Solved

hijackthis

Posted on 2009-02-20
Last Modified: 2013-12-06
Hi experts,
Can you help me analyze this logfile? Do I have any threat?
Thanks.
Question by:alan2153
11 Comments
 

Author Comment

by:alan2153
ID: 23694647
This is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:31 AM, on 2/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Spiceworks\bin\spicetray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spiceworks\bin\spiceworks.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070122
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070122
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Spiceworks] C:\Program Files\Spiceworks\bin\spicetray_silent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/ClientCheck/CM_AdvancedCAB.CAB
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/printtemplateviewer.cab
O16 - DPF: ReyScanCab - https://www.gs.reyrey.com/clientdll/ReyScan.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1DCB41E4-22EA-44A6-BEC0-D54969EFBED9} (Image Uploader Control) - https://dealers.autotrader.com/dc/media/inc/ImageUploader5.cab
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233168849444
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233168753110
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://apps.vinmanager.com/CarDashboard/arview2.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Bt.Local
O17 - HKLM\Software\..\Telephony: DomainName = Bt.Local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = beavertoyota.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{14708A78-3574-408A-BB83-CA21AD003CBE}: NameServer = 10.3.55.100,207.108.240.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Bt.Local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = beavertoyota.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{14708A78-3574-408A-BB83-CA21AD003CBE}: NameServer = 10.3.55.100,207.108.240.1
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = Bt.Local
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = Bt.Local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: __c005C7F4 - C:\WINDOWS\system32\__c005C7F4.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
 
--
End of file - 10594 bytes

 
LVL 6

Expert Comment

by:guydemarco
ID: 23694655
Paste your log file into:

http://www.hijackthis.de/

and have it analyzed for free, with some good information from users and the admins.
 
LVL 6

Expert Comment

by:guydemarco
ID: 23694683
I ran it through, no particular nasty items. Some items to look at are the ActiveX and a couple of programs (like FlipShare).
 

Author Comment

by:alan2153
ID: 23695882
Every time I open a new internet page like msn.com it also opens random pages, so do I have any threat like a virus or spyware?
 
LVL 3

Expert Comment

by:Logos077
ID: 23695976
I would have to agree with "guydemarco", nothing jumps out. Maybe "Viewpoint".
I have run into problems where HijackThis did not catch the problem. When I run into this, I have run another antivirus or spyware remover other than the ones I have installed.
 
LVL 6

Expert Comment

by:guydemarco
ID: 23696787
I would suggest running two free malware programs -- 'malwarebytes' and 'spybot search and destroy'.

Both are available at www.download.com, run by CNet.
 
LVL 2

Accepted Solution

by: Dooflegna (earned 2000 total points)
ID: 23697646
O20 - Winlogon Notify: __c005C7F4 - C:\WINDOWS\system32\__c005C7F4.dat

I really don't like this entry. It's possible that it's related to your Symantec Endpoint, but generally things in Winlogon Notify should be obviously named. It's a very powerful section.

Having msn.com redirect you is evidence of some level of infection.
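To show the kind of check the accepted answer applies by eye, here is an added Python example (not part of the original thread, nor HijackThis code) that parses the O20 and O23 lines of a HijackThis log and flags Winlogon Notify packages with a random-looking name or a non-DLL payload, plus services whose vendor is "Unknown owner". The sample lines are constructed in the shape of the log above, and the "random-looking name" regex is this example's own heuristic.

```python
"""Triage Winlogon Notify (O20) and service (O23) entries from a HijackThis 2.x log.

Winlogon Notify packages are DLLs loaded into winlogon.exe at logon, so a
malicious one runs early and with SYSTEM privilege.  Vendor entries normally
have a recognisable name and a .dll path; anything else deserves a closer look
before the rest of the log.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: five lines in the shape of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: __c005C7F4 - C:\WINDOWS\system32\__c005C7F4.dat
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

# Every HijackThis finding is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Heuristic (this example's assumption): an optional underscore/letter prefix followed by
# six or more hex digits looks generated rather than vendor-named (e.g. __c005C7F4).
RANDOM_NAME_RE = re.compile(r"^_*[A-Za-z]?[0-9A-Fa-f]{6,}$")


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Yield (section, body) for each R*/O* line; process lists and headers are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage_winlogon_notify(log_text):
    """Return a Finding for every O20 entry that deserves a closer look."""
    findings = []
    for section, body in parse_entries(log_text):
        if section != "O20":
            continue
        m = NOTIFY_RE.match(body)
        if not m:
            continue
        name, path = m.group("name"), m.group("path").strip()
        finding = Finding(section, name, path)
        # A Notify package must be a DLL; a .dat (or anything else) registered here
        # is not how a vendor ships one.
        if not path.lower().endswith(".dll"):
            finding.reasons.append("non-DLL payload registered as Winlogon Notify package")
        if RANDOM_NAME_RE.match(name):
            finding.reasons.append("random-looking package name")
        if finding.reasons:
            findings.append(finding)
    return findings


def unknown_owner_services(log_text):
    """Return display names of O23 services whose vendor field is 'Unknown owner'."""
    names = []
    for section, body in parse_entries(log_text):
        if section != "O23":
            continue
        m = SERVICE_RE.match(body)
        if m and m.group("owner").strip().lower() == "unknown owner":
            names.append(m.group("display"))
    return names


if __name__ == "__main__":
    for f in triage_winlogon_notify(SAMPLE_LOG):
        print(f"{f.section} {f.name} -> {f.path}: {'; '.join(f.reasons)}")
    for svc in unknown_owner_services(SAMPLE_LOG):
        print(f"O23 review vendor of service: {svc}")
```

An entry flagged here is only a lead; the thread confirms it the right way, by a second scanner's verdict (Malwarebytes named the same Winlogon Notify key Trojan.Vundo) rather than by the name alone.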
 

Author Comment

by:alan2153
ID: 23698589
"Dooflegna" you were right, that was a trojan. I updated AVG antivirus and did a full scan again, and it detected winlogon as virus/spyware and the c005cff4.dat. For some reason Symantec won't detect the virus but AVG did and got rid of it, but it was late. This is my work computer so I'll reply tomorrow when I go to work again and see if it is still infected. Thanks.
 

Author Comment

by:alan2153
ID: 23714252
OK, I'm back. I have run ComboFix and Malwarebytes' Anti-Malware and here are the log files.
Malwarebytes' Anti-Malware 1.34
Database version: 1787
Windows 5.1.2600 Service Pack 2
 
2/23/2009 9:19:35 AM
mbam-log-2009-02-23 (09-19-35).txt
 
Scan type: Full Scan (C:\|)
Objects scanned: 247812
Time elapsed: 40 minute(s), 3 second(s)
 
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1
 
Memory Processes Infected:
(No malicious items detected)
 
Memory Modules Infected:
(No malicious items detected)
 
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c005c7f4 (Trojan.Vundo) -> Quarantined and deleted successfully.
 
Registry Values Infected:
(No malicious items detected)
 
Registry Data Items Infected:
(No malicious items detected)
 
Folders Infected:
C:\Documents and Settings\brandong.BEAVERTOYOTA\Application Data\NetPumper (Adware.NetPumper) -> Quarantined and deleted successfully.
 
Files Infected:
C:\Documents and Settings\brandong.BEAVERTOYOTA\Application Data\NetPumper\brandong.ini (Adware.NetPumper) -> Quarantined and deleted successfully.

 

Author Comment

by:alan2153
ID: 23714261

ComboFix 09-02-21.01 - manuelm 2009-02-23 11:25:52.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1534.827 [GMT -7:00]
Running from: c:\documents and settings\manuelm\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
 * Created a new restore point
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\documents and settings\Administrator\Application Data\.#
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\manuelm\Application Data\.#
c:\documents and settings\manuelm\Application Data\.#\MBX@C68@C439C0.###
c:\documents and settings\manuelm\Application Data\.#\MBX@C68@C439D0.###
c:\windows\jestertb.dll
c:\windows\system32\prsgrc.dll
C:\xcrashdump.dat
 
----- BITS: Possible infected sites -----
 
hxxp://btserver-dc1
.
(((((((((((((((((((((((((   Files Created from 2009-01-23 to 2009-02-23  )))))))))))))))))))))))))))))))
.
 
2009-02-23 11:12 . 2009-02-23 11:12	<DIR>	d--------	C:\sUBs
2009-02-21 13:55 . 2009-02-21 13:55	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-02-21 13:55 . 2009-02-21 13:55	<DIR>	d--------	c:\documents and settings\manuelm\Application Data\Malwarebytes
2009-02-21 13:55 . 2009-02-21 13:55	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-21 13:55 . 2009-02-11 10:19	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 13:55 . 2009-02-11 10:19	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-02-20 17:51 . 2009-02-23 08:22	<DIR>	d--------	c:\program files\LogMeIn
2009-02-20 17:51 . 2008-10-16 20:35	87,352	--a------	c:\windows\system32\LMIinit.dll
2009-02-20 17:51 . 2008-10-16 20:35	83,288	--a------	c:\windows\system32\LMIRfsClientNP.dll
2009-02-20 17:51 . 2008-07-24 18:46	47,640	--a------	c:\windows\system32\drivers\LMIRfsDriver.sys
2009-02-20 17:51 . 2008-10-16 20:35	28,984	--a------	c:\windows\system32\LMIport.dll
2009-02-20 17:51 . 2009-02-20 17:51	1,024	--a------	C:\.rnd
2009-02-20 16:22 . 2009-02-23 08:30	<DIR>	d--------	c:\program files\Recovery for Word
2009-02-20 09:22 . 2009-02-21 16:26	<DIR>	d--h-----	C:\$AVG8.VAULT$
2009-02-20 08:39 . 2009-02-23 04:48	<DIR>	d--------	c:\windows\system32\drivers\Avg
2009-02-20 08:39 . 2009-02-20 08:39	<DIR>	d--------	c:\program files\AVG
2009-02-20 08:39 . 2009-02-23 11:10	<DIR>	d--------	c:\documents and settings\All Users\Application Data\avg8
2009-02-20 08:39 . 2009-02-20 11:00	325,128	--a------	c:\windows\system32\drivers\avgldx86.sys
2009-02-20 08:39 . 2009-02-20 11:00	107,272	--a------	c:\windows\system32\drivers\avgtdix.sys
2009-02-20 08:39 . 2009-02-20 11:00	12,552	--a------	c:\windows\system32\drivers\avgrkx86.sys
2009-02-20 08:39 . 2009-02-20 11:00	10,520	--a------	c:\windows\system32\avgrsstx.dll
2009-02-20 08:30 . 2009-02-23 08:27	<DIR>	d--------	c:\program files\EA GAMES
2009-02-04 08:13 . 2009-02-04 08:13	<DIR>	d--------	c:\documents and settings\manuelm\Application Data\CyberLink
2009-02-02 10:16 . 2009-02-02 10:16	<DIR>	d--------	c:\program files\Pure Digital Technologies
2009-02-02 10:16 . 2009-02-02 10:16	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Pure Digital Technologies
2009-01-29 13:52 . 2007-06-13 14:29	520,192	---------	c:\windows\system32\ati2sgag.exe
2009-01-29 13:51 . 2007-06-13 15:10	8,097,792	--a------	c:\windows\system32\atioglx2.dll
2009-01-29 13:51 . 2007-06-13 14:57	3,107,788	--a------	c:\windows\system32\ativvaxx.dat
2009-01-29 13:51 . 2007-06-13 14:57	3,107,788	--a------	c:\windows\system32\ativva5x.dat
2009-01-29 13:51 . 2007-06-13 14:57	972,072	--a------	c:\windows\system32\ativva6x.dat
2009-01-29 13:51 . 2007-06-13 15:25	339,968	--a------	c:\windows\system32\ATIDEMGX.dll
2009-01-29 13:51 . 2007-06-13 14:41	50,176	--a------	c:\windows\system32\atiok3x2.dll
2009-01-29 13:51 . 2007-05-03 13:52	11,557	--a------	c:\windows\atiogl.xml
2009-01-29 13:51 . 2007-04-18 08:19	2,096	--a------	c:\windows\system32\drivers\ativdkxx.vp
2009-01-29 08:22 . 2009-02-20 08:34	<DIR>	d--------	c:\documents and settings\manuelm\Application Data\Uniblue
2009-01-29 08:22 . 2009-02-20 08:34	<DIR>	d--------	c:\documents and settings\All Users\Application Data\DriverScanner
2009-01-28 11:53 . 2008-10-16 14:07	23,576	--a------	c:\windows\system32\wuapi.dll.mui
2009-01-28 09:27 . 2009-01-28 09:27	<DIR>	d--------	c:\windows\system32\Dell
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 15:32	---------	d-----w	c:\program files\Viewpoint
2009-02-23 15:32	---------	d-----w	c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-23 15:29	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-02-23 15:29	---------	d-----w	c:\program files\CyberLink
2009-02-20 23:40	---------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-20 23:37	---------	d-----w	c:\program files\MSECache
2009-02-20 17:00	---------	d-----w	c:\program files\Nero 7 Ultra Edition Enhanced XP & Vista + Keygen [ScottayB]
2009-02-20 15:33	---------	d-----w	c:\program files\Network Probe 2
2009-02-19 23:47	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 20:42	---------	d-----w	c:\documents and settings\manuelm\Application Data\Apple Computer
2009-02-06 18:39	---------	d-----w	c:\documents and settings\manuelm\Application Data\dvdcss
2009-02-03 18:00	---------	d-----w	c:\program files\Common Files\Totem Shared
2009-01-29 20:52	---------	d-----w	c:\program files\ATI Technologies
2009-01-28 16:27	---------	d-----w	c:\program files\DELL
2009-01-24 00:43	---------	d-----w	c:\documents and settings\All Users\Application Data\SecTaskMan
2009-01-21 23:47	---------	d-----w	c:\program files\Common Files\Viewpoint
2009-01-17 00:37	---------	d-----w	c:\program files\Spiceworks
2009-01-15 16:49	---------	d-----w	c:\program files\CCleaner
2009-01-14 18:28	---------	d-----w	c:\documents and settings\manuelm\Application Data\TeamViewer
2009-01-14 15:27	---------	d-----w	c:\program files\TeamViewer
2009-01-02 17:52	---------	d-----w	c:\documents and settings\manuelm\Application Data\vlc
2009-01-02 17:51	---------	d-----w	c:\program files\VideoLAN
2008-12-29 22:42	---------	d-----w	c:\documents and settings\manuelm\Application Data\uTorrent
2008-12-29 22:03	---------	d-----w	c:\program files\Vertus Fluid Mask 3
2008-12-29 22:01	---------	d-----w	c:\documents and settings\All Users\Application Data\VertusTech
2008-11-19 16:03	61,224	----a-w	c:\documents and settings\manuelm\GoToAssistDownloadHelper.exe
2007-03-20 18:08	24,064	-c--a-w	c:\program files\Diskeeper Account Infor.doc
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"Uniblue RegistryBooster 2"="c:\photoshopcs2\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-08-16 1877272]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Spiceworks"="c:\program files\Spiceworks\bin\spicetray_silent.exe" [2009-01-16 66840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-20 1601304]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
 
c:\documents and settings\Brandong\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-20 11:00 10520 c:\windows\system32\avgrsstx.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^manuelm^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a--c--- 2006-01-02 16:41 45056 c:\program files\ATI Technologies\ATI.ACE\CLI.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-05-30 08:08 115560 c:\program files\Common Files\Symantec Shared\ccApp.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a------ 2008-12-19 11:28 1434864 c:\program files\CCleaner\CCleaner.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-26 23:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 c:\program files\Messenger\msmsgs.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 17:05 200704 c:\poweriso\PWRISOVM.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 2004-08-04 04:00 143360 c:\windows\system32\mobsync.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2007-08-16 09:02 1877272 c:\photoshopcs2\Uniblue\RegistryBooster 2\RegistryBooster.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
--a------ 2007-08-16 09:03 1269000 c:\photoshopcs2\Uniblue\SpyEraser\SpyEraser.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2007-05-07 18:28 589824 c:\program files\TightVNC\WinVNC.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Reynolds\\ERALink32\\wIntegSM.exe"=
"c:\\Program Files\\Spiceworks\\bin\\spiceworks.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
 
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-02-20 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-20 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-20 107272]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-03-17 65536]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-20 298264]
R2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-02-20 47640]
R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [2008-03-06 5365]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-30 99376]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-05-30 23888]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\wdsync.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d52bf4d-f14a-11dd-aec6-0019b913384f}]
\Shell\AutoRun\command - F:\Setup_FlipShare.exe
\Shell\Setup FlipShare\command - F:\Setup_FlipShare.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd188cee-fd0d-11dd-aecc-0019b913384f}]
\Shell\AutoRun\command - E:\wdsync.exe
.
Contents of the 'Scheduled Tasks' folder
 
2009-02-03 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\photoshopcs2\Uniblue\SpyEraser\SpyEraser.exe [2007-08-16 09:03]
.
- - - - ORPHANS REMOVED - - - -
 
SafeBoot-Symantec Antvirus
MSConfigStartUp-P3000x_S2P - c:\program files\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
 
 
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: CM_AdvancedCAB - hxxps://www.gs.reyrey.com/common/ClientCheck/CM_AdvancedCAB.CAB
DPF: PrintTemplateViewerCab - hxxps://www.gs.reyrey.com/clientdll/printtemplateviewer.cab
DPF: ReyScanCab - hxxps://www.gs.reyrey.com/clientdll/ReyScan.cab
DPF: {1DCB41E4-22EA-44A6-BEC0-D54969EFBED9} - hxxps://dealers.autotrader.com/dc/media/inc/ImageUploader5.cab
.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 11:28:26
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
 
- - - - - - - > 'lsass.exe'(808)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-02-23 11:29:41
ComboFix-quarantined-files.txt  2009-02-23 18:29:39
 
Pre-Run: 26,345,644,032 bytes free
Post-Run: 27,385,786,368 bytes free
 
Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
237	--- E O F ---	2008-10-27 14:43:50

 
LVL 2

Expert Comment

by:Dooflegna
ID: 23752680
Your logs look clean to me.
- Are you having any other issues with your computer?
- Can you boot to normal mode?
- Connect to internet?
- Run Kaspersky Online Scanner.  See if it picks up anything.  It won't -remove- anything, but it'll detect any remnants and their locations and from there we can remove them.  http://www.kaspersky.com/virusscanner
