Thread: My DSS log
04-23-2007, 08:08 AM   #5
The Arto
Registered User
Join Date: Apr 2007
Posts: 29
OS: xp


My Combofix log

Thanks for the prompt reply, Ried. Here's my ComboFix log. Now, I had to do it in safe mode because it kept crashing in regular mode. I'll copy/paste and attach. If I need to do it in regular mode, I will keep trying. SpywareGuard is constantly going off though, so I think it was causing problems.

"Owner" - 07-04-23 8:51:43 Service Pack 2 [SAFE MODE]
ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Owner\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\WINNT\DOBE~1
C:\qoobox\purity\C\WINNT\MCROSO~1.NET
C:\qoobox\purity\C\WINNT\YSTEM~1
C:\qoobox\purity\C\WINNT\DOBE~1\dvdplay.exe
C:\qoobox\purity\C\WINNT\DOBE~1\?dobe
C:\qoobox\purity\C\WINNT\YSTEM~1\n?pdb.exe


((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))


2007-04-22 22:50 <DIR> d-------- C:\Deckard
2007-04-22 22:26 21,312 --a------ C:\WINNT\choice.exe
2007-04-22 22:26 <DIR> d-------- C:\ie-spyad
2007-04-22 22:21 <DIR> d-------- C:\Program Files\SpywareGuard
2007-04-22 22:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-04-22 20:44 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-04-22 19:59 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-04-22 19:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-22 19:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-22 18:50 60,928 --a------ C:\WINNT\system32\aochsz.dll
2007-04-21 10:17 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-20 07:01 2 --a------ C:\WINNT\system32\wnsapiicomsv32.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-23 08:48 -------- d-------- C:\Program Files\popup killer
2007-04-22 21:39 -------- d-------- C:\Program Files\winamp
2007-04-22 21:35 -------- d-------- C:\Program Files\quicktime
2007-04-22 21:29 -------- d-------- C:\Program Files\norton antivirus
2007-04-22 21:27 -------- d-------- C:\Program Files\messenger
2007-04-22 21:19 -------- d-------- C:\Program Files\google
2007-04-22 21:18 -------- d-------- C:\Program Files\dell aio printer a920
2007-04-22 19:19 -------- d-------- C:\Program Files\wildtangent
2007-04-22 19:15 -------- d-------- C:\Program Files\viewpoint
2007-04-21 21:18 -------- d--h----- C:\Program Files\installshield installation information
2007-04-19 12:24 -------- d-------- C:\Program Files\gerge
2007-04-14 15:10 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\u3
2007-03-28 17:32 -------- d-------- C:\Program Files\full tilt poker.net
2007-03-24 20:28 -------- d-------- C:\Program Files\partygaming
2007-03-17 08:43 292864 --a------ C:\WINNT\system32\winsrv.dll
2007-03-15 09:08 101438 --a------ C:\WINNT\b122.exe
2007-03-08 10:36 577536 --a------ C:\WINNT\system32\user32.dll
2007-03-08 10:36 40960 --a------ C:\WINNT\system32\mf3216.dll
2007-03-08 10:36 281600 --a------ C:\WINNT\system32\gdi32.dll
2007-03-08 08:47 1843584 --a------ C:\WINNT\system32\win32k.sys
2007-02-05 15:17 185344 --a------ C:\WINNT\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINNT\system32\uirlrffw.dll [x]
{4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll
{659CF94F-108F-6425-F24F-1AE33AE4FE9C} C:\WINNT\system32\aochsz.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll
{BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll
{CC46F77B-FD92-46AC-ADDF-8B4CE70E0EE7} C:\WINNT\system32\vklnwaim.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"GWMDMMSG"="GWMDMMSG.exe"
"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"GWMDMpi"="C:\\WINNT\\GWMDMpi.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"PopUpKiller"="C:\\Program Files\\PopUp Killer\\PopUpKiller.EXE"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Ltho"="\"C:\\WINNT\\DOBE~1\\dvdplay.exe\" -vt yazb"
"Pqdmwmrx"="C:\\WINNT\\?ystem\\n?pdb.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINNT\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DVD\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="The Weather Channel"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\THEWEA~1\\The Weather Channel.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Updater"
"hkey"="HKLM"
"command"="C:\\Program Files\\iRiver\\iRiver Manager\\Updater\\Updater.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WebRebates0"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Web_Rebates\\WebRebates0.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job
C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job
C:\WINNT\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 08:56:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-23 8:57:19
C:\ComboFix-quarantined-files.txt ... 07-04-23 08:57
Attached file: ComboFix.txt (9.8 KB)