GMER:
---- Registry - GMER 1.0.10 ----
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
---- Files - GMER 1.0.10 ----
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{6677E6F8-1F7A-4749-80D5-71EC4AA2A145}
---- EOF - GMER 1.0.10 ----
COMBOFIX.EXE
Start Time= Thu 08/03/2006 17:42:38.21
Running from: C:\Documents and Settings\John\Desktop
QuickScan did not find any signs of infected files
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-08-03 17:02:00 528446 ( A.... ) "C:\WINDOWS\gmer.dll"
2006-08-02 19:01:40 5629 ( A.... ) "C:\Program Files\hijackthis.log"
2006-07-29 22:33:52 ( .D... ) "C:\Program Files\Mozilla Thunderbird"
2006-07-19 17:54:38 ( .D... ) "C:\Documents and Settings\John\Application Data\ActiveState"
2006-07-12 20:00:52 12999 ( A.... ) "C:\Documents and Settings\John\Application Data\Comma Separated Values (Windows).CAL"
2006-06-30 08:09:32 ( .D... ) "C:\Program Files\iTunes"
2006-06-25 14:00:18 ( .D... ) "C:\Program Files\Microsoft Works"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-14 19:59:12 ( .D... ) "C:\Program Files\Picasa2"
2006-06-06 20:49:18 745531 ( A...R ) "C:\WINDOWS\gmer.exe"
2006-06-06 18:[minutes lost in extraction]:26 121588 ( A.... ) "C:\Documents and Settings\John\Application Data\Cosmos Prefs"
2006-05-26 14:54:56 25 ( ...H. ) "C:\WINDOWS\sysmf4.dll"
2006-05-19 07:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-04-06 15:53:02 218112 ( A.... ) "C:\Program Files\HijackThis.exe"
(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))
2006-08-03 17:01 745,531 C:\WINDOWS\gmer.exe
2006-08-03 17:01 528,446 C:\WINDOWS\gmer.dll
2006-08-02 18:11 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"CTHelper"="CTHELPER.EXE"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,cb,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,cb,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,cb,03,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1148152798.job
Completion time: Thu 08/03/2006 17:42:52.57
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt
ComboFix.2006-08-03.174238.txt