtigu - c:\windows\isicawaj.dll
HKU-Default-RunOnce-SIAPRO7 - c:\program files\Steganos Internet Anonym Pro 7\SIAPRO7.exe
Notify-20a6ac88448 - c:\windows\System32\hal32.dll
Notify-__c0037439 - c:\windows\system32\__c0037439.dat
AddRemove-Warhammer Online: Age of Reckoning_is1 - c:\warhammer online - age of reckoning\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 03:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rzwrcfbg]
"ImagePath"="\??\c:\windows\system32\02.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sekvhtb]
"ServiceDll"="c:\windows\system32\ptdtaqc.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(768)
c:\windows\wiplrax.dll
c:\program files\Secure Surfing Engine\sselsp.dll
- - - - - - - > 'explorer.exe'(4344)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\progra~1\ntl\BROADB~1\SMARTB~1\SBHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\wiplrax.dll
c:\windows\system32\ctagent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\combo-fix\CF14267.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-21 3:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-21 02:26
Pre-Run: 8,806,871,040 bytes free
Post-Run: 9,052,086,272 bytes free
- - End Of File - - E4F8CE2968366562121878589EB55D56

The machine still doesn't seem right, though :/.
2009-09-15 22:04 . 2009-09-15 22:04 -------- d-----w- c:\program files\Microsoft
2009-09-15 22:04 . 2009-09-15 22:03 -------- d-----w- c:\program files\Windows Live
2009-09-15 22:04 . 2009-09-15 22:04 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-15 22:02 . 2009-09-15 22:02 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-15 05:20 . 2009-10-15 06:29 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-09-15 01:12 . 2009-10-15 06:29 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-09-15 00:01 . 2009-10-15 06:29 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-08-31 17:32 . 2009-08-31 17:29 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\Mra
2009-08-31 17:29 . 2009-08-31 17:29 -------- d-----w- c:\program files\Mail.Ru
2009-08-28 09:26 . 2009-08-28 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2002-11-19 15:01 . 2005-03-02 02:29 28672 ----a-w- c:\program files\opera\program\plugins\PlugDef.dll
2004-08-04 12:00 . 2004-08-04 12:00 165988 --sha-r- c:\windows\system32\ptdtaqc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]
[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"AIM"="c:\program files\AIM\aim.exe" [2004-08-10 61440]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-08-25 23090984]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-03 321344]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 339968]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-05-26 100056]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"DeadAIM"="c:\program files\AIM\\DeadAIM.ocm" [2004-02-23 144896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-02-10 473920]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"wltray.exe"="c:\windows\system32\wltray.exe" [2005-01-29 696422]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-08-31 7975608]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-03-23 58992]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"PtiuPbmd"="ptipbm.dll" - c:\windows\system32\ptipbm.dll [2003-01-15 24576]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-10-06 24576]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-06-08 29696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-1-13 581632]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-6-22 118784]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wiplrax.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\broadband medic.lnk
backup=c:\windows\pss\broadband medic.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\KCeasy\\giFT\\giFTl.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1134:TCP"= 1134:TCP:fwoyzic
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/10/2009 07:29 207280]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/11/2008 21:33 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/11/2008 21:33 20560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [15/10/2009 07:32 112592]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [13/01/2005 16:33 15840]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/10/2009 07:29 358600]
S2 sekvhtb;Security System;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys --> c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys [?]
S3 rzwrcfbg;rzwrcfbg;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - PCTSDInjDriver32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sekvhtb
.
Contents of the 'Scheduled Tasks' folder
2009-10-09 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Greg Rolls.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2004-08-30 11:20]
2009-10-20 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-01-13 12:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/broadband
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
LSP: c:\program files\Secure Surfing Engine\sselsp.dll
FF - ProfilePath - c:\documents and settings\Greg Rolls\Application Data\Mozilla\Firefox\Profiles\gzs7vvqp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Opera\Program\Plugins\np32dsw.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nprjplug.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nprpjplug.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: XULRunner: {BA329704-D034-4EA0-8960-07CA256C9EA2} - c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-SIAPRO7 - c:\program files\Steganos Internet Anonym Pro 7\SIAPRO7.exe
HKLM-Run-Gtigu - c:\windows\isicawaj.dll
HKU-Default-RunOnce-SIAPRO7 - c:\program files\Steganos Internet Anonym Pro 7\SIAPRO7.exe
Notify-20a6ac88448 - c:\windows\System32\hal32.dll
Notify-__c0037439 - c:\windows\system32\__c0037439.dat
AddRemove-Warhammer Online: Age of Reckoning_is1 - c:\warhammer online - age of reckoning\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 03:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rzwrcfbg]
"ImagePath"="\??\c:\windows\system32\02.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sekvhtb]
"ServiceDll"="c:\windows\system32\ptdtaqc.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(768)
c:\windows\wiplrax.dll
c:\program files\Secure Surfing Engine\sselsp.dll
- - - - - - - > 'explorer.exe'(4344)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\progra~1\ntl\BROADB~1\SMARTB~1\SBHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\wiplrax.dll
c:\windows\system32\ctagent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\combo-fix\CF14267.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-21 3:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-21 02:26
Pre-Run: 8,806,871,040 bytes free
Post-Run: 9,052,086,272 bytes free
- - End Of File - - E4F8CE2968366562121878589EB55D56

The machine still doesn't seem right, though :/.
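As an added example (not a ComboFix feature and not code from anyone in this thread), the Python script below walks the registry and service lines of a log like the one above and flags the indicators a helper looks for first: the extra LSA notification package, the disabled firewall and Security Center monitoring, the globally opened port, the svchost-hosted service together with its ServiceDll, and a driver loaded from a .tmp file. The sample lines are copied from the log posted above; the heuristics, severities and category names are assumptions of this example.

```python
"""Triage the registry/service sections of a ComboFix-style log (added example, assumed heuristics)."""
import re

# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wiplrax.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1134:TCP"= 1134:TCP:fwoyzic
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/10/2009 07:29 207280]
S2 sekvhtb;Security System;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 rzwrcfbg;rzwrcfbg;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sekvhtb]
"ServiceDll"="c:\windows\system32\ptdtaqc.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                                      # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                         # "name"=data
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: \[.*)?$")  # R2 name;display;path [...]
DEFAULT_LSA_PACKAGES = {"scecli"}  # assumption: the only default LSA notification package on XP


def triage(log_text):
    """Return (severity, category, detail) tuples for the suspicious entries found."""
    findings = []
    current_key = ""
    hosted = {}  # service name -> svchost group, for services that run inside svchost.exe
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current_key = m.group(1).lower()
        elif line.startswith("Notification Packages"):
            # Extra LSA notification packages are loaded into lsass.exe and see credential changes.
            for pkg in line.split()[3:]:
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(("high", "lsa_notification_package", pkg))
        elif (m := SERVICE_RE.match(line)):
            _state, name, _display, path = m.groups()
            low = path.lower()
            if "svchost.exe -k" in low:
                hosted[name.lower()] = low.split("-k", 1)[1].strip()
            if low.endswith(".tmp") or "\\temp\\" in low:  # driver/service image in a scratch location
                findings.append(("high", "service_from_temp_path", f"{name}: {path}"))
        elif (m := VALUE_RE.match(line)):
            vname, vdata = m.group(1), m.group(2).strip()
            if vname == "DisableMonitoring" and vdata.endswith("1"):
                findings.append(("medium", "security_center_monitoring_disabled", current_key))
            elif vname == "EnableFirewall" and vdata.startswith("0"):
                findings.append(("medium", "firewall_disabled", current_key))
            elif current_key.endswith("globallyopenports\\list"):
                findings.append(("medium", "globally_open_port", vdata))
            elif vname == "ServiceDll":
                svc = current_key.rsplit("\\", 1)[-1]
                if svc in hosted:  # for a svchost-hosted service the DLL is the code that actually runs
                    dll = vdata.strip('"')
                    findings.append(("high", "svchost_hosted_servicedll", f"{svc} ({hosted[svc]}): {dll}"))
    return findings


if __name__ == "__main__":
    for severity, category, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {category}: {detail}")
```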
0
#28 Oct 21st, 2009
One ComboFix log:
The machine still doesn't seem right, though :/.

But - you are starting to make good progress!
-- Let's restart eventlog.
Command prompt: type sc config "eventlog" start= auto ENTER
Don't reboot - just leave it for now.
-- Are you able to now download programs to the ill compy?
If so, please do this:
--- Download and run MBAM as per Step #8 in the linky below:
http://www.daniweb.com/forums/thread134865.html
Make sure to remove all it finds and post me the log.
THEN:
--- DELETE your current copy of combofix.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/comb...o-use-combofix
You should not need to rename it this time and it should be able to install Recovery Console.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!
Post me that log as well and we'll see where that leaves us.
Cheers

PP
Last edited by PhilliePhan; Oct 21st, 2009 at 1:41 am. Reason: The Usual. . . .
0
#29 Oct 21st, 2009
Ok, I've restarted eventlog. But I've got a problem. Currently I'm using the same cable modem for internet on both the laptop and the ill tower PC, just switching the cables and rebooting the modem. At the moment, though, it doesn't want to work and give me internet on the tower. I've got a suspicion that I'll have to reboot for it to work.
I haven't done anything yet, haven't restarted. I could download MBAM on this laptop and transfer it via flash drive, I guess, but I'll just leave the tower ticking over for now.
0
#30 Oct 21st, 2009
I haven't done anything yet, haven't restarted. I could download MBAM on this laptop and transfer it via flash drive, I guess, but I'll just leave the tower ticking over for now.
Be sure to have it remove all it finds.
Then, Reboot.
Then see if you can access internet and DL a fresh combofix on ill compy and install recovery console and run combofix.
If no joy, then we'll install recovery console manually. No worries.
How are you holding up? Not too frustrated, I hope....
I will say this - If you have your Windows disk, I would still recommend a reformat after we clean the machine and you are able to pull your important data off somewhat safely. We can probably get it back and running in pretty good shape, but infestations such as this one can leave a system a bit unstable and you can never really trust that the machine is secure.
I do enjoy the challenge posed by a particularly nasty piece of malware, but if it were my machine, that is what I'd do........
Post me that MBAM log and let me know how you fare with the rest.
I'll be home in about 4 hours to check back in.
PP
Last edited by PhilliePhan; Oct 21st, 2009 at 4:43 pm. Reason: Nothing Important