Old 08-08-2008, 10:14 AM   #13 (permalink)
ferrarilover


Re: IE Pop-ups - Malware

Hi there,
Here is the new log text file:


ComboFix 08-08-08.02 - Ken Wong 2008-08-09 0:09:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.177 [GMT 8:00]
Running from: C:\Documents and Settings\Ken Wong\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ken Wong\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\7QyLIJJC.exe
C:\WINDOWS\system32\7QyLIJJC.exe.a_a
C:\WINDOWS\system32\j3I5TrWw.exe
C:\WINDOWS\system32\j3I5TrWw.exe.a_a
F:\Secret.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\7QyLIJJC.exe
C:\WINDOWS\system32\7QyLIJJC.exe.a_a
C:\WINDOWS\system32\j3I5TrWw.exe
C:\WINDOWS\system32\j3I5TrWw.exe.a_a

.
((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-06 11:15 . 2008-08-06 11:15 <DIR> d-------- C:\Backup
2008-08-05 17:51 . 2008-08-05 17:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 17:42 . 2008-08-05 17:42 <DIR> d-------- C:\Deckard
2008-08-05 17:27 . 2008-08-05 17:29 <DIR> d-------- C:\ie-spyad_zo
2008-08-05 17:19 . 2008-08-05 17:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-05 17:18 . 2008-08-05 17:21 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-05 15:08 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-05 15:07 . 2008-08-05 15:07 <DIR> d-------- C:\Program Files\Panda Security
2008-08-02 23:43 . 2008-08-02 23:51 <DIR> d-------- C:\Documents and Settings\Ken Wong\Application Data\HouseCall 6.6
2008-08-02 23:17 . 2008-08-04 09:03 <DIR> d-------- C:\Documents and Settings\Ken Wong\.housecall6.6
2008-08-02 22:02 . 2008-08-02 22:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-02 22:02 . 2003-03-19 05:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-08-02 21:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-02 21:55 . 2008-08-02 21:56 <DIR> d-------- C:\Program Files\Java
2008-08-02 21:55 . 2008-08-02 21:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-28 23:58 . 2008-07-28 23:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-28 23:58 . 2008-07-28 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-28 23:57 . 2008-07-28 23:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 13:54 . 2008-07-22 13:58 <DIR> d-------- C:\tmp
2008-07-15 16:29 . 2008-07-15 16:29 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-14 21:15 . 2008-07-14 21:15 <DIR> d-------- C:\Games
2008-07-10 10:14 . 2008-07-10 10:14 <DIR> d-------- C:\Documents and Settings\Ken Wong\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 09:26 --------- d-----w C:\Program Files\Valve
2008-08-02 15:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-02 10:20 --------- d-----w C:\Program Files\SopCast
2008-08-02 10:16 --------- d-----w C:\Program Files\a-squared Free
2008-07-31 15:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-22 04:22 --------- d-----w C:\Documents and Settings\Ken Wong\Application Data\AVG7
2008-05-16 03:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 21:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 21:10 339968]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:32 86016]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-10-07 19:44 610304]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 18:04 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-01 15:53 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-11 19:54 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-11 23:06 219136]

C:\Documents and Settings\Ken Wong\Start Menu\Programs\Startup\
qlock.lnk - C:\Program Files\Qlock\qlock.exe [2007-12-18 17:42:38 4158464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 06:55 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-11 19:54 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 20:01]
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 00:10:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-08-09 0:12:10
ComboFix-quarantined-files.txt 2008-08-08 16:11:56
ComboFix2.txt 2008-08-07 01:53:24

Pre-Run: 49,694,035,968 bytes free
Post-Run: 49,983,594,496 bytes free

126 --- E O F --- 2008-04-09 17:10:26