Resolved HJT Threads: resolved spyware and popup issues.
#1
Registered User
Join Date: Jul 2009
Posts: 4
OS: XP SP2
BackDoor.Generic11.ZNE infection. PLEASE help!?
Ok, here we go.
This is my first time posting a problem like this. I can USUALLY fix a virus or a malware problem myself, but THIS one has got me stumped.

Symptoms are: Google being redirected. Bad pop-ups. Slow speed. And freezes.

Prior to posting here, I ran several scans. I ran AVG, Spybot, and Adaware multiple times, in both Safe Mode and normal. Every time I run AVG, it finds a bunch of infected places. It appears that my problem is this: BackDoor.Generic11.ZNE

It shows that name behind MULTIPLE locations, starting with 30 occurrences like this:

"\\?\globalroot\systemroot\system32\SKYNETqmettvad.dll -- Trojan horse BackDoor.Generic11.ZNE"

It also shows itself attached to a bunch of my processes (if not ALL of the running processes).

I'm pretty sure I have followed your posting guidelines, as requested. I attached the attach.txt & ark.txt files in the .zip folder. And here are the DDS scan results.

============== DDS Scan ==============
DDS (Ver_09-06-26.01) - NTFSx86 Run by Administrator at 3:29:10.43 on Thu 07/09/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1334 [GMT -5:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
#2
Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint
Re: BackDoor.Generic11.ZNE infection. PLEASE help!?
Hi.
Welcome to TSF once again. You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

-------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

-------------------------------------------------------------------------

I am sorry to inform you that one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

-------------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

-------------------------------------------------------------------------

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe. If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
#3
Registered User
Join Date: Jul 2009
Posts: 4
OS: XP SP2
Re: BackDoor.Generic11.ZNE infection. PLEASE help!?
OK... first of all, THANKS for your timely response to my questions/problem.
I followed your directions, to the letter. Here's the log from ComboFix.

-----------------------------------------------
ComboFix 09-07-09.06 - Administrator 07/09/2009 22:02.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1504 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
- - - - ORPHANS REMOVED - - - - HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll SSODL-CHFEJFE0-{42EA2746-0D4B-3B9E-0274-1FB17D2B65DC} - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://www.myspace.com/ IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\jxe8cuee.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q= FF - prefs.js: browser.search.selectedEngine - Fast Browser Search FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=4&tid={C2717B08-3BC9-6B16-FC26-88235BDBBAC3}&q= FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll FF - 
plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-09 22:18 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,7a,f5,4b,e8,66, 47,1a,7e,e2,63,26,f1,3f,c8,ff,68,53,23,58,9d,8c,28,a3,ec,e2,63,26,f1,3f,c8,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,cd,c5,f0,3d,83, 0a,74,66,6a,9c,d6,61,af,45,84,18,67,3d,6d,46,b0,01,2f,75,6a,9c,d6,61,af,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,ac,23,c7,64,5f, c3,39,57,ff,7c,85,e0,43,d4,0e,fe,6b,aa,df,0e,f9,5c,56,3c,ff,7c,85,e0,43,d4,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,2e,71,c1,4f,4c, f7,d0,34,86,8c,21,01,be,91,eb,e7,27,f0,64,a4,4d,fd,82,02,86,8c,21,01,be,91,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,c2,0d,4b,c9,37, d7,6e,2e,f5,1d,4d,73,a8,13,5c,05,95,59,70,d1,1a,64,4a,2a,f5,1d,4d,73,a8,13,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,d3,b8,fb,ca,fd, 7a,e2,b6,df,20,58,62,78,6b,cf,c8,b2,3c,e1,a2,9f,01,8a,3e,df,20,58,62,78,6b,\ 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,5d,46,15,f1,74, 70,77,5e,fb,a7,78,e6,12,2f,9a,ea,3f,df,ae,15,9b,5e,2c,dd,fb,a7,78,e6,12,2f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,2a,f6,73,f8,ae, 45,7a,45,01,3a,48,fc,e8,04,4a,f1,55,c3,fb,1d,17,fb,e4,c4,01,3a,48,fc,e8,04,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,3e,75,de,9a,93, 1d,e8,ee,f6,0f,4e,58,98,5b,89,c9,5d,85,a9,97,8d,ca,0e,c0,f6,0f,4e,58,98,5b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,fa,70,62,f2,97, f9,d2,6d,3d,ce,ea,26,2d,45,aa,78,87,58,57,dd,94,e2,c6,c5,3d,ce,ea,26,2d,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,9c,f7,fd,1a,43, b7,65,c6,2a,b7,cc,b5,b9,7f,41,e7,08,18,cd,55,fb,eb,aa,d0,2a,b7,cc,b5,b9,7f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,da,29,e7,36,a5, e6,fc,fb,6c,43,2d,1e,aa,22,2f,9c,7a,6f,8c,1b,fa,b3,ad,cc,6c,43,2d,1e,aa,22,\ . 
------------------------ Other Running Processes ------------------------ . c:\program files\Java\jre6\bin\jqs.exe c:\progra~1\NORTON~2\SPEEDD~1\NOPDB.EXE c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe c:\program files\MSN Messenger\usnsvc.exe c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\windows\system32\wbem\unsecapp.exe c:\windows\system32\lxcgcoms.exe c:\progra~1\MICROS~3\rapimgr.exe . ************************************************************************** . Completion time: 2009-07-10 22:30 - machine was rebooted ComboFix-quarantined-files.txt 2009-07-10 03:29 Pre-Run: 49,888,817,152 bytes free Post-Run: 49,784,655,872 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn 365 --- E O F --- 2009-06-11 06:04 Last edited by IL_Drifter; 07-09-2009 at 09:38 PM. Reason: I misspelled, and I am a perfectionist. LOL |
#4
Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint
Re: BackDoor.Generic11.ZNE infection. PLEASE help!?
hi.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------------------

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.
3. Open Notepad and copy/paste the text in the quote box below into it:

Quote:

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

**Note** When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

There should be a file named [4]-Submit_date@time.zip with today's date, located here: C:\QooBox\Quarantine\[4]-Submit_date@time.zip
Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4
Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------------------------

Please uninstall the following, using the Windows ADD/REMOVE program in the Control Panel.

Outdated Java runtimes: (older versions have vulnerabilities that malicious sites can use to exploit and infect your system)
J2SE Runtime Environment 5.0 Update 6

----------------------------------------------------------------------

These indicate some settings have been changed. These are "Change the way Security Center alerts me" in Control Panel > Security Center.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

This means they are turned off. If that's your choice, that's fine; otherwise tick the boxes to turn the notifications back on.

------------------------------------------------------------------------

Run ESET Online Scan
*Close any open programs
*Turn off the real-time scanner of any existing antivirus program while performing the online scan. You can find instructions HERE.
Go here to run an online scanner from ESET.

-------------------------------------------------------------------------

Did you already uninstall your Symantec/Norton Antivirus? There are still some parts of that security suite that are still installed. Let me know.

How's your computer now?

In your reply, please post:
C:\combofix.txt
ESET scan result
Answers to my questions

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe. If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
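The settings Mark reads off by eye from the "Reg Loading Points" section (the Security Center key he quotes, and the EnableFirewall and GloballyOpenPorts lines that sit a few entries below it in the same log) can also be checked mechanically when you triage many such logs. The script below is an added example written for this page; it is not part of the thread and not ComboFix's own code. It parses a constructed excerpt in the format ComboFix uses here (the values are copied from this thread's log) and lists the settings a helper would ask the poster to review. The key paths and the two numeric data forms ("dword:00000001" and "0 (0x0)") are taken from the log as shown above and are assumed to be stable across ComboFix versions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the format of ComboFix's "Reg Loading Points" section.
# Values mirror the entries in this thread: update alerts silenced, the XP
# firewall's Standard profile disabled, TCP/3389 opened to any remote address,
# and one port that is correctly limited to a single subnet.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"""

# Key paths exactly as ComboFix abbreviates them, lower-cased for lookup.
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FIREWALL_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
OPEN_PORTS = FIREWALL_PROFILE + r"\globallyopenports\list"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_section(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] in the excerpt (lower-cased) to its "name"=data pairs."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = value_match.group(2).strip()
    return keys


def reg_int(data: str) -> Optional[int]:
    """Decode the two numeric forms the log prints: 'dword:00000001' and '0 (0x0)'."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[len("dword:"):], 16)
    digits = re.match(r"^(\d+)", data)
    return int(digits.group(1)) if digits else None


def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (value name, explanation) for each weak setting in the parsed keys."""
    findings: List[Tuple[str, str]] = []

    notify = keys.get(SECURITY_CENTER, {}).get("UpdatesDisableNotify")
    if notify is not None and reg_int(notify) == 1:
        findings.append(("UpdatesDisableNotify",
                         "Security Center no longer alerts when Automatic Updates is off"))

    enabled = keys.get(FIREWALL_PROFILE, {}).get("EnableFirewall")
    if enabled is not None and reg_int(enabled) == 0:
        findings.append(("EnableFirewall",
                         "Windows Firewall is disabled for the Standard profile"))

    # Globally open ports are written port:proto:scope:...; a scope carrying a
    # netmask is limited to that subnet, anything else admits any remote address.
    for name, data in keys.get(OPEN_PORTS, {}).items():
        fields = data.split(":")
        scope = fields[2] if len(fields) > 2 else ""
        if "/" not in scope:
            findings.append((name, "port is open in the firewall to any remote address"))
    return findings


def audit_log(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse a log excerpt and audit it in one call."""
    return audit(parse_reg_section(text))


if __name__ == "__main__":
    for name, why in audit_log(SAMPLE_LOG):
        print(f"{name}: {why}")
```

Run against the excerpt it reports UpdatesDisableNotify, EnableFirewall and 3389:TCP and stays silent on 26675:TCP, which is scoped to the ActiveSync link-local subnet. Feeding it a full ComboFix log works the same way, since the parser ignores every line that is neither a [key] nor a "name"=data pair.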
#5
Registered User
Join Date: Jul 2009
Posts: 4
OS: XP SP2
Re: BackDoor.Generic11.ZNE infection. PLEASE help!?
Ahhhhhh......I am now starting to see by looking over these scan results, exactly what my son has been up to, and how he got this computer so messed up.
As anyone can see, by looking at the ESET scan log, he has been using Patches & Keygens. Or at least he was trying to. LOL

I guess this should be a lesson, to anyone reading this..... If you use program patches and/or keygens, eventually, you are going to get slammed with something like this. I wonder how many other computers came home from his college dorm building with this same exact problem!?!?!? LOL

____________________________________

Ok, here is everything you asked for.

I submitted the file named [4]-Submit_date@time.zip to http://www.bleepingcomputer.com
I uninstalled the outdated version of Java J2SE Runtime Environment 5.0 Update 6
I'd like to leave the settings the way they are on the Security Center.....JUST FOR NOW.

____________________________________

Here is the Combofix log.

ComboFix 09-07-09.08 - Administrator 07/10/2009 22:03.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1415 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\2275EACE7B.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\2275EACE7B.sys
.
((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
.
2025-09-22 03:46 . 2005-09-22 17:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2025-09-22 03:45 . 2008-12-22 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2025-09-22 03:45 . 2007-01-03 03:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2020-09-22 16:42 . 2008-12-22 00:13 -------- d-----w- c:\program files\Norton SystemWorks
2009-07-08 21:43 . 2009-07-08 21:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-06 13:16 . 2009-07-06 03:01 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-06 03:22 . 2009-07-10 13:43 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-06 03:01 . 2009-07-06 03:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-06 03:01 . 2009-07-06 03:01 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-06 03:01 . 2009-07-06 03:01 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-06 03:01 . 2009-07-06 03:01 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-06 03:01 . 2009-07-10 23:03 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-06 03:01 . 2009-07-06 03:01 -------- d-----w- c:\program files\AVG
2009-07-06 03:01 . 2009-07-06 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-30 21:31 . 2009-07-06 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\16995154
2009-06-28 13:08 . 2009-05-27 00:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-06-28 13:08 . 2009-06-28 13:08 -------- d-----w- c:\program files\Yahoo!
2009-06-26 22:17 . 2009-06-26 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-26 22:16 . 2009-06-29 22:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-26 22:16 . 2009-06-29 22:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-26 19:24 . 2009-06-26 19:24 -------- d-----w- c:\program files\Common Files\iS3
2009-06-26 19:24 . 2009-06-29 22:05 -------- d-----w- c:\program files\STOPzilla!
2009-06-26 19:24 . 2009-06-29 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-06-26 19:24 . 2009-06-29 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\ZILLAbar
2009-06-26 19:04 . 2009-06-26 19:04 -------- d-----w- c:\program files\DAMN NFO Viewer
2009-06-26 18:30 . 2009-06-26 18:30 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-06-26 18:30 . 2009-06-26 18:30 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-06-26 18:30 . 2009-06-26 18:30 -------- d-----w- c:\program files\Prevx
2009-06-26 18:30 . 2009-07-10 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-06-21 05:34 . 2009-06-19 22:09 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-19 22:09 . 2009-07-03 22:11 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-19 22:09 . 2009-07-06 22:10 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-19 22:09 . 2009-07-03 22:11 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-19 22:09 . 2009-06-19 22:09 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-19 22:09 . 2009-07-03 22:11 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-19 22:09 . 2009-07-03 22:11 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-19 22:09 . 2009-07-03 22:11 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-19 22:08 . 2009-07-06 22:10 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-19 22:08 . 2009-07-03 22:11 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-19 22:08 . 2009-07-03 22:11 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-19 22:08 . 2009-06-19 22:08 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-19 22:08 . 2009-07-03 22:11 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-19 22:08 . 2009-07-03 22:11 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-19 22:08 . 2009-07-03 22:11 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-19 22:08 . 2009-07-03 22:11 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-19 22:08 . 2009-07-06 22:10 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-19 22:08 . 2009-07-03 22:11 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-19 22:08 . 2009-07-03 22:11 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-19 22:08 . 2009-07-03 22:11 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-19 22:03 . 2009-06-19 22:03 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-19 22:03 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-19 17:58 . 2009-06-29 15:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\cft
2009-06-19 17:48 . 2009-06-29 15:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\pridl
2009-06-19 17:05 . 2009-06-29 22:01 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2009-06-19 17:02 . 2009-06-19 17:59 -------- d-----w- c:\windows\Replay Media Catcher
2009-06-19 16:52 . 2009-06-19 16:52 -------- d-----w- c:\program files\IObit
2009-06-19 16:52 . 2009-06-19 16:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2009-06-17 23:14 . 2009-06-17 23:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2020-09-22 16:29 . 2005-09-22 07:33 -------- d-----w- c:\program files\Norton AntiVirus
2009-07-09 02:41 . 2005-11-20 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-30 13:07 . 2008-10-12 20:42 -------- d-----w- c:\program files\Lx_cats
2009-06-29 15:53 . 2008-10-29 00:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\DNA
2009-06-28 13:08 . 2006-08-08 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-26 21:40 . 2008-10-29 00:55 -------- d-----w- c:\program files\DNA
2009-06-20 00:30 . 2009-01-27 05:15 -------- d-----w- c:\program files\Google
2009-06-19 22:08 . 2009-06-09 02:35 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-19 22:03 . 2008-10-21 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-19 22:03 . 2005-09-19 03:17 -------- d-----w- c:\program files\Lavasoft
2009-06-19 15:52 . 2007-04-04 22:03 -------- d-----w- c:\program files\WM Recorder 10
2009-06-19 15:28 . 2007-04-17 19:42 -------- d-----w- c:\program files\Replay AV 8
2009-06-17 23:30 . 2005-09-21 16:49 82616 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-17 22:53 . 2005-12-20 03:34 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-17 01:56 . 2008-10-29 00:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitTorrent
2009-06-15 01:48 . 2009-02-17 15:02 -------- d-----w- c:\program files\Auction Sentry Deluxe
2009-06-10 12:17 . 2005-09-19 02:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-10 12:13 . 2009-04-08 11:53 -------- d-----w- c:\program files\Common Files\Apple
2009-06-04 19:13 . 2008-10-29 00:55 -------- d-----w- c:\program files\BitTorrent
2009-06-02 22:30 . 2009-06-02 22:29 -------- d-----w- c:\program files\iTunes
2009-06-02 22:29 . 2009-06-02 22:29 -------- d-----w- c:\program files\iPod
2009-06-02 22:26 . 2007-07-17 00:30 -------- d-----w- c:\program files\QuickTime
2009-06-02 11:49 . 2009-06-02 11:49 390664 ----a-w- c:\documents and settings\Administrator\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-30 17:50 . 2009-05-30 17:50 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-26 15:44 . 2009-04-30 05:54 -------- d-----w- c:\program files\Pinnacle
2009-05-25 22:45 . 2008-10-29 00:31 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-25 22:31 . 2009-05-25 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-05-23 02:17 . 2009-04-19 01:06 -------- d-----w- c:\program files\Palm
2009-05-07 15:44 . 2001-08-23 15:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 15:41 . 2009-05-05 15:41 86016 ----a-w- c:\windows\system32\OpenAL32.dll
2009-05-05 15:41 . 2009-05-05 15:41 262144 ----a-w- c:\windows\system32\wrap_oal.dll
2009-04-30 04:16 . 2009-04-30 04:16 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-30 04:01 . 2009-04-30 04:01 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-04-29 04:56 . 2005-06-18 04:49 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2001-08-23 15:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2005-09-19 00:34 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2007-03-09 07:12 . 2007-03-09 07:12 27648 -csha-w- c:\windows\system32\AVSredirect.dll
2008-03-01 19:07 . 2008-03-01 18:46 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-06 1948440]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-06 03:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ScreenHunter 4.0 Free.lnk]
backup=c:\windows\pss\ScreenHunter 4.0 Free.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk.disabled]
backup=c:\windows\pss\Kodak EasyShare software.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk.disabled]
backup=c:\windows\pss\Kodak software updater.lnk.disabledCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"RegistryMechanic"=
"NAV Agent"=c:\progra~1\NORTON~2\NORTON~3\navapw32.exe
"<NO NAME>"=
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe"
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe"
"VTTimer"=VTTimer.exe
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" /s
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe"
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe"
"LXCGCATS"=rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/8/2009 9:35 PM 64160]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [6/26/2009 1:30 PM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [6/26/2009 1:30 PM 27656]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/5/2009 10:01 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/5/2009 10:01 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/5/2009 10:01 PM 298776]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [9/24/2005 11:10 PM 3744]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [9/24/2005 11:10 PM 3904]
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [12/21/2008 7:08 PM 135168]
S2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [11/12/2007 10:07 AM 245248]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [6/26/2009 1:30 PM 4368952]
S2 gupdate1c9d05a106e771e;Google Update Service (gupdate1c9d05a106e771e);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 10:55 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-07-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:11]

2009-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-09 03:55]

2009-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-09 03:55]

2009-07-11 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~2\NORTON~3\NAVW32.exe [2001-08-17 00:15]

2009-07-10 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Common Files\Symantec Shared\NMAIN.EXE [2001-07-28 19:03]

2007-03-19 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-12-22 18:23]

2009-04-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/ IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jxe8cuee.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q= FF - prefs.js: browser.search.selectedEngine - Fast Browser Search FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=4&tid={C2717B08-3BC9-6B16-FC26-88235BDBBAC3}&q= FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla 
Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-10 22:09 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,7a,f5,4b,e8,66, 47,1a,7e,e2,63,26,f1,3f,c8,ff,68,53,23,58,9d,8c,28,a3,ec,e2,63,26,f1,3f,c8,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,cd,c5,f0,3d,83, 0a,74,66,6a,9c,d6,61,af,45,84,18,67,3d,6d,46,b0,01,2f,75,6a,9c,d6,61,af,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,ac,23,c7,64,5f, c3,39,57,ff,7c,85,e0,43,d4,0e,fe,6b,aa,df,0e,f9,5c,56,3c,ff,7c,85,e0,43,d4,\ 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,2e,71,c1,4f,4c, f7,d0,34,86,8c,21,01,be,91,eb,e7,27,f0,64,a4,4d,fd,82,02,86,8c,21,01,be,91,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,c2,0d,4b,c9,37, d7,6e,2e,f5,1d,4d,73,a8,13,5c,05,95,59,70,d1,1a,64,4a,2a,f5,1d,4d,73,a8,13,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,d3,b8,fb,ca,fd, 7a,e2,b6,df,20,58,62,78,6b,cf,c8,b2,3c,e1,a2,9f,01,8a,3e,df,20,58,62,78,6b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,5d,46,15,f1,74, 70,77,5e,fb,a7,78,e6,12,2f,9a,ea,3f,df,ae,15,9b,5e,2c,dd,fb,a7,78,e6,12,2f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,2a,f6,73,f8,ae, 45,7a,45,01,3a,48,fc,e8,04,4a,f1,55,c3,fb,1d,17,fb,e4,c4,01,3a,48,fc,e8,04,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,3e,75,de,9a,93, 1d,e8,ee,f6,0f,4e,58,98,5b,89,c9,5d,85,a9,97,8d,ca,0e,c0,f6,0f,4e,58,98,5b,\ 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,fa,70,62,f2,97, f9,d2,6d,3d,ce,ea,26,2d,45,aa,78,87,58,57,dd,94,e2,c6,c5,3d,ce,ea,26,2d,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,9c,f7,fd,1a,43, b7,65,c6,2a,b7,cc,b5,b9,7f,41,e7,08,18,cd,55,fb,eb,aa,d0,2a,b7,cc,b5,b9,7f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,da,29,e7,36,a5, e6,fc,fb,6c,43,2d,1e,aa,22,2f,9c,7a,6f,8c,1b,fa,b3,ad,cc,6c,43,2d,1e,aa,22,\ . Completion time: 2009-07-11 22:12 ComboFix-quarantined-files.txt 2009-07-11 03:11 ComboFix2.txt 2009-07-10 03:30 Pre-Run: 49,691,840,512 bytes free Post-Run: 49,676,271,616 bytes free 336 --- E O F --- 2009-06-11 06:04 Upload was successful ____________________________________ Here is the ESET Scan log. 
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=1b4a9c4195d5bc42882a9a0034a17dd5
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-07-11 06:16:03
# local_time=2009-07-11 01:16:03 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1026 37 83 100 4068133437500
# compatibility_mode=3586 61 80 60 173878732968750
# scanned=125174
# found=10
# cleaned=0
# scan_time=8626
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-63df74c9.zip  probably a variant of Win32/Agent trojan  00000000000000000000000000000000  I
C:\Documents and Settings\Administrator\Desktop\All Pictures\Install Files\NORTON 2005\NORTON 2005 - SystemWorks + Internet Security + Ghost 9.0 + GoBack + ALL KEYGENS\NORTON KEY-GENERATORS\KeyGens Norton 2004\NSW 2004 Pro - Keygen TMG.exe  probably a variant of Win32/Agent trojan  00000000000000000000000000000000  I
C:\Documents and Settings\Administrator\Desktop\All Pictures\Install Files\NORTON 2005\NORTON 2005 - SystemWorks + Internet Security + Ghost 9.0 + GoBack + ALL KEYGENS\NORTON KEY-GENERATORS\KeyGens Norton 2005\NAV 2005 - Keygen TMG.exe  probably a variant of Win32/Agent trojan  00000000000000000000000000000000  I
C:\Documents and Settings\Administrator\Desktop\Vegas Studio 9.0\SVM Studio 9.0a Build 85\Patch\patch.exe  a variant of Win32/HackTool.Patcher.A application  00000000000000000000000000000000  I
C:\Documents and Settings\Administrator\My Documents\Temporary ****\winrar.winzip.nfo.viewer.zip  a variant of Win32/HackTool.Patcher.A application  00000000000000000000000000000000  I
C:\Documents and Settings\Administrator\My Documents\Temporary ****\winrar.winzip.nfo.viewer\!files\Rarlab.WinRAR.v3.61.Incl.DOSRAR.Cracked-F4CG\crack\Patch.exe  a variant of Win32/HackTool.Patcher.A application  00000000000000000000000000000000  I
C:\System Volume Information\_restore{67F7E72A-22AE-49A3-859D-261F84EDEB2C}\RP1\A0000158.dll  a variant of Win32/Rootkit.Agent.NIZ trojan  00000000000000000000000000000000  I
I:\alright kinnie starr [256k quality].mp3  a variant of WMA/TrojanDownloader.GetCodec.gen trojan  00000000000000000000000000000000  I
Z:\Install Files\SoundForgeInstall\Soundforge key.zip  probably a variant of Win32/Agent trojan  00000000000000000000000000000000  I
Z:\Install Files\SoundForgeInstall\KEYGEN\SONYkeygen.exe  probably a variant of Win32/Agent trojan  00000000000000000000000000000000  I
____________________________________

I noticed an immediate difference after the first run of Combofix. I actually thought it was fixed, until I saw the results from these scans. I have had this computer in my office since my son brought the problem to me. The first run of Combofix appeared to have solved everything. If not for the advice of everyone here at this site, I would have stopped there. THANK YOU!!!!!

I look forward to my next instructions!!!!!

BTW....would you happen to have a TeenagerFix.exe program that I can run on my son?? LMAO
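An added example, not part of the original thread and not a feature of DDS or ComboFix: a short Python script that reads ComboFix/DDS-style output and flags the settings in the log above that a responder would want to look at first. It reports the Windows Firewall standard profile being switched off, a globally open port that carries no address scope, Security Center update alerts being suppressed, the wave/mixer aliases under drivers32 pointing at a non-default module, and Firefox search preferences that send queries to a host other than the expected one. The sample lines are copied from the posted log; the default driver name (wdmaud.drv), the expected search hosts and the rule names are this example's own assumptions.

```python
"""Triage helper for DDS / ComboFix-style text logs.

Added example; it is not part of the original thread and not a DDS or
ComboFix feature. SAMPLE_LOG is copied from the log posted above; the
default-value and allowlist constants are this example's own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Lines copied from the posted ComboFix/DDS output (the benign homepage line
# is included as a negative case).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=APTRRNTm.dll
"wave"=APTRRNTm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=4&tid={C2717B08-3BC9-6B16-FC26-88235BDBBAC3}&q=
"""

# Assumptions for this example: XP's stock audio aliases point at wdmaud.drv,
# and the only search hosts the owner expects are Google's.
DEFAULT_AUDIO_DRIVER = "wdmaud.drv"
AUDIO_ALIASES = {"wave", "midi", "mixer", "aux"}
EXPECTED_SEARCH_HOSTS = {"www.google.com", "google.com"}
HIJACKABLE_PREFS = {"browser.search.defaulturl", "keyword.URL"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<url>\S+)")
SUBNET_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,3}(?:\.\d{1,3}){3}")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


def _host(defanged_url: str) -> str:
    """DDS writes hxxp:// so URLs are not clickable; restore it for parsing."""
    return urlparse(defanged_url.replace("hxxp", "http", 1)).netloc.lower()


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current registry key, and emit findings."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            section = m.group("key").lower()
            continue
        if (m := FF_PREF_RE.match(line)):
            pref = m.group("pref")
            if pref in HIJACKABLE_PREFS:
                host = _host(m.group("url"))
                if host not in EXPECTED_SEARCH_HOSTS:
                    findings.append(Finding("ff_search_redirect", f"{pref} -> {host}", line))
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        name, data = m.group("name"), m.group("data").strip()
        if section.endswith("\\drivers32") and name.lower() in AUDIO_ALIASES:
            # A non-default module behind wave/mixer is a lead to verify, not a verdict.
            if data.lower() != DEFAULT_AUDIO_DRIVER:
                findings.append(Finding("drivers32_nondefault", f"{name}={data}", line))
        elif section.endswith("\\standardprofile") and name == "EnableFirewall":
            if data.startswith("0"):
                findings.append(Finding("firewall_disabled", "standard profile firewall off", line))
        elif section.endswith("\\globallyopenports\\list"):
            # Entries without an address/mask scope are reachable from any source.
            if not SUBNET_RE.search(data):
                findings.append(Finding("open_port_unscoped", name, line))
        elif section.endswith("\\security center") and name == "UpdatesDisableNotify":
            if data.endswith("1"):
                findings.append(Finding("updates_notify_disabled", "Security Center update alerts suppressed", line))
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    """Summary by rule name, for a quick read before opening the full log."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

Run it as a script to print the findings for the embedded sample, or import it and pass the text of a saved log to triage(). The drivers32 and open-port rules are leads rather than verdicts: a third-party audio driver or a deliberately exposed service will trip them as well, so confirm each one against the host before removing anything.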
#6
Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint
Re: BackDoor.Generic11.ZNE infection. PLEASE help!?
hi.
Cracked (illegal) software.

Cracks/keygens are rampant nowadays.

I think you can come up with something.

------------------------------------------------------------------------
Some of your installed programs might be cracked programs, in reference to the ESET result. I suggest you uninstall them if you are not sure where they came from. They might cause more problems later.

Please uninstall the following, using Windows Add/Remove Programs in the Control Panel:

Winrar
Vegas Movie Studio Platinum 9.0
Sony Sound Forge 8.0d
-------------------------------------------------------------------------
Let's remove all Norton remnants from your system. Download the tool and save it to your desktop. Double-click it to run, and follow the prompts.

ftp://ftp.symantec.com/public/englis...moval_Tool.exe
-------------------------------------------------------------------------
Open Notepad and copy/paste the contents of the code box below into Notepad.

Code:
@echo off
REM Start with a fresh log; it is only written if something survives deletion.
if exist "%temp%\log.txt" del "%temp%\log.txt"

REM Files flagged by ESET. Each one is deleted; anything still present is logged.
for %%g in (
"C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-63df74c9.zip"
"C:\Documents and Settings\Administrator\Desktop\All Pictures\Install Files\NORTON 2005\NORTON 2005 - SystemWorks + Internet Security + Ghost 9.0 + GoBack + ALL KEYGENS\NORTON KEY-GENERATORS\KeyGens Norton 2004\NSW 2004 Pro - Keygen TMG.exe"
"C:\Documents and Settings\Administrator\Desktop\All Pictures\Install Files\NORTON 2005\NORTON 2005 - SystemWorks + Internet Security + Ghost 9.0 + GoBack + ALL KEYGENS\NORTON KEY-GENERATORS\KeyGens Norton 2005\NAV 2005 - Keygen TMG.exe"
"C:\Documents and Settings\Administrator\Desktop\Vegas Studio 9.0\SVM Studio 9.0a Build 85\Patch\patch.exe"
"I:\alright kinnie starr [256k quality].mp3"
"Z:\Install Files\SoundForgeInstall\Soundforge key.zip"
"Z:\Install Files\SoundForgeInstall\KEYGEN\SONYkeygen.exe"
) do (
    del /a /f /q %%g
    if exist %%g echo.%%g >>"%temp%\log.txt"
)>nul 2>&1

REM Leftover program folders. Clear system/hidden/read-only on the folder and
REM its contents first; otherwise rd can refuse to remove them.
for %%g in (
"c:\program files\Norton AntiVirus"
"c:\documents and settings\Administrator\Application Data\DNA"
"c:\program files\DNA"
"c:\documents and settings\Administrator\Application Data\BitTorrent"
"c:\program files\BitTorrent"
"c:\documents and settings\Administrator\Application Data\Symantec"
"c:\documents and settings\All Users\Application Data\Symantec"
"c:\program files\Common Files\Symantec Shared"
"c:\program files\Norton SystemWorks"
) do (
    attrib -s -h -r %%g
    attrib -s -h -r "%%~g\*" /s /d
    rd /s /q %%g
    if exist %%g echo.%%g >>"%temp%\log.txt"
)>nul 2>&1

REM A log means something could not be removed; no log means everything went.
if exist "%temp%\log.txt" (start notepad "%temp%\log.txt") else echo.Deleted Successfully!
echo.
pause
del %0

It should look like this:

Double-click deleteme.bat to run it. Tell me what it says in your next reply.
------------------------------------------------------------------------
Disable any script blocker, then double-click dds.scr to run the tool.
-------------------------------------------------------------------------
In your reply, please post:
DDS.txt
Attach.txt <-- attached

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe. If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P |
#7
Registered User
Join Date: Jul 2009
Posts: 4
OS: XP SP2
Re: BackDoor.Generic11.ZNE infection. PLEASE help!?
Sorry for the delay. It was a Longgggg weekend here!
First of all.....I ran DeleteMe.bat twice. Because.....when I run it, it pops up a window that says, "Deleted Successfully! Press any key to continue....." Then, when I press a key, the command prompt window closes, and the DeleteMe.bat file disappears. I wasn't sure if it was supposed to produce a log file or not.....that's why I ran it twice.

I ran the Norton removal tool. It appears to have worked.

My son uses the other two programs (Vegas Movie Studio & Sony Sound Forge) for one of his college courses. Soooo....until I can get him a pair of comparable programs, I'll just settle for deleting the key generators. I'm in contact with a couple of people at his school, trying to work on that now.

BTW....I also questioned one of his professors about whether or not she was aware that some of her students feel like they need to use pirated software to complete her course. She seemed like this was a very interesting matter that she was totally unaware of. She thanked me several times for bringing it to her attention. And she said she was going to consult with other people in the administration (in the IT department) to explore the possibility of purchasing a school license for those two programs, or maybe even equivalent programs. I told her I thought that was a good idea....but one that I was a little disappointed hadn't been considered sooner.

Anywayyyyy......
I am attaching the Attach.zip file And here is the DDS.txt log: ____________________________ DDS (Ver_09-06-26.01) - NTFSx86 Run by Administrator at 7:18:27.35 on Mon 07/13/2009 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1157 [GMT -5:00] AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\PROGRA~1\CACHEM~1\CachemanXP.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Lexmark 2300 Series\lxcgmon.exe C:\Program Files\Lexmark 2300 Series\ezprint.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Microsoft ActiveSync\Wcescomm.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\lxcgcoms.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Palm\Hotsync.exe C:\PROGRA~1\MICROS~3\rapimgr.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Administrator\My Documents\Temporary ****\dds(3).scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.myspace.com/ BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: RealPlayer 
Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.23.0\gears.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File EB: {0483894e-2422-45e0-8384-021aff1af3cd} - iOpus Internet Macros EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe" uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRunOnce: [<NO NAME>] c:\program files\internet explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/ser...00025.000000d2 mRun: [AGRSMMSG] AGRSMMSG.exe mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe" mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe" mRun: [LXCGCATS] rundll32 
c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16 mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe uPolicies-explorer: NoViewOnDrive = 0 (0x0) uPolicies-explorer: NoStartMenuSubFolders = 0 (0x0) uPolicies-explorer: NoCommonGroups = 0 (0x0) uPolicies-explorer: NoPrinters = 0 (0x0) uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0) uPolicies-explorer: NoChangeAnimation = 0 (0x0) uPolicies-explorer: NoSMBalloonTip = 0 (0x0) uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1) IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD} IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - 
{0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.23.0\gears.dll IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\jxe8cuee.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q= FF - prefs.js: browser.search.selectedEngine - Fast Browser Search FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox FF - prefs.js: keyword.URL - 
hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=4&tid={C2717B08-3BC9-6B16-FC26-88235BDBBAC3}&q= FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll FF - component: c:\program files\google\google gears\firefox\components\gears.dll FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-8 64160] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-5 335752] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-5 27784] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-5 108552] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-5 298776] R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2005-9-24 3744] R2 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2007-11-12 245248] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456] R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2005-9-24 3904] S2 gupdate1c9d05a106e771e;Google Update Service (gupdate1c9d05a106e771e);c:\program files\google\update\GoogleUpdate.exe [2009-5-8 133104] =============== Created Last 30 ================ 2009-07-12 00:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller 2009-07-10 22:47 <DIR> --d----- c:\program 
files\ESET 2009-07-09 22:27 <DIR> -cd----- c:\windows\system32\dllcache\cache 2009-07-09 21:52 <DIR> a-dshr-- C:\cmdcons 2009-07-09 21:47 161,792 a------- c:\windows\SWREG.exe 2009-07-09 21:47 155,136 a------- c:\windows\PEV.exe 2009-07-09 21:47 98,816 a------- c:\windows\sed.exe 2009-07-08 16:43 <DIR> --d----- c:\program files\Spybot - Search & Destroy 2009-07-05 22:22 <DIR> --d-h--- C:\$AVG8.VAULT$ 2009-07-05 22:01 11,952 a------- c:\windows\system32\avgrsstx.dll 2009-07-05 22:01 108,552 a------- c:\windows\system32\drivers\avgtdix.sys 2009-07-05 22:01 335,752 a------- c:\windows\system32\drivers\avgldx86.sys 2009-07-05 22:01 <DIR> --d----- c:\windows\system32\drivers\Avg 2009-07-05 22:01 <DIR> --d----- c:\program files\AVG 2009-07-05 22:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8 2009-06-30 16:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\16995154 2009-06-28 08:08 <DIR> --d----- c:\program files\Yahoo! 2009-06-26 17:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com 2009-06-26 17:16 <DIR> --d----- c:\program files\SUPERAntiSpyware 2009-06-26 17:16 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com 2009-06-26 14:24 <DIR> --d----- c:\program files\common files\iS3 2009-06-26 14:24 <DIR> --d----- c:\program files\STOPzilla! 2009-06-26 14:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZILLAbar 2009-06-26 14:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla! 
2009-06-26 14:04 <DIR> --d----- c:\program files\DAMN NFO Viewer 2009-06-21 00:34 15,688 a------- c:\windows\system32\lsdelete.exe 2009-06-19 17:03 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} 2009-06-19 12:58 <DIR> --d----- c:\docume~1\admini~1\applic~1\cft 2009-06-19 12:48 <DIR> --d----- c:\docume~1\admini~1\applic~1\pridl 2009-06-19 12:05 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL 2009-06-19 12:02 <DIR> --d----- c:\windows\Replay Media Catcher 2009-06-19 11:52 <DIR> --d----- c:\program files\IObit 2009-06-19 11:52 <DIR> --d----- c:\docume~1\admini~1\applic~1\IObit ==================== Find3M ==================== 2009-06-19 17:08 64,160 a------- c:\windows\system32\drivers\Lbd.sys 2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll 2009-05-05 10:41 262,144 a------- c:\windows\system32\wrap_oal.dll 2009-05-05 10:41 86,016 a------- c:\windows\system32\OpenAL32.dll 2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll 2009-04-28 23:55 78,336 a------- c:\windows\system32\ieencode.dll 2009-04-17 04:58 1,846,656 a------- c:\windows\system32\win32k.sys 2009-04-15 10:11 584,192 a------- c:\windows\system32\rpcrt4.dll 2008-08-18 10:43 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys 2008-08-18 10:43 88 ---shr-- c:\docume~1\alluse~1\applic~1\7BCEEA7522.sys 2007-01-21 12:48 49,024 ac------ c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT 2006-09-03 12:18 22,768 ac------ c:\documents and settings\administrator\usbsermpt.sys 2006-09-03 12:18 25,600 a------- c:\documents and settings\administrator\usbsermptxp.sys 2007-03-09 02:12 27,648 ac-sh--- c:\windows\system32\AVSredirect.dll 2008-03-01 14:07 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys ============= FINISH: 7:20:34.06 =============== |
#8
Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint
Re: BackDoor.Generic11.ZNE infection. PLEASE help!?
hi.
And tried to change things. I already cleaned a couple of users who were infected because of keygens. Well, you know what the result is if they use those things. Just spread the word; at least we contributed something to change the world =)

Before anything else, let's uninstall the messenger of keygens... Please uninstall the following, using Windows Add/Remove Programs in the Control Panel:

BitTorrent

This program is used to download keygens and cracks.

Congratulations! You now appear clean!

We Need to Clean Up Our Mess

Recommendations
Below are some recommendations to lower your chances of (re)infection.

Please respond to this thread one more time so we can mark this thread as resolved.

Maraming salamat (thank you very much).

Mark
#9
Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint
Re: BackDoor.Generic11.ZNE infection. PLEASE help!?
hi.
It is a pleasure to help you. Surf safely.

Since the problem appears to be resolved, it will now be archived.

Mark