Re: Trojan Horse PSW.OnlineGames.IBA

ComboFix 08-01-23.2 - Owner 2008-01-24 0:42:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1107 [GMT 8:00]
Running from: C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\internet.exe
C:\WINDOWS\system32\update.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-24 00:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 16:37 . 2008-01-22 16:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 21:23 . 2008-01-14 21:23 <DIR> d-------- C:\Deckard
2008-01-14 17:47 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-14 17:28 . 2008-01-14 18:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-14 17:28 . 2008-01-14 17:28 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-14 17:28 . 2008-01-14 17:28 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-14 17:28 . 2008-01-14 17:28 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-13 16:44 . 2008-01-13 16:44 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-01-12 13:10 . 2008-01-12 13:10 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-12 13:07 . 2008-01-12 13:07 86,144 --a------ C:\WINDOWS\system32\drivers\wmilibb.sys
2008-01-12 13:07 . 2008-01-24 00:47 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 08:38 --------- d-----w C:\Program Files\Lavasoft
2008-01-14 10:40 --------- d-----w C:\Program Files\PowerISO
2008-01-14 10:39 --------- d-----w C:\Program Files\MSN Messenger
2008-01-14 10:39 --------- d-----w C:\Program Files\MagicISO
2008-01-14 10:37 --------- d-----w C:\Program Files\iTunes
2008-01-14 10:27 --------- d-----w C:\Program Files\Bonjour
2008-01-13 08:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 08:44 --------- d-----w C:\Program Files\Macromedia
2008-01-03 18:21 --------- d-----w C:\Program Files\New Folder
2007-12-17 16:04 --------- d-----w C:\Program Files\VideoLAN
2007-12-14 03:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-29 06:20 --------- d-----w C:\Program Files\LimeWire
2007-11-27 12:56 --------- d-----w C:\Program Files\BitComet
2007-11-20 13:10 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-07 09:50 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 09:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-04-20 16:39 1,568,211 ----a-w C:\Program Files\war3.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-07 10:32 23395368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-10-16 02:49 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-06-14 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-06-14 20:00 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10 335872]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-26 02:00 191488]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"AME_CSA"="amecsa.cpl" [2003-01-30 11:46 757760 C:\WINDOWS\system32\AmeCSA.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-12 13:09 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 13:10 219136]

R1 wmilibb;wmilibb;C:\WINDOWS\system32\drivers\wmilibb.sys [2008-01-12 13:07]
R3 AmeAtmPc;AmeAtmPc;C:\WINDOWS\system32\DRIVERS\AmeAtmPc.sys [2002-10-28 12:17]
S3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2005-06-14 20:00]
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2005-06-14 20:00]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;C:\WINDOWS\system32\ZDBRGSYS.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10782efe-6793-11dc-9d5c-00c0a8a3a3b3}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 05:37:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 00:47:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-01-24 04:53
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/01/2008
Kaspersky Anti-Virus database records: 528211
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 132447
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:58:54

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temp\fla72E.tmp Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1C0EE078-AB9A-4842-A48A-641C2B0015B0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\wmilibb.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped

Scan process completed.


Hmmm. After turning off my anti-virus software and scanning with ComboFix, an additional Internet Explorer icon was created on my desktop and System Restore was turned off; I dealt with both right afterwards (deleted the icon and changed the System Restore setting back). Random pop-ups are still a problem. Note that the log above still lists C:\WINDOWS\system32\drivers\wmilibb.sys loaded as an R1 driver and reports that C:\WINDOWS\system32\drivers\core.cache.dsk "failed to delete" (both are also shown as locked in the Kaspersky scan), so the infection does not look fully removed yet.

Thanks! :)