Thread: Infected with Antivirus Master and others
View Single Post
Old 08-15-2008, 08:12 AM   #6 (permalink)
Faith
Registered User
 
Join Date: Nov 2004
Location: England
Posts: 147
OS: XP


Send a message via ICQ to Faith
Re: Infected with Antivirus Master and others
Thank you very much for the reply. I carried out your instructions and the new log is below:

ComboFix 08-08-14.03 - Emma 2008-08-15 14:57:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.532 [GMT 1:00]
Running from: C:\Documents and Settings\Emma\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Emma\Application Data\macromedia\Flash Player\#SharedObjects\DVC8C2LV\interclick.com
C:\Documents and Settings\Emma\Application Data\macromedia\Flash Player\#SharedObjects\DVC8C2LV\interclick.com\ud.sol
C:\Documents and Settings\Emma\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Emma\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\7.exe
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\WINDOWS\system32\lmjsuhsy.ini
C:\WINDOWS\system32\NqqXIkkj.ini
C:\WINDOWS\system32\NqqXIkkj.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-13 11:53 . 2008-05-01 15:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-10 21:00 . 2008-08-10 21:00 <DIR> d-------- C:\Program Files\Red Kawa
2008-08-10 21:00 . 2008-08-10 21:00 38 --a------ C:\WINDOWS\avisplitter.INI
2008-08-03 10:52 . 2008-08-03 10:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-02 15:13 . 2008-08-02 15:13 0 --a------ C:\WINDOWS\vpc32.INI
2008-08-02 14:04 . 2008-08-02 14:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-02 14:00 . 2008-08-02 14:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 13:24 . 2008-08-02 13:27 456 --a------ C:\WINDOWS\wininit.ini
2008-08-02 11:27 . 2008-08-01 08:13 120,320 --a------ C:\WINDOWS\system32\avm.cpl
2008-07-31 12:31 . 2008-07-31 12:47 27,648 --a------ C:\Unfair Business Practices of Debt Collection Firms Called to Account.doc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 14:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-08-15 13:53 --------- d-----w C:\Documents and Settings\Emma\Application Data\skypePM
2008-08-15 13:53 --------- d-----w C:\Documents and Settings\Emma\Application Data\Skype
2008-08-15 13:43 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-15 13:34 --------- d-----w C:\Documents and Settings\Emma\Application Data\uTorrent
2008-08-15 10:57 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-02 23:21 --------- d-----w C:\Program Files\CleanUp!
2008-08-02 13:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-31 09:03 --------- d-----w C:\Documents and Settings\Emma\Application Data\Joost
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-22 12:09 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
2007-12-20 13:28 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 17:46 1460560]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-11-27 12:58 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hcontrol"="C:\WINDOWS\ATK0100\Hcontrol.exe" [2004-07-19 08:05 61440]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 06:51 184320]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 15:12 32768]
"VAIO Update 3"="C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe" [2007-01-25 21:41 546936]
"Switcher.exe"="C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 13:11 176128]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 16:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 13:30 85184]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-17 01:05 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 10:41 282624]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 01:05 200704]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 16:52 240112]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 04:44 113136]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 17:21 169328]
"EPSON Stylus C82 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE" [2003-10-15 04:02 99840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"EPSON Stylus C82 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE" [2003-10-15 04:02 99840]
"EPSON Stylus C46 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE" [2004-01-14 03:00 99840]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 19:43 69632 C:\WINDOWS\ALCMTR.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup1"="C:\WINDOWS\system32\advpack.dll" [2008-06-23 17:57 124928]
"wextract_cleanup0"="C:\WINDOWS\system32\advpack.dll" [2008-06-23 17:57 124928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\Emma\Start Menu\Programs\Startup\
Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-05-15 19:13:10 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-09-23 16:24 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16644:TCP"= 16644:TCP:BitComet 16644 TCP
"16644:UDP"= 16644:UDP:BitComet 16644 UDP

R2 Basics Service;Basics Service;C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-10-09 17:21]
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2001-08-17 13:51]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 16:53]
S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 16:52]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 16:52]
S2 SessionLauncher;SessionLauncher;C:\DOCUME~1\Emma\LOCALS~1\Temp\DX9\SessionLauncher.exe []
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 16:53]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 16:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21e5a3ab-aaef-11dc-9852-00014af9ba33}]
\Shell\AutoRun\command - G:\PStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{572d9052-aef7-11dc-985a-00014af9ba33}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitComet - C:\Program Files\BitComet\BitComet.exe
HKLM-Run-RegistryMechanic - C:\Program Files\Registry Mechanic\RegMech.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Emma\Application Data\Mozilla\Firefox\Profiles\2vmt72y6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 15:01:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-08-15 15:09:44 - machine was rebooted [Emma]
ComboFix-quarantined-files.txt 2008-08-15 14:09:40

Pre-Run: 18,504,691,712 bytes free
Post-Run: 18,493,276,160 bytes free

176 --- E O F --- 2008-08-15 01:30:27
Faith is offline