Registered User | Join Date: Nov 2006 | Posts: 21 | OS: xp
Hi Iain - I am sorry I have taken so long to respond - partly an extremely busy schedule and partly because it has taken a good amount of time to do all the things you asked. Here are the logs:
Jerms - 06-12-01 11:55:49.57 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Jerms\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-10-29 to 2006-11-29 ))))))))))))))))))))))))))))))))))
2006-11-30 13:08 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-30 08:36 <DIR> d-------- C:\Program Files\CleanUp!
2006-11-29 13:34 <DIR> d-------- C:\HJT
2006-11-28 10:08 <DIR> d-------- C:\WINDOWS\system32\Dell
2006-11-28 08:58 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-28 08:58 <DIR> d-------- C:\c73728d49eb7a2e29c25ae21666b6baf
2006-11-28 08:57 <DIR> d-------- C:\f2edc3c88727fce3440535
2006-11-27 12:12 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-27 12:07 <DIR> d-------- C:\d24b460bec1d525a09c9b9
2006-11-27 12:03 <DIR> d-------- C:\WINDOWS\system32\ODCTOOLS
2006-11-26 16:10 <DIR> d-------- C:\Program Files\PCPitstop
2006-11-26 10:45 <DIR> d-------- C:\Program Files\RegCure
2006-11-23 12:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-23 12:23 <DIR> d-------- C:\Program Files\Grisoft
2006-11-23 10:41 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-11-22 18:10 <DIR> d--hs---- C:\WINDOWS\CSC
2006-11-16 16:58 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-11-13 15:05 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-31 20:58 <DIR> d-------- C:\Program Files\BearShare Applications
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
Rootkit driver pe386 is present. A rootkit scan is required
2006-11-30 17:33 -------- d-------- C:\Program Files\World of Warcraft
2006-11-29 13:16 -------- d-------- C:\Program Files\Common Files
2006-11-28 12:50 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Hamachi
2006-11-28 10:08 -------- d-------- C:\Program Files\Dell
2006-11-23 10:41 -------- d-------- C:\Program Files\RegistryPatrol3.0
2006-11-18 20:22 -------- d-------- C:\Program Files\Warcraft III
2006-11-17 18:55 -------- d-------- C:\Program Files\Google Toolbar
2006-11-16 17:39 7438520 --a------ C:\WINDOWS\system32\mi2.exe
2006-11-16 17:37 379071 --a------ C:\WINDOWS\system32\mi1.exe
2006-11-16 16:56 2724 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-09 19:22 -------- d-------- C:\Program Files\Apple Software Update
2006-11-03 19:20 56 -r-hs---- C:\WINDOWS\system32\80020AEA00.sys
2006-11-03 19:19 61678 --a------ C:\Documents and Settings\Jerms\Application Data\PFP120JPR.{PB
2006-11-03 19:19 12358 --a------ C:\Documents and Settings\Jerms\Application Data\PFP120JCM.{PB
2006-11-03 19:19 -------- d-------- C:\Documents and Settings\Jerms\Application Data\COREL
2006-11-02 20:42 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-10-27 12:08 -------- d-------- C:\Program Files\XPMedic
2006-10-27 08:06 -------- d-------- C:\Program Files\AdwareAlert
2006-10-25 14:27 -------- d-------- C:\Program Files\Lavasoft
2006-10-25 14:27 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Lavasoft
2006-10-25 12:07 -------- d-------- C:\Program Files\Java
2006-10-24 11:57 1886 --a------ C:\WINDOWS\system32\coke.exe
2006-10-24 09:36 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-23 18:50 -------- d-------- C:\Program Files\MSN
2006-10-23 18:50 -------- d-------- C:\Documents and Settings\Jerms\Application Data\MSNInstaller
2006-10-23 08:30 -------- d-------- C:\Program Files\SpywareBot
2006-10-22 20:33 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-10-22 13:58 -------- d-------- C:\Documents and Settings\Jerms\Application Data\TrojanHunter
2006-10-22 13:57 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Help
2006-10-22 13:48 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Simply Super Software
2006-10-22 13:41 -------- d-------- C:\Program Files\Common Files\Download Manager
2006-10-22 13:00 -------- d---s---- C:\Documents and Settings\Jerms\Application Data\Microsoft
2006-10-14 22:22 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Corel Photo Album
2006-10-13 06:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 06:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 04:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-11 13:07 252752 --a------ C:\WINDOWS\system32\odc.dll
2006-09-29 22:21 -------- d-------- C:\Program Files\X Password Generator
2006-09-29 20:46 10578 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-09-29 20:46 -------- d-------- C:\Program Files\Hamachi
2006-09-29 19:21 -------- d-------- C:\Documents and Settings\Jerms\Application Data\Macromedia
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv8"="c:\\windows\\system32\\_mzu_stonedrv8.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv8"="c:\\windows\\system32\\_mzu_stonedrv8.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: 06-12-01 11:56:38.42
C:\ComboFix.txt ... 06-12-01 11:56
C:\ComboFix2.txt ... 06-11-29 21:02
Incident Status Location
Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyGlobalSearch
Adware:adware/commad Not disinfected Windows Registry
Adware:Adware/ActiveSearch Not disinfected C:\Program Files\SoftwareRevenue.org\2r_samba.exe[toolbar-w-google-r.dll]
Possible Virus. Not disinfected C:\sUBs\TSF\swreg.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20061022-201701.backup
Adware:Adware/ActiveSearch Not disinfected C:\WINDOWS\system32\mi1.exe[2r_samba.exe][toolbar-w-google-r.dll]
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:17 06-12-01
+ Scan result:
C:\RECYCLER\NPROTECT\00140176.vbs -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
Okay - the Gmer log could not be completed because I got a blue screen - stop error report with the code: 0x000008E, 0xc0000005, 0x0074006E, 0xF1839cf0, 0x00000000. (I don't think the rootkit thing likes me!)
When I booted up today I also got a Microsoft Windows error message saying that my system has recovered from a serious error and that the following files would be sent in the error report: C:\DOCUME~1\Jerms\LOCALS~1\Temp\WERb3b8.dir00\Minill2006-10.dmp and C:\DOCUME~1\Jerms\LOCALS~1\Temp\WERb3b8.dir00\sysdata.xml. I don't know if any of that is useful but I thought I would let you know anyway.
I realize that I don't have a HijackThis log to send, so I will run one now and send it shortly.
Thanks
Cathy