Tech Support Forum > Security Center > HijackThis Log Help
05-13-2008, 08:55 AM   #1
Registered User
 
Join Date: May 2008
Posts: 2
OS: Win XP


Explorer.exe crashes on Startup - Rootkit

This problem started occurring 3 days ago. I'm running Windows XP on my laptop and problems started when I opened an email that I believed to be from a friend… It was not. The computer crashed immediately and when I restarted it I could see the dimension of the damage:

- takes a while to log in and as soon as the wallpaper appears, explorer.exe crashes ("data Execution Prevention - To help to protect your computer, Windows has closed this program");
- Message: "Explorer.exe - Application Error: The exception unknown software exception (0x0000409) occurred in the application at location 0x77420d7d."
- Task Manager and all anti-virus and anti-rootkit programs have similar behaviour;
- On the screen, just wallpaper and nothing else.
- I wasn't able to start Windows in safe mode
- I can't run Deckard's System Scanner (dss.exe)

After reinstalling Windows I started to have access to safe mode, but am trapped only with DOS command lines (cmd.exe). Finally I discovered that gmer.exe works, and I'll maybe be able to run something that doesn't crash from there (I have no idea how to fix things with HijackThis, as I can't get Windows to work - so I'll need some help to do it via DOS, or with some other trick!).

Getting very angry now!!!!

I ran HijackThis and ComboFix (as I know that this is common practice), and the results are shown below:



Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:41:37, on 11/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\cmd.exe
E:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Namo SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137524179640
O16 - DPF: {8FACB588-4A4B-46C1-807B-1F08D0AC7592} (eTours Control) - http://www.360etours.net/activex/eTours3-4-0-01.ocx
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.co...p/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7400 bytes



ComboFix

ComboFix 08-05-07.1 - Mario 2008-05-11 15:51:56.4 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.950 [GMT 1:00]
Running from: E:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-11 15:22 . 2007-08-14 08:12 5,760 --------- C:\WINDOWS\system32\33.tmp
2008-05-11 15:07 . 2007-08-14 08:12 5,760 --------- C:\WINDOWS\system32\32.tmp
2008-05-10 15:10 . 2008-05-11 04:09 1,333,227,520 --a------ C:\WINDOWS\MEMORY.DMP
2008-05-10 14:53 . 2004-08-04 05:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-05-10 14:52 . 2004-08-04 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-10 14:51 . 2004-08-04 05:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-05-10 14:50 . 2003-03-24 16:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\admin.dll
2008-05-10 14:48 . 2008-05-10 14:48 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-05-10 14:48 . 2008-05-10 14:48 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-05-10 14:48 . 2008-05-10 14:48 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-05-10 14:48 . 2008-05-10 14:48 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-05-10 14:48 . 2008-05-10 14:48 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-05-10 02:28 . 2008-05-10 02:28 <DIR> d-------- C:\54321
2008-05-10 02:13 . 2008-05-10 02:13 <DIR> d-------- C:\Deckard
2008-05-10 01:50 . 2005-06-28 23:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-05-10 01:50 . 2005-06-28 23:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-05-10 01:50 . 2005-06-28 23:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-05-10 01:50 . 2006-05-12 00:41 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-05-10 01:50 . 2008-05-10 01:50 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-10 01:50 . 2008-05-11 15:25 8,192 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-09 06:12 . 2005-06-28 23:51 <DIR> d-------- C:\Documents and Settings\Mario Filho\Application Data\You've Got Pictures Screensaver
2008-05-09 06:12 . 2005-06-28 23:59 <DIR> d-------- C:\Documents and Settings\Mario Filho\Application Data\Jasc Software Inc
2008-05-09 06:12 . 2005-06-28 23:43 <DIR> d-------- C:\Documents and Settings\Mario Filho\Application Data\Intel
2008-05-09 06:12 . 2006-05-12 00:41 <DIR> d--h----- C:\Documents and Settings\Mario Filho\Application Data\Gtek
2008-05-09 06:12 . 2008-05-09 06:12 <DIR> d-------- C:\Documents and Settings\Mario Filho
2008-05-09 06:12 . 2008-05-11 15:25 8,192 --ah----- C:\Documents and Settings\Mario Filho\ntuser.dat.LOG
2008-05-09 05:49 . 2008-03-15 00:39 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-05-09 02:13 . 2008-05-09 02:13 <DIR> d-------- C:\WINDOWS\dell
2008-05-09 01:28 . 2008-03-15 00:41 1,086,058 -ra------ C:\WINDOWS\SETFC.tmp
2008-05-09 01:28 . 2008-03-15 00:42 1,042,903 -ra------ C:\WINDOWS\SETF9.tmp
2008-05-09 01:28 . 2008-03-15 00:39 13,753 -ra------ C:\WINDOWS\SET108.tmp
2008-05-09 01:28 . 2008-03-15 00:43 7,334 --a--c--- C:\WINDOWS\system32\dllcache\wmerrenu.cat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 13:47 1,663 ----a-w C:\WINDOWS\inf\COMD9.tmp
2008-05-08 08:18 --------- d-----w C:\Program Files\eMule
2008-05-03 16:25 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-08 20:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 20:47 --------- d-----w C:\Program Files\AoA Audio Extractor
2008-04-06 23:28 --------- d-----w C:\Program Files\StreamboxVcrSuite2
2008-04-04 16:39 --------- d-----w C:\Program Files\CUE Splitter
2008-04-04 16:20 --------- d-----w C:\Program Files\Monkey's Audio
2008-04-04 16:12 --------- d-----w C:\Program Files\Winamp
2008-03-22 15:56 --------- d-----w C:\Program Files\Nero
2008-03-22 15:56 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-15 04:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-15 02:01 277,504 ----a-w C:\WINDOWS\gmoer.dll
2008-03-14 23:42 984,576 ----a-w C:\WINDOWS\system32\syssetup.dll
2008-03-14 23:41 98,304 ----a-w C:\WINDOWS\system32\rtm.dll
2008-03-14 23:40 994,304 ----a-w C:\WINDOWS\system32\msgina.dll
2008-03-14 23:39 97,280 ----a-w C:\WINDOWS\system32\loadperf.dll
2008-03-14 23:38 97,280 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-03-14 23:37 98,304 ----a-w C:\WINDOWS\system32\cscript.exe
2008-03-14 21:35 --------- d-----w C:\Program Files\Sophos
2008-03-14 21:14 --------- d-----w C:\Program Files\Windows Defender
2008-03-14 20:39 32,768 -c--a-w C:\WINDOWS\system32\instlsp.exe
2008-03-14 01:29 --------- d-----w C:\Program Files\Lavasoft
2008-03-13 21:41 --------- d-----w C:\Program Files\BurnAware Free Edition
2008-03-13 21:40 --------- d-----w C:\Program Files\Astonsoft
2008-03-13 20:15 --------- d-----w C:\Program Files\ahead
2005-07-26 16:16 439 -c--a-w C:\Program Files\DivXPlayer.dbf
2005-05-13 17:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 11:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 21:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 19:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 12:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 15:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 22:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2005-07-24 00:33 56 -csha-r C:\WINDOWS\system32\E4CB67060B.sys
2004-01-25 00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2005-08-14 15:08 13,146 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2006-04-27 10:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 13:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-10_ 2.05.44.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-10 00:59:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-11 13:50:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-11 01:44:36 819,200 ----a-w C:\WINDOWS\gmer.dll
- 2008-05-09 04:52:51 344,064 ---ha-w C:\WINDOWS\repair\ntuser.dat
+ 2008-05-10 13:50:25 344,064 ---ha-w C:\WINDOWS\repair\ntuser.dat
+ 2008-05-10 12:37:26 22,220 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{DB1F9AAB-E300-4591-BD59-CA2A5EC9CE38}.bin
- 2008-05-09 05:00:21 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-10 13:58:01 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-09 05:00:21 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-10 13:58:01 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-10 13:57:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051020080511\index.dat
- 2008-05-09 05:00:21 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-10 13:58:01 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-11 01:44:36 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2008-05-09 04:49:08 26,860 -c--a-w C:\WINDOWS\system32\emptyregdb.dat
+ 2008-05-10 13:47:15 26,828 -c--a-w C:\WINDOWS\system32\emptyregdb.dat
- 2008-05-09 05:08:09 55,522 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-10 14:04:08 55,522 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-09 05:08:09 386,598 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-10 14:04:08 386,598 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2004-08-04 04:00:00 921,088 ----a-w C:\WINDOWS\WinSxS\InstallTemp\69057\comctl32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-15 00:37 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"eMuleAutoStart"="C:\Program Files\eMule\emule.exe" [2007-05-13 15:57 5308416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-03-15 00:37 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 17:38 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.XVID"= xvid.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\option]
UseAlternateShell REG_DWORD 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"= cmd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19684:TCP"= 19684:TCP:emule
"4662:TCP"= 4662:TCP:Router
"4672:UDP"= 4672:UDP:emule protocol
"4665:UDP"= 4665:UDP:source asking on servers
"4711:TCP"= 4711:TCP:webserver
"4232:TCP"= 4232:TCP:emule
"4232:UDP"= 4232:UDP:Emule
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 NeroCd2k;NeroCd2k;C:\WINDOWS\system32\drivers\NeroCd2k.sys [2001-04-16 11:54]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 12:11]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\33.tmp [2007-08-14 08:12]
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2008-03-15 00:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc607771-da82-11dc-8bf6-000e50f7b975}]
\Shell\AutoRun\command - E:\RavMon.exe
\Shell\explore\Command - E:\RavMon.exe -e
\Shell\open\Command - E:\RavMon.exe

*Newly Created Service* - MEMSWEEP2
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 10:17:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-11 13:54:45 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-19 14:09:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-07-04 14:09:50 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 15:54:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\33.tmp"
.
Completion time: 2008-05-11 15:56:14
ComboFix-quarantined-files.txt 2008-05-11 14:55:47
ComboFix2.txt 2008-05-10 14:28:49
ComboFix3.txt 2008-05-10 01:42:24
ComboFix4.txt 2008-05-10 0103

Pre-Run: 10,710,396,928 bytes free
Post-Run: 10,712,514,560 bytes free

199 --- E O F --- 2008-05-10 12:37:13

.

Thanks for your help!!!!

Last edited by Pigmaleon : 05-13-2008 at 09:03 AM.
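A first-pass triage script for logs like the two posted above, added here as an example; it is not part of this thread and not a tool from Trend Micro, the ComboFix author or Gmer. It parses HijackThis `R`/`O` lines and the ComboFix "Reg Loading Points" section and raises the items an analyst usually looks at first: entries whose target is missing (`(no file)`), autostarts under the SYSTEM profile, the firewall being switched off, an AutoRun handler recorded for a mounted drive, and the safeboot `UseAlternateShell`/`AlternateShell` pair (which is what makes safe mode come up at a `cmd.exe` prompt instead of Explorer). The sample lines are copied from the post; the severity labels and the flagging rules are assumptions made for this example and are not a verdict on any file.

```python
"""Triage helper for HijackThis / ComboFix text logs (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines from the post above.
HJT_SAMPLE = r"""R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
"""

# Constructed sample: registry section of the ComboFix output from the post above.
COMBOFIX_SAMPLE = r"""[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\option]
UseAlternateShell REG_DWORD 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"= cmd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc607771-da82-11dc-8bf6-000e50f7b975}]
\Shell\AutoRun\command - E:\RavMon.exe
\Shell\open\Command - E:\RavMon.exe
"""

# "R3 - ..." / "O23 - ..." -> section tag plus the rest of the line.
HJT_LINE = re.compile(r"^(?P<sec>[ROF]\d+) - (?P<body>.*)$")
# O4 body: "<hive>: [<name>] <command>" with an optional " (User '<user>')" suffix.
O4_LINE = re.compile(
    r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)


@dataclass
class Finding:
    severity: str  # assumed labels for this example: "info" or "review"
    source: str    # "hjt" or "combofix"
    detail: str


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def triage_hjt(text):
    findings = []
    for sec, body in parse_hjt(text):
        if body.endswith("(no file)"):
            findings.append(Finding("info", "hjt", f"{sec}: orphaned entry, target missing: {body}"))
        if sec == "O4":
            m = O4_LINE.match(body)
            if m and m.group("user") == "SYSTEM":
                findings.append(Finding("review", "hjt",
                                        f"O4: autostart under SYSTEM profile: [{m.group('name')}] {m.group('cmd')}"))
    return findings


def triage_combofix(text):
    """Walk the [key] / value layout of ComboFix's 'Reg Loading Points' section."""
    findings, key, shell, use_alt = [], "", None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()      # current registry key, lower-cased for matching
            continue
        if not line:
            continue
        if key.endswith(r"safeboot\option") and line.startswith("UseAlternateShell") and " 1 " in line:
            use_alt = True
        elif key.endswith(r"\safeboot") and line.startswith('"AlternateShell"='):
            shell = line.split("=", 1)[1].strip()
        elif key.endswith(r"firewallpolicy\standardprofile") and line.startswith('"EnableFirewall"= 0'):
            findings.append(Finding("review", "combofix", "Windows Firewall disabled for the standard profile"))
        elif r"mountpoints2\{" in key and r"\shell\autorun\command" in line.lower():
            target = line.split(" - ", 1)[1].strip()
            findings.append(Finding("review", "combofix", f"AutoRun handler for a mounted volume runs {target}"))
    if use_alt:
        # Safe mode will launch the alternate shell rather than Explorer.
        findings.append(Finding("info", "combofix",
                                f"safe mode starts the alternate shell ({shell or 'unknown'}) instead of Explorer"))
    return findings


def run_sample():
    return triage_hjt(HJT_SAMPLE) + triage_combofix(COMBOFIX_SAMPLE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:6}] {f.source}: {f.detail}")
```

Running it prints one line per finding; anything tagged `review` is a starting point for the analyst, not a conclusion, and the two parsers are deliberately strict about the line shapes shown in the post, so lines in another layout are simply skipped rather than guessed at.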
05-16-2008, 09:53 AM   #2
Registered User
 
Join Date: May 2008
Posts: 2
OS: Win XP


Re: Explorer.exe crashes on Startup - Rootkit

Bump!