I could not upload 3 notepad files, so I uploaded 2 and copied & pasted 2 here.
The second one is Active Scan.
ComboFix 07-10-03.8 - Ali 2007-10-03 14:35:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1083 [GMT -7:00]
Running from: C:\Documents and Settings\TEMP\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
.
((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))
.
2007-10-03 14:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-02 22:42 <DIR> d-------- C:\Documents and Settings\***\Application Data\Real
2007-10-02 20:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-02 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-02 19:01 2,126 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-02 19:00 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-02 19:00 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-02 19:00 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-02 19:00 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-02 19:00 25,088 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-02 18:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-02 17:23 <DIR> d-------- C:\Deckard
2007-09-28 17:40 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Xfire
2007-09-28 15:03 <DIR> d-------- C:\Program Files\Flagship Studios
2007-09-26 07:30 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Download Manager
2007-09-25 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2007-09-25 15:21 <DIR> d-------- C:\Program Files\Microsoft Games
2007-09-17 22:09 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-09-17 22:09 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-09-17 22:09 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-09-15 02:21 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-09-15 02:21 <DIR> d-------- C:\WINDOWS\system32\windows media
2007-09-15 02:20 <DIR> d-------- C:\Program Files\Windows Media Components
2007-09-03 07:42 674,600 --a------ C:\WINDOWS\system32\pbsvc(2).exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-03 14:28 --------- d-------- C:\Program Files\Warcraft III
2007-10-03 09:51 --------- d-------- C:\Program Files\World of Warcraft
2007-10-02 22:51 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-02 22:49 103736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-10-02 22:35 674600 --a------ C:\WINDOWS\system32\pbsvc.exe
2007-10-02 22:35 66872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-10-02 22:35 22328 --a------ C:\Documents and Settings\TEMP\Application Data\PnkBstrK.sys
2007-10-02 19:36 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-02 02:31 --------- d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-02 02:30 --------- d-------- C:\Program Files\Fraps
2007-09-28 17:57 --------- d---s---- C:\Program Files\Xfire
2007-09-28 17:30 --------- d-------- C:\Program Files\LimeWire
2007-09-28 17:28 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-28 17:26 --------- d-------- C:\Program Files\Common Files\AOL
2007-09-28 17:26 --------- d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-09-28 15:00 --------- d-------- C:\Program Files\QuickTime
2007-09-28 14:57 --------- d-------- C:\Program Files\Diablo II
2007-09-27 17:07 --------- d-------- C:\Documents and Settings\TEMP\Application Data\OpenOffice.org2
2007-09-26 17:58 --------- d-------- C:\Program Files\XoftSpySE
2007-09-24 12:34 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-21 12:28 --------- d-------- C:\Documents and Settings\TEMP\Application Data\LimeWire
2007-09-04 00:05 --------- d-------- C:\Program Files\Project64 1.6
2007-09-02 00:35 --------- d-------- C:\Documents and Settings\TEMP\Application Data\Viewpoint
2007-09-01 15:36 --------- d-------- C:\Program Files\Viewpoint
2007-09-01 15:36 --------- d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-01 15:34 --------- d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-08-31 04:14 --------- d-------- C:\Program Files\Steam
2007-08-27 23:50 --------- d-------- C:\Program Files\The Sir. Community
2007-08-27 23:49 --------- d-------- C:\Program Files\BitTorrent
2007-08-27 23:46 --------- d-------- C:\Documents and Settings\TEMP\Application Data\DMCache
2007-08-27 21:28 --------- d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2007-08-27 21:24 --------- d-------- C:\Documents and Settings\TEMP\Application Data\Leadertech
2007-08-27 21:23 --------- d-------- C:\Program Files\epson
2007-08-27 21:22 --------- d-------- C:\Program Files\ArcSoft
2007-08-25 03:01 --------- d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-24 20:15 36864 --a------ C:\WINDOWS\system32\dxinputdll.dll
2007-08-24 20:15 --------- d-------- C:\Documents and Settings\TEMP\Application Data\KALiNKOsoft
2007-08-12 13:22 --------- d-------- C:\Program Files\Logitech
2007-08-12 13:22 --------- d-------- C:\Program Files\Common Files\Logitech
2007-08-09 14:25 --------- d-------- C:\Documents and Settings\TEMP\Application Data\teamspeak2
2007-08-07 23:13 --------- d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-08-07 07:33 --------- d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2007-08-07 01:20 --------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-12 00:12 81920 --a------ C:\WINDOWS\system32\frapsvid.dll
2007-07-04 22:54 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-07-04 22:54 249856 --------- C:\WINDOWS\Setup1.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotplug"="C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe" [2005-05-05 21:10]
"SiSRaid"="C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2005-05-18 15:44]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 11:11]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-11-18 11:16]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-07-16 02:09]
"nwiz"="nwiz.exe" [2005-07-16 02:09 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-07-16 02:09]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 01:51]
"Launch Ai Booster"="C:\Program Files\ASUS\Ai Booster\OverClk.exe" [2005-08-04 15:24]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-11 16:14]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" [2004-09-23 14:41]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-02 19:45]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"EPSON Stylus CX6000 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.exe" [2006-10-18 04:01]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-09-12 15:24:32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-20 12:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^TEMP^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=C:\Documents and Settings\TEMP\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.1.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
"C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\DRIVERS\SiSRaid2.sys
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe"
R3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 cdspacex;cdspacex;C:\WINDOWS\system32\DRIVERS\CDSPACEX.sys
S3 Dua1;Dua1;\??\C:\Documents and Settings\Ali\Desktop\Duel Engine\DualEngi.sys
S3 geebers12;geebers12;\??\C:\Documents and Settings\TEMP\Desktop\Sago's Hack Pack .38 III\Xterminator.sys
S3 kaspersky1;kaspersky1;\??\C:\Documents and Settings\TEMP\Desktop\s Hack Pack II\Sago's Hack Pack II\kaspersky.sys
S3 KIKIDRIVER;KIKIDRIVER;\??\C:\Documents and Settings\TEMP\Desktop\Kiki_Engine_1.41__Unpacked_\Kiki Engine 1.41 [Unpacked]\kiki.sys
S3 saruenGang;saruenGang;\??\C:\Documents and Settings\Ali\Desktop\saruengang103\saruenGang.sys
S3 sejt1;sejt1;\??\C:\AkumaEngine33\Applications\sejt.sys
S3 spuce1;spuce1;\??\C:\Documents and Settings\TEMP\Desktop\Spuc3ngine\Spuc3nginef\spuce.sys
S3 TSHAK3T1;TSHAK3T1;\??\C:\Documents and Settings\TEMP\Desktop\Revolution_Engine_3.3\Revolution Engine 3.3\spuce.sys
S3 TwoRabts;Two Rabbits Live Bus;C:\WINDOWS\system32\DRIVERS\TwoRabts.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 uzeil1;uzeil1;\??\C:\Documents and Settings\TEMP\Desktop\Mini_Engine\Mini Engine\Mini Engine\uzeil.sys
S3 zenos1;zenos1;\??\C:\Documents and Settings\Ali\Desktop\ZEnos\zenos.sys
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-29 22:03:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-03 20:29:21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D8798ACA-0D7E-4C58-BE6A-B9613ACB5DE9}.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-10-03 14:38:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-03 14:39:28
C:\ComboFix-quarantined-files.txt ... 2007-10-03 14:38
.
--- E O F ---
SmitFraudFix v2.235
Scan done at 15:13:32.84, Wed 10/03/2007
Run from C:\Documents and Settings\TEMP\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\TEMP
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\TEMP\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\TEMP\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Linksys Wireless-G USB Network Adapter
DNS Server Search Order: 68.237.161.12
DNS Server Search Order: 71.243.0.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A0AEA807-1A32-49F2-972E-50E994A7CEBE}: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A0AEA807-1A32-49F2-972E-50E994A7CEBE}: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A0AEA807-1A32-49F2-972E-50E994A7CEBE}: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.237.161.12 71.243.0.12
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:47 PM, on 10/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 80.69.94.166 gameguard.mapleglobal.com
O1 - Hosts: 80.69.94.166 63.251.217.184
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Hotplug] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S1A1.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1168700121033
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1168700109924
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.2.1.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 7148 bytes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Incident Status Location
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[adserver.filefront.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.overture.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.zedo.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.atwola.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rpia0afj.default\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ali\Cookies\ali@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ali\Cookies\ali@atdmt[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Ali\Cookies\ali@fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Ali\Cookies\ali@mediaplex[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Ali\Cookies\ali@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ali\Cookies\ali@zedo[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\5jgriron.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\5jgriron.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\TEMP\Cookies\ali@adrevolver[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\TEMP\Cookies\ali@atdmt[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\TEMP\Cookies\ali@fastclick[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\TEMP\Cookies\ali@media.adrevolver[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\TEMP\Cookies\ali@tribalfusion[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\TEMP\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\TEMP\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\TEMP\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\TEMP\Desktop\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\TEMP\Desktop\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Potentially unwanted tool:Application/RealSpy Not disinfected C:\WINDOWS\system32\actskn45.ocx
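An added triage script for the logs posted above. It is not part of ComboFix, SmitFraudFix, HijackThis or Panda ActiveScan; it only automates two checks a reviewer would otherwise do by eye on this thread: ComboFix service lines (`S3 name;description;\??\path.sys`) whose kernel driver image lives under a user profile or desktop rather than under the Windows directory, and HijackThis `O1 - Hosts:` entries that point a name at a non-local address (or map one IP literal to another). The sample lines are copied from the logs above; the list of "user-writable" path markers is this example's own assumption, not something the tools report.

```python
"""Triage helpers for ComboFix service lines and HijackThis O1 hosts lines.

Added example for this thread; not code from any of the tools above.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption of this example: paths containing these markers are writable by
# the logged-on user, so a kernel driver (.sys) registered from there was not
# installed the way vendor drivers normally are (under %SystemRoot%\system32\drivers).
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\users\\",
    "\\desktop\\",
    "\\temp\\",
    "\\application data\\",
)

# ComboFix service/driver line: "<R|S><type> <name>;<description>;<image path>"
SERVICE_RE = re.compile(r"^(?P<start>[RS])(?P<type>\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.+)$")
# HijackThis hosts-file entry: "O1 - Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")


@dataclass
class Finding:
    kind: str    # driver_user_path | hosts_redirect | hosts_ip_literal
    name: str    # service name or hosts-file name
    detail: str


def normalize_image_path(image: str) -> str:
    """Reduce a ComboFix image field to the bare executable/driver path."""
    image = image.strip()
    if image.startswith('"'):
        image = image[1:].split('"', 1)[0]   # quoted path, arguments may follow
    if image.startswith("\\??\\"):
        image = image[4:]                    # NT object-manager prefix on driver paths
    return image


def check_service_line(line: str):
    """Return findings for one service line, [] if clean, None if not a service line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    image = normalize_image_path(m.group("image"))
    lowered = image.lower()
    findings = []
    if lowered.endswith(".sys") and any(mark in lowered for mark in USER_WRITABLE_MARKERS):
        findings.append(Finding("driver_user_path", m.group("name"),
                                f"{m.group('start')}{m.group('type')} loads kernel driver from {image}"))
    return findings


def check_hosts_line(line: str):
    """Return findings for one O1 line, [] if clean, None if not an O1 line."""
    m = HOSTS_RE.match(line.strip())
    if not m:
        return None
    ip, host = m.group("ip"), m.group("host")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return []   # not an address we can reason about; leave for manual review
    findings = []
    # 127.0.0.1 / 0.0.0.0 entries are the usual ad-blocking pattern; anything
    # else silently sends traffic for `host` to a third-party machine.
    if not (addr.is_loopback or addr.is_unspecified):
        findings.append(Finding("hosts_redirect", host, f"resolves to {ip} via hosts file"))
    try:
        ipaddress.ip_address(host)
        # A hosts entry keyed by an IP literal never matches a DNS lookup;
        # it is a tell-tale of a tool writing the file rather than a person.
        findings.append(Finding("hosts_ip_literal", host, f"IP literal mapped to {ip}"))
    except ValueError:
        pass
    return findings


def triage(lines):
    """Run both checks over a list of log lines and collect the findings."""
    out = []
    for line in lines:
        for checker in (check_service_line, check_hosts_line):
            result = checker(line)
            if result:
                out.extend(result)
    return out


# Sample input: lines copied from the ComboFix and HijackThis logs in this thread.
SAMPLE_LOG = r"""
R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\DRIVERS\SiSRaid2.sys
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe"
S3 geebers12;geebers12;\??\C:\Documents and Settings\TEMP\Desktop\Sago's Hack Pack .38 III\Xterminator.sys
S3 kaspersky1;kaspersky1;\??\C:\Documents and Settings\TEMP\Desktop\s Hack Pack II\Sago's Hack Pack II\kaspersky.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
O1 - Hosts: 80.69.94.166 gameguard.mapleglobal.com
O1 - Hosts: 80.69.94.166 63.251.217.184
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.name:28} {f.detail}")
```

Run against the full ComboFix and HijackThis logs, the first check picks out every `S3` driver registered from a `Desktop\...` folder in this thread, while vendor drivers under `C:\WINDOWS\system32\DRIVERS` stay quiet; the second check flags both `O1` lines, since neither maps to a loopback address. The script only reports what the log already states; deciding whether a given entry is hostile still takes a human looking at the files.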