Thread: syswrk.a trojan
bzzkarat
OS: XP


Here's the ComboFix log. Should I delete the suspicious registry entries it lists (the MountPoints2 autorun commands pointing at RavMonE.exe and infrom.exe) manually, or wait for further instructions?

"BzzKarat" - 07-02-14 12:08:49 Service Pack 2
ComboFix 07-02-11.1.1 - Running from: "C:\Documents and Settings\BzzKarat\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-14 to 2007-02-14 ))))))))))))))))))))))))))))))))))


2007-02-13 23:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo!
2007-02-13 21:57 <DIR> d-------- C:\DOCUME~1\BzzKarat\Contacts
2007-02-13 21:55 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-02-13 13:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-02-12 00:59 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-11 11:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-02-11 00:25 <DIR> d-------- C:\Program Files\RFlow Collector
2007-02-05 18:13 98,356 --a------ C:\WINDOWS\system32\MSJTER32.DLL
2007-02-05 18:13 965,904 --a------ C:\WINDOWS\system32\MSJT3032.DLL
2007-02-05 18:13 92,208 --a------ C:\WINDOWS\system32\WING.DLL
2007-02-05 18:13 722,192 --a------ C:\WINDOWS\system32\VB40032.DLL
2007-02-05 18:13 59,504 --a------ C:\WINDOWS\system32\VBDB32.DLL
2007-02-05 18:13 398,416 --a------ C:\WINDOWS\system32\Vbrun300.DLL
2007-02-05 18:13 33,552 --a------ C:\WINDOWS\system32\MSJINT32.DLL
2007-02-05 18:13 309,520 --a------ C:\WINDOWS\system32\MSWNG300.DLL
2007-02-05 18:13 26,000 --a------ C:\WINDOWS\system32\CTL3D.DLL
2007-02-05 18:13 245,520 --a------ C:\WINDOWS\system32\MSRD2X32.DLL
2007-02-05 18:13 244,496 --a------ C:\WINDOWS\system32\VBAR2232.DLL
2007-02-05 18:13 188,960 --a------ C:\WINDOWS\system32\WINGDE.DLL
2007-02-05 18:13 133,904 --a------ C:\WINDOWS\system32\MFCANS32.DLL
2007-02-05 18:13 133,392 --a------ C:\WINDOWS\system32\MFCO30.DLL
2007-02-05 18:13 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2007-02-05 18:13 108,032 --a------ C:\WINDOWS\system32\MFCUIA32.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-14 00:20 -------- d-------- C:\Program Files\bitcomet
2007-02-14 00:20 -------- d-------- C:\Program Files\athan
2007-02-13 23:31 -------- d-------- C:\Program Files\free download manager
2007-02-13 23:23 -------- d-------- C:\Program Files\yahoo!
2007-02-13 23:12 -------- d-------- C:\DOCUME~1\BzzKarat\Application Data\yahoo!
2007-02-13 23:06 -------- d-------- C:\DOCUME~1\BzzKarat\Application Data\avg7
2007-02-13 16:05 -------- d-------- C:\Program Files\rockwell software
2007-02-12 23:48 -------- d-------- C:\Program Files\Common Files\rockwell
2007-02-12 23:19 -------- d--h----- C:\Program Files\installshield installation information
2007-02-12 23:02 -------- d-------- C:\Program Files\backburner 2
2007-02-12 22:50 -------- d-------- C:\DOCUME~1\BzzKarat\Application Data\my games
2007-02-12 00:59 -------- d-------- C:\Program Files\grisoft
2007-02-11 16:13 -------- d-------- C:\Program Files\spywareblaster
2007-02-10 23:38 839936 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-10 23:38 27776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-10 23:38 18432 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-27 22:43 -------- d---s---- C:\DOCUME~1\BzzKarat\Application Data\microsoft
2007-01-10 23:39 -------- d-------- C:\DOCUME~1\BzzKarat\Application Data\sports interactive
2007-01-10 23:14 -------- d-------- C:\Program Files\Common Files\installshield
2007-01-09 22:54 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-01-09 22:54 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-09 22:54 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-08 20:19 -------- d-------- C:\DOCUME~1\BzzKarat\Application Data\olympus
2007-01-08 17:10 -------- d-------- C:\Program Files\olympus
2007-01-08 17:08 -------- d-------- C:\Program Files\pixela
2006-12-28 22:12 -------- d-------- C:\Program Files\k-lite codec pack
2006-12-18 09:53 2880 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2006-12-07 14:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"nwiz"="nwiz.exe /install"
"BitComet"="\"C:\\Program Files\\BitComet\\BitComet.exe\""
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MOUSE"="C:\\WINDOWS\\System32\\Mousexp.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Gainward"="C:\\WINDOWS\\TBPanel.exe /A"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Athan"="C:\\Program Files\\Athan\\Athan.exe"
"HPWT myPrintMileage Agent"="C:\\Program Files\\Hewlett-Packard\\HP Business Inkjet 1000\\Toolbox\\mpm.exe"
"C-Media Mixer"="Mixer.exe /startup"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{407e7e6d-af11-11da-96c3-0000e2551602}]
Shell\Auto\command I:\infrom.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45cef234-3248-11db-97b5-0000e2551602}]
Shell\Auto\command RavMonE.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45cef235-3248-11db-97b5-0000e2551602}]
Shell\Auto\command K:\RavMonE.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a6aaec76-2b52-11db-97ac-0000e2551602}]
Shell\Auto\command infrom.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b6f0c17c-286a-11db-97a7-0000e2551602}]
Shell\Auto\command RavMonE.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-14 12:10:59
C:\ComboFix2.txt ... 07-02-14 11:56