win32 spy.ursnif.a help removal
I use ESET antivirus, and for 2 days now I've been getting a pop-up message saying I have a trojan named Ursnif and it can't delete it (winlogon.exe) because it's in use. I've tried many programs. Please help.
Comments
Let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:
Go here: A guide and tutorial on using ComboFix
Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed, you will need to use the download meant for SP2.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should get a prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include C:\ComboFix.txt for further review (copy and paste it), so that we may continue cleansing the system.
Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.464 [GMT -4:00]
Running from: c:\documents and settings\exclusive\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\exclusive\Application Data\IUpd721
c:\documents and settings\exclusive\Application Data\IUpd721\Logs\scns.log
c:\temp\FT62
c:\temp\FT62\teTU.log
c:\windows\patch.exe
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cookie1.dat
c:\windows\system32\dim
c:\windows\system32\drivers\fad.sys
c:\windows\system32\gp2
c:\windows\system32\ID2
c:\windows\system32\tb.dr
c:\windows\system32\tmp.reg
I:\resycled
c:\windows\SYSTEM32\winlogon.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_FAD
\Legacy_OREANS32
\Legacy_TDSSSERV.SYS
\Legacy_WINDOWS_AUDIO_(AUDIOSRV)_
\Service_oreans32
\Service_Windows Audio (AudioSrv)
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.
2009-06-26 05:57 . 2009-06-26 05:57 d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-06-26 02:29 . 2009-06-26 02:29 d-----w- c:\program files\AVG
2009-06-26 01:31 . 2009-04-01 04:47 2929528 ----a-w- c:\documents and settings\exclusive\Application Data\Simply Super Software\Trojan Remover\ktg2F.exe
2009-06-25 01:46 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-06-25 01:46 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-06-25 01:46 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-06-25 01:46 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-06-25 01:46 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-06-25 01:45 . 2009-06-25 01:49 d-----w- c:\program files\Trojan Remover
2009-06-25 00:57 . 2009-06-25 00:57 2 --shatr- c:\windows\winstart.bat
2009-06-25 00:56 . 2009-06-25 01:03 d-----w- c:\program files\UnHackMe
2009-06-25 00:42 . 2009-06-25 00:42 d-----w- c:\program files\Trend Micro
2009-06-25 00:09 . 2009-06-25 00:09 d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-24 23:27 . 2009-06-24 23:27 d-----w- c:\windows\system32\wbem\Repository
2009-06-24 23:26 . 2009-06-24 23:26 d-----w- c:\program files\CCleaner
2009-06-24 22:58 . 2009-06-24 23:26 d-----w- c:\program files\Trojan Remover(2)
2009-06-24 22:43 . 2009-06-24 22:43 d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-06-18 12:30 . 2009-06-18 12:30 d-----w- c:\program files\abgx360
2009-06-11 22:47 . 2009-06-11 22:47 29696 ----a-r- c:\documents and settings\exclusive\Application Data\Microsoft\Installer\{312255E7-E2C2-4F3E-BBCB-02C5B8696CCB}\IconF0CEFCC9.exe
2009-06-11 16:55 . 2009-06-11 16:55 152576 ----a-w- c:\documents and settings\exclusive\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-09 23:27 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 23:27 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-05-29 17:56 . 2009-05-29 17:56 d-sh--w- c:\documents and settings\exclusive\IECompatCache
2009-05-29 17:54 . 2009-05-29 17:54 d-sh--w- c:\documents and settings\exclusive\PrivacIE
2009-05-29 17:48 . 2009-05-29 17:48 d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-05-29 17:45 . 2009-05-29 17:45 d-sh--w- c:\documents and settings\exclusive\IETldCache
2009-05-29 07:27 . 2009-06-10 07:06 d-----w- c:\windows\ie8updates
2009-05-29 07:21 . 2009-05-29 07:25 dc-h--w- c:\windows\ie8
2009-05-29 07:18 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 19:03 . 2004-11-08 19:03 d-----w- c:\documents and settings\exclusive\Application Data\Azureus
2009-06-25 05:46 . 2008-12-23 01:10 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-25 05:46 . 2009-04-06 05:45 3561743 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-24 23:26 . 2008-11-25 04:41 d-----w- c:\documents and settings\exclusive\Application Data\Simply Super Software
2009-06-24 23:19 . 2007-01-05 20:52 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-17 15:27 . 2008-12-23 01:10 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2008-12-23 01:10 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 18:57 . 2009-05-18 01:25 d-----w- c:\documents and settings\exclusive\Application Data\uTorrent
2009-06-11 22:46 . 2009-04-30 17:41 d-----w- c:\program files\Verizon
2009-06-11 17:08 . 2004-02-11 01:57 d-----w- c:\program files\Java
2009-06-08 00:27 . 2009-05-15 00:37 d-----w- c:\program files\Pando Networks
2009-06-02 19:45 . 2008-10-31 18:42 d-----w- c:\program files\Football Superstars
2009-06-01 20:01 . 2009-05-23 03:36 d-----w- c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2009-05-23 03:18 . 2009-05-23 03:18 d-----w- c:\documents and settings\exclusive\Application Data\Lexmark Productivity Studio
2009-05-21 15:33 . 2008-12-14 19:40 410984 -c--a-w- c:\windows\system32\deploytk.dll
2009-05-18 01:25 . 2009-05-18 01:25 d-----w- c:\program files\uTorrent
2009-05-16 02:02 . 2009-05-16 02:02 d-----w- c:\documents and settings\exclusive\Application Data\6500 Series
2009-05-15 01:07 . 2004-02-11 02:05 d--h--w- c:\program files\InstallShield Installation Information
2009-05-14 00:52 . 2009-05-14 00:48 d-----w- c:\program files\Lexmark 6500 Series
2009-05-14 00:51 . 2009-05-14 00:51 d-----w- c:\documents and settings\All Users\Application Data\6500 Series
2009-05-14 00:51 . 2009-05-14 00:50 d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-05-13 05:15 . 2004-02-06 22:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 20:34 . 2004-02-13 16:15 47888 -c--a-w- c:\documents and settings\exclusive\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 02:48 . 2006-11-19 08:51 d-----w- c:\documents and settings\exclusive\Application Data\dvdcss
2009-05-12 02:27 . 2009-05-12 02:27 d-----w- c:\documents and settings\exclusive\Application Data\AVS4YOU
2009-05-12 02:27 . 2009-05-12 02:27 d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-05-12 02:26 . 2009-05-12 02:26 d-----w- c:\program files\AVS4YOU
2009-05-12 02:26 . 2009-05-12 02:26 d-----w- c:\program files\Common Files\AVSMedia
2009-05-12 02:26 . 2004-11-03 23:52 d-----w- c:\program files\AV VCS 3.0 GOLD
2009-05-11 01:17 . 2007-06-02 00:14 d-----w- c:\program files\UniBall
2009-05-07 15:32 . 2002-08-29 11:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 07:33 . 2004-11-08 19:02 d-----w- c:\program files\Azureus
2009-05-03 07:19 . 2004-11-02 16:25 d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-04-30 22:29 . 2009-04-30 22:19 d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-04-30 22:22 . 2009-04-30 22:22 d-----w- c:\documents and settings\exclusive\Application Data\Verizon
2009-04-30 22:22 . 2009-04-30 22:22 d-----w- c:\documents and settings\All Users\Application Data\Verizon
2009-04-30 22:21 . 2009-04-30 22:21 d-----w- c:\documents and settings\exclusive\Application Data\Motive
2009-04-30 22:21 . 2009-04-30 22:19 d-----w- c:\program files\Common Files\Motive
2009-04-18 17:33 . 2004-11-13 23:24 13544 -c--a-w- c:\documents and settings\exclusive\Application Data\wklnhst.dat
2009-04-17 12:26 . 2002-08-29 11:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-04-15 20:10 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-04 02:39 . 2009-04-04 02:39 152576 -c--a-w- c:\documents and settings\exclusive\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2008-02-24 23:52 . 2008-02-24 23:52 48 -csh--w- c:\windows\S4A724F7F.tmp
2006-03-22 07:44 . 2006-03-22 07:44 56 -csh--r- c:\windows\SYSTEM32\171918B8BD.sys
2007-06-06 19:23 . 2007-06-06 19:23 5 -csha-w- c:\windows\SYSTEM32\facffaeade_s.dll
.
Sigcheck
[-] 2008-11-28 19:53 507904 3969440BA384D35317DBBDEEAAE641CE c:\windows\SYSTEM32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 16:41 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-10-15 06:04 . 2008-10-15 06:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
2004-02-11 02:09 . 2004-02-11 02:09 151597 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
2004-12-13 20:30 . 2007-01-09 22:32 58984 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2006-10-13 22:55 . 2007-03-05 17:57 1103480 c:\program files\IGN\Download Manager\bak\DLM.exe
2007-03-05 21:57 . 2007-03-05 21:57 1103480 c:\program files\IGN\Download Manager\DLM.exe
2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-01-06 18:06 . 2009-01-06 18:06 290088 c:\program files\iTunes\iTunesHelper.exe
2007-06-18 18:31 . 2007-02-06 16:37 147456 c:\program files\PayPal\PayPal Virtual Debit Card\bak\PayPalVDC.exe
2006-10-27 09:43 . 2006-10-27 09:43 1495111 c:\program files\PPMate\PPMate\bak\ppmate.exe
2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe
2009-01-05 21:18 . 2009-01-05 21:18 413696 c:\program files\QuickTime\QTTask.exe
2007-02-21 02:56 . 2007-05-05 23:17 100056 c:\program files\SymNetDrv\bak\SNDMon.exe
2006-10-19 01:05 . 2006-10-19 01:05 204288 c:\program files\Windows Media Player\bak\WMPNSCFG.exe
2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2002-08-29 11:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe
2004-02-14 21:16 . 2005-01-23 15:31 126976 c:\windows\SYSTEM32\bak\hkcmd.exe
2005-10-19 12:59 . 2005-10-19 12:59 126976 c:\windows\SYSTEM32\hkcmd.exe
2004-02-14 21:16 . 2005-01-23 15:36 155648 c:\windows\SYSTEM32\bak\igfxtray.exe
2005-10-19 12:59 . 2005-10-19 12:59 155648 c:\windows\SYSTEM32\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-02-13 2303216]
"lxdfmon.exe"="c:\program files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 455600]
"lxdfamon"="c:\program files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 20480]
"Lexmark 6500 Series Fax Server"="c:\program files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 308144]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-10-07 1630208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Messenger
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTaskbar
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LexBceS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Steam\\SteamApps\\stayfly788@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\exclusive\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\uusee\\UUSeePlayer.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\exclusive\\Desktop\\mirc\\mirc.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\SYSTEM32\\p3xsvr.exe"=
"c:\\Program Files\\Football Superstars\\FSPatchR.exe"=
"c:\\Program Files\\Football Superstars\\FSClientr.exe"=
"c:\\WINDOWS\\SYSTEM32\\ntvdm.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"i:\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\worldwide soccer manager 2009\\wsm.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxdfcoms.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxdfcfg.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdfpswx.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdftime.exe"=
"i:\\Downloads\\aceonline\\Res-VoIP\\SCVoIP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\exclusive\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\frun.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdfjswx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:yo
"41952:TCP"= 41952:TCP:tv
"20:TCP"= 20:TCP:hey
"21:TCP"= 21:TCP:free
R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [2/6/2009 2:23 PM 106208]
R1 epfwtdir;epfwtdir;c:\windows\SYSTEM32\DRIVERS\epfwtdir.sys [2/6/2009 2:24 PM 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 2:23 PM 727720]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 11:28 AM 204800]
R2 lxdf_device;lxdf_device;c:\windows\system32\lxdfcoms.exe -service --> c:\windows\system32\lxdfcoms.exe -service [?]
R2 PStrip;PStrip;c:\windows\SYSTEM32\DRIVERS\PStrip.sys [11/9/2004 6:32 PM 21968]
R2 Vcs;Vcs support;c:\windows\SYSTEM32\DRIVERS\Vcs.sys [11/3/2004 7:51 PM 6852]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [1/30/2008 5:52 AM 106496]
S0 pndqyukd;pndqyukd;c:\windows\system32\drivers\wumhbru.sys --> c:\windows\system32\drivers\wumhbru.sys [?]
S1 pctfw22;pctfw22;c:\windows\system32\drivers\pctfw22.sys --> c:\windows\system32\drivers\pctfw22.sys [?]
S2 .EsetTrialReset;Eset Trial Reset;c:\windows\SYSTEM32\REGEDT32.EXE [8/29/2002 7:00 AM 3584]
S2 LexBce Server (LexBceS) ;LexBce Server (LexBceS) ; [x]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxdfserv.exe [5/13/2009 8:52 PM 99248]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -
Notify-NavLogon - (no file)
.
Supplementary Scan
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - hxxp://www.mtv.com/overdrive/bin/setup.exe
FF - ProfilePath - c:\documents and settings\exclusive\Application Data\Mozilla\Firefox\Profiles\kk0bwo24.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (Eng)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\exclusive\Application Data\Mozilla\Firefox\Profiles\kk0bwo24.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\exclusive\Application Data\Mozilla\Firefox\Profiles\kk0bwo24.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
FF - HiddenExtension: Sotfone Tracker: No Registry Reference - c:\program files\Mozilla Firefox\extensions\sotfone-tracker@sotfone.ru
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 01:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-3461783486-2324116790-2309476532-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5f,7b,f8,54,91,cf,ed,0b,68,d2,94,48,a7,cd,4c,68,02,f8,94,79,74,8c,22,
8d,66,ac,05,df,5d,4a,f2,0a,36,b5,40,16,9d,35,66,0f,46,f0,3a,3e,a7,95,0e,7d,\
"??"=hex:1f,16,3d,94,5b,12,78,97,7a,7e,19,46,f0,cd,53,5e
[HKEY_USERS\S-1-5-21-3461783486-2324116790-2309476532-1007\Software\SecuROM\License information*]
"datasecu"=hex:b4,ec,ec,2d,7c,61,9f,ba,1a,2b,20,4e,d4,a6,47,39,fb,a1,f0,04,48,
ff,9c,c5,d1,51,bf,13,95,c4,e7,a5,8d,f2,de,00,86,d4,f5,4b,63,52,cb,86,35,c1,\
"rkeysecu"=hex:e3,00,e9,1f,9c,f8,dc,f4,52,74,cc,36,94,d9,5d,8c
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{216eceeb-0f68-482b-83e5-e0a474c460ec}]
@Denied: (Full) (Everyone)
"Model"=dword:00000001
"Therad"=dword:0000000d
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ea,b5,ff,ea,66,79,ab,55,89,a1,67,0f,eb,17,79,36,c2,ea,e0,80,a0,
45,73,5c,99,70,36,a3,13,3b,c3,3f,7c,4e,ad,3c,12,f1,98,ae,00,00,00,00,00,00,\
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(3020)
c:\windows\system32\WININET.dll
.
Other Running Processes
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\imapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\rundll32.exe
c:\windows\SYSTEM32\lxdfcoms.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\locator.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\SYSTEM32\java.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-27 2:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-27 06:00
Pre-Run: 17,961,345,024 bytes free
Post-Run: 18,020,966,400 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
346 --- E O F --- 2009-06-12 07:03
First, please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:
c:\windows\winstart.bat
Then click Submit. Allow the file to be scanned, and then please copy/paste the results here later for me to see.
If Jotti is busy, please go to http://www.virustotal.com instead.
Now,
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt.
Please copy and paste ComboFix.txt into your next reply, along with the VirusTotal results.
*Note:
Do not mouse-click ComboFix's window while it is running; that may cause it to stall. Altering this script in any way could damage your computer.
Do you have a Windows CD at hand?
The reason I requested a Windows CD is that winlogon.exe has been infected and we'll need to replace this system file with a clean one.
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.528 [GMT -4:00]
Running from: c:\documents and settings\exclusive\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\exclusive\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active
FILE ::
"c:\windows\S4A724F7F.tmp"
"c:\windows\SYSTEM32\171918B8BD.sys"
"c:\windows\system32\drivers\pctfw22.sys"
"c:\windows\system32\drivers\wumhbru.sys"
"c:\windows\SYSTEM32\facffaeade_s.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\S4A724F7F.tmp
c:\windows\SYSTEM32\171918B8BD.sys
c:\windows\SYSTEM32\facffaeade_s.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Service_pctfw22
\Service_pndqyukd
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.
2009-06-27 05:57 . 2009-06-27 05:57 d-----w- c:\windows\system32\dllcache\cache
.
Sigcheck
[-] 2008-11-28 19:53 507904 3969440BA384D35317DBBDEEAAE641CE c:\windows\SYSTEM32\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-06-27_05.51.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-27 06:59 . 2009-06-27 06:59 16384 c:\windows\temp\Perflib_Perfdata_46c.dat
+ 2009-06-27 05:57 . 2008-10-16 19:09 51224 c:\windows\SYSTEM32\DLLCACHE\cache\wuauclt.exe
+ 2009-06-27 05:57 . 2008-04-14 00:12 82432 c:\windows\SYSTEM32\DLLCACHE\cache\ws2_32.dll
+ 2009-06-27 05:57 . 2008-04-14 00:12 26112 c:\windows\SYSTEM32\DLLCACHE\cache\userinit.exe
+ 2009-06-27 05:57 . 2008-04-14 00:12 14336 c:\windows\SYSTEM32\DLLCACHE\cache\svchost.exe
+ 2009-06-27 05:57 . 2008-04-14 00:12 57856 c:\windows\SYSTEM32\DLLCACHE\cache\spoolsv.exe
+ 2009-06-27 05:57 . 2008-04-14 00:12 17408 c:\windows\SYSTEM32\DLLCACHE\cache\powrprof.dll
+ 2009-06-27 05:57 . 2008-04-14 00:12 13312 c:\windows\SYSTEM32\DLLCACHE\cache\lsass.exe
+ 2009-06-27 05:57 . 2008-04-13 18:39 24576 c:\windows\SYSTEM32\DLLCACHE\cache\kbdclass.sys
+ 2009-06-27 05:57 . 2008-04-13 18:53 36608 c:\windows\SYSTEM32\DLLCACHE\cache\ip6fw.sys
+ 2009-06-27 05:57 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\DLLCACHE\cache\ctfmon.exe
+ 2009-06-27 05:57 . 2009-05-13 05:15 915456 c:\windows\SYSTEM32\DLLCACHE\cache\wininet.dll
+ 2009-06-27 05:57 . 2008-04-14 00:12 578560 c:\windows\SYSTEM32\DLLCACHE\cache\user32.dll
+ 2009-06-27 05:57 . 2008-06-20 11:51 361600 c:\windows\SYSTEM32\DLLCACHE\cache\tcpip.sys
+ 2009-06-27 05:57 . 2009-02-06 11:11 110592 c:\windows\SYSTEM32\DLLCACHE\cache\services.exe
+ 2009-06-27 05:57 . 2008-04-13 19:20 182656 c:\windows\SYSTEM32\DLLCACHE\cache\ndis.sys
+ 2009-06-27 05:57 . 2009-03-21 14:06 989696 c:\windows\SYSTEM32\DLLCACHE\cache\kernel32.dll
+ 2009-06-27 05:57 . 2008-04-14 00:11 110080 c:\windows\SYSTEM32\DLLCACHE\cache\imm32.dll
+ 2009-06-27 05:57 . 2008-04-14 00:12 1614848 c:\windows\SYSTEM32\DLLCACHE\cache\sfcfiles.dll
+ 2009-06-27 05:57 . 2009-02-06 11:08 2189056 c:\windows\SYSTEM32\DLLCACHE\cache\ntoskrnl.exe
+ 2009-06-27 05:57 . 2009-02-07 23:02 2066048 c:\windows\SYSTEM32\DLLCACHE\cache\ntkrnlpa.exe
+ 2009-06-27 05:57 . 2008-04-14 00:12 1033728 c:\windows\SYSTEM32\DLLCACHE\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 16:41 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-10-15 06:04 . 2008-10-15 06:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
2004-02-11 02:09 . 2004-02-11 02:09 151597 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
2004-12-13 20:30 . 2007-01-09 22:32 58984 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
2006-10-13 22:55 . 2007-03-05 17:57 1103480 c:\program files\IGN\Download Manager\bak\DLM.exe
2007-03-05 21:57 . 2007-03-05 21:57 1103480 c:\program files\IGN\Download Manager\DLM.exe
2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-01-06 18:06 . 2009-01-06 18:06 290088 c:\program files\iTunes\iTunesHelper.exe
2007-06-18 18:31 . 2007-02-06 16:37 147456 c:\program files\PayPal\PayPal Virtual Debit Card\bak\PayPalVDC.exe
2006-10-27 09:43 . 2006-10-27 09:43 1495111 c:\program files\PPMate\PPMate\bak\ppmate.exe
2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe
2009-01-05 21:18 . 2009-01-05 21:18 413696 c:\program files\QuickTime\QTTask.exe
2007-02-21 02:56 . 2007-05-05 23:17 100056 c:\program files\SymNetDrv\bak\SNDMon.exe
2006-10-19 01:05 . 2006-10-19 01:05 204288 c:\program files\Windows Media Player\bak\WMPNSCFG.exe
2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2002-08-29 11:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe
2004-02-14 21:16 . 2005-01-23 15:31 126976 c:\windows\SYSTEM32\bak\hkcmd.exe
2005-10-19 12:59 . 2005-10-19 12:59 126976 c:\windows\SYSTEM32\hkcmd.exe
2004-02-14 21:16 . 2005-01-23 15:36 155648 c:\windows\SYSTEM32\bak\igfxtray.exe
2005-10-19 12:59 . 2005-10-19 12:59 155648 c:\windows\SYSTEM32\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-02-13 2303216]
"lxdfmon.exe"="c:\program files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 455600]
"lxdfamon"="c:\program files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 20480]
"Lexmark 6500 Series Fax Server"="c:\program files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 308144]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-10-07 1630208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LexBceS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Steam\\SteamApps\\stayfly788@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\exclusive\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\uusee\\UUSeePlayer.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\exclusive\\Desktop\\mirc\\mirc.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\SYSTEM32\\p3xsvr.exe"=
"c:\\Program Files\\Football Superstars\\FSPatchR.exe"=
"c:\\Program Files\\Football Superstars\\FSClientr.exe"=
"c:\\WINDOWS\\SYSTEM32\\ntvdm.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"i:\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\worldwide soccer manager 2009\\wsm.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxdfcoms.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxdfcfg.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdfpswx.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdftime.exe"=
"i:\\Downloads\\aceonline\\Res-VoIP\\SCVoIP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\exclusive\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\frun.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdfjswx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:yo
"41952:TCP"= 41952:TCP:tv
"20:TCP"= 20:TCP:hey
"21:TCP"= 21:TCP:free
R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [2/6/2009 2:23 PM 106208]
R1 epfwtdir;epfwtdir;c:\windows\SYSTEM32\DRIVERS\epfwtdir.sys [2/6/2009 2:24 PM 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 2:23 PM 727720]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 11:28 AM 204800]
R2 lxdf_device;lxdf_device;c:\windows\system32\lxdfcoms.exe -service --> c:\windows\system32\lxdfcoms.exe -service [?]
R2 PStrip;PStrip;c:\windows\SYSTEM32\DRIVERS\PStrip.sys [11/9/2004 6:32 PM 21968]
R2 Vcs;Vcs support;c:\windows\SYSTEM32\DRIVERS\Vcs.sys [11/3/2004 7:51 PM 6852]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [1/30/2008 5:52 AM 106496]
S2 .EsetTrialReset;Eset Trial Reset;c:\windows\SYSTEM32\REGEDT32.EXE [8/29/2002 7:00 AM 3584]
S2 LexBce Server (LexBceS) ;LexBce Server (LexBceS) ; [x]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxdfserv.exe [5/13/2009 8:52 PM 99248]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - hxxp://www.mtv.com/overdrive/bin/setup.exe
FF - ProfilePath - c:\documents and settings\exclusive\Application Data\Mozilla\Firefox\Profiles\kk0bwo24.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (Eng)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: Sotfone Tracker: No Registry Reference - c:\program files\Mozilla Firefox\extensions\sotfone-tracker@sotfone.ru
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 03:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-3461783486-2324116790-2309476532-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5f,7b,f8,54,91,cf,ed,0b,68,d2,94,48,a7,cd,4c,68,02,f8,94,79,74,8c,22,
8d,66,ac,05,df,5d,4a,f2,0a,36,b5,40,16,9d,35,66,0f,46,f0,3a,3e,a7,95,0e,7d,\
"??"=hex:1f,16,3d,94,5b,12,78,97,7a,7e,19,46,f0,cd,53,5e
[HKEY_USERS\S-1-5-21-3461783486-2324116790-2309476532-1007\Software\SecuROM\License information*]
"datasecu"=hex:b4,ec,ec,2d,7c,61,9f,ba,1a,2b,20,4e,d4,a6,47,39,fb,a1,f0,04,48,
ff,9c,c5,d1,51,bf,13,95,c4,e7,a5,8d,f2,de,00,86,d4,f5,4b,63,52,cb,86,35,c1,\
"rkeysecu"=hex:e3,00,e9,1f,9c,f8,dc,f4,52,74,cc,36,94,d9,5d,8c
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{216eceeb-0f68-482b-83e5-e0a474c460ec}]
@Denied: (Full) (Everyone)
"Model"=dword:00000001
"Therad"=dword:0000000d
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ea,b5,ff,ea,66,79,ab,55,89,a1,67,0f,eb,17,79,36,c2,ea,e0,80,a0,
45,73,5c,99,70,36,a3,13,3b,c3,3f,7c,4e,ad,3c,12,f1,98,ae,00,00,00,00,00,00,\
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(3452)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\imapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\lxdfcoms.exe
c:\windows\SYSTEM32\java.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\locator.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-27 3:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-27 07:11
ComboFix2.txt 2009-06-27 06:00
Pre-Run: 18,038,251,520 bytes free
Post-Run: 18,018,947,072 bytes free
Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
336 --- E O F --- 2009-06-12 07:03
sfc /scannow (Note that there is a space between sfc and /scannow)
This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.
In all likelihood you will be prompted to insert the Windows CD. Follow all the on-screen instructions.
Is your computer running fine now?
Glad we could be of assistance! The help you received here was free.
This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.
If you are not the user who started this thread, you must start your own thread instead.
_______________________________
Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 and fold for a cure.