[Closed] Internet connectivity gone.
#1
Posted 15 October 2009 - 11:57 PM
#2
Posted 16 October 2009 - 07:13 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:00 PM, on 10/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\green-programs\WinSplit Revolution\WinSplit.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\xampp\xampp-control.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\green-programs\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EasyTuneVI] C:\Program Files\GIGABYTE\ET6\ETcall.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12L~1\imesc\IMSCMig.exe /INSTALL
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Winsplit] C:\green-programs\WinSplit Revolution\WinSplit.exe
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [QvodPlayer] C:\Program Files\QvodPlayer\QvodTerminal.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [QvodPlayer] C:\Program Files\QvodPlayer\QvodTerminal.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7412DDD1-C327-4BE3-9D41-6A3FC6F9A4C3}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\filezillaftp\filezillaserver.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Apache Tomcat 6 (Tomcat6) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
--
End of file - 11622 bytes
Edited by janetsmith, 16 October 2009 - 08:49 AM.
#3
Posted 16 October 2009 - 07:18 AM
Edited by janetsmith, 16 October 2009 - 08:19 AM.
#4
Posted 16 October 2009 - 08:51 AM
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3061.2449 [GMT 8:00]
Running from: c:\documents and settings\Janet\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WINDOWS_HOSTS_CONTROLLER
((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.
2009-10-16 10:44 . 2009-10-16 10:44 -------- d-----w- c:\windows\ERUNT
2009-10-16 10:38 . 2009-10-16 11:13 -------- d-----w- C:\SDFix
2009-10-15 21:59 . 2009-10-15 21:59 -------- d-----w- C:\$AVG
2009-10-15 21:59 . 2009-10-15 21:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-15 21:59 . 2009-10-15 21:59 356616 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-15 21:59 . 2009-10-15 21:59 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-15 21:59 . 2009-10-15 21:59 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-15 21:59 . 2009-10-16 08:29 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-15 21:59 . 2009-10-15 21:59 -------- d-----w- c:\program files\AVG
2009-10-15 21:59 . 2009-10-15 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-14 15:59 . 2009-10-14 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-14 15:58 . 2009-10-16 08:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 15:58 . 2009-10-14 15:58 -------- d-----w- c:\documents and settings\Janet\Application Data\SUPERAntiSpyware.com
2009-10-14 13:10 . 2009-10-14 13:10 10752 ----a-w- c:\windows\DCEBoot.exe
2009-10-14 09:29 . 2009-10-14 09:29 -------- d-----w- c:\documents and settings\Janet\Application Data\Malwarebytes
2009-10-14 09:29 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 09:29 . 2009-10-14 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 09:29 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 09:29 . 2009-10-14 09:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 10:42 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-10-13 10:42 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-10-13 10:42 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-13 10:42 . 2009-10-13 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-10-13 10:41 . 2009-10-13 10:42 -------- d-----w- c:\program files\Trend Micro
2009-10-13 10:36 . 2009-10-13 10:36 335376 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2009-10-13 10:36 . 2009-05-22 08:02 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-10-13 10:36 . 2009-05-22 07:45 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-10-13 10:36 . 2009-10-13 10:36 80400 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-10-13 10:36 . 2009-05-22 08:00 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-10-10 05:26 . 2009-10-10 05:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-10 05:24 . 2009-07-28 08:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-05 08:55 . 2009-10-05 12:41 -------- d-----w- c:\documents and settings\Janet\.yed3
2009-10-03 00:45 . 2009-10-03 00:45 -------- d-----w- c:\program files\Paint.NET
2009-10-02 15:49 . 2009-10-02 15:49 -------- d-----w- c:\program files\MSXML 6.0
2009-09-26 16:46 . 2009-09-26 16:46 -------- d-----w- c:\documents and settings\Janet\Application Data\Media Player Classic
2009-09-23 16:17 . 2009-09-23 16:17 -------- d-----r- c:\documents and settings\Janet\Application Data\Brother
2009-09-23 15:58 . 2009-09-23 15:58 -------- d-----w- c:\documents and settings\Janet\Local Settings\Application Data\Scansoft
2009-09-23 15:53 . 2009-09-23 15:53 50 ----a-w- c:\windows\system32\bridf08b.dat
2009-09-23 15:53 . 2008-03-18 14:35 1522176 ----a-w- c:\windows\system32\BrWia08a.dll
2009-09-23 15:53 . 2007-12-24 14:24 45056 ----a-w- c:\windows\system32\BrUsi08a.dll
2009-09-23 15:53 . 2004-10-15 04:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2009-09-23 15:52 . 2007-12-13 14:16 73728 ------w- c:\windows\system32\BrDctF2.dll
2009-09-23 15:52 . 2007-12-13 14:16 5120 ------w- c:\windows\system32\BrDctF2L.dll
2009-09-23 15:52 . 2007-12-13 14:16 3072 ------w- c:\windows\system32\BrDctF2S.dll
2009-09-23 15:52 . 2006-12-28 05:39 176128 ------w- c:\windows\system32\BroSNMP.dll
2009-09-23 15:52 . 2008-01-25 07:21 167936 ------w- c:\windows\system32\NSSearch.dll
2009-09-23 15:52 . 2009-09-23 15:53 -------- d-----w- c:\program files\Brother
2009-09-23 15:52 . 2009-09-23 15:52 -------- d-----w- c:\documents and settings\Janet\Application Data\InstallShield
2009-09-23 15:51 . 2009-09-23 15:51 -------- d-----w- c:\program files\Nuance
2009-09-23 15:50 . 2009-09-23 15:50 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-09-23 15:50 . 2009-09-23 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-09-23 15:50 . 2009-09-23 15:50 -------- d-----w- c:\program files\ScanSoft
2009-09-23 15:49 . 2009-09-23 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-09-23 15:45 . 2004-08-03 15:01 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-09-23 15:45 . 2004-08-03 15:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-09-23 15:45 . 2004-08-03 15:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-09-23 15:45 . 2004-08-03 15:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-09-21 17:13 . 2009-09-21 17:13 -------- d-----w- c:\documents and settings\Janet\Application Data\Charles
2009-09-21 17:13 . 2009-09-21 17:13 -------- d-----w- c:\program files\Charles
2009-09-19 13:55 . 2009-10-13 12:27 -------- d-----w- c:\documents and settings\Janet\Application Data\FileZilla
2009-09-19 13:55 . 2009-10-11 11:44 -------- d-----w- c:\program files\FileZilla FTP Client
2009-09-18 13:36 . 2009-09-18 14:14 -------- d-----w- c:\documents and settings\Janet\.VirtualBox
2009-09-18 13:33 . 2009-07-10 09:51 115856 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2009-09-18 13:33 . 2009-07-10 09:51 91472 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2009-09-18 13:33 . 2009-07-10 09:51 41424 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 11:46 . 2009-07-12 02:24 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-10-16 11:45 . 2009-07-12 04:11 16608 ----a-w- c:\windows\gdrv.sys
2009-10-13 21:44 . 2009-07-12 04:54 -------- d-----w- c:\program files\BitComet
2009-10-13 10:39 . 2009-07-12 05:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-13 10:38 . 2009-07-12 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-10 06:34 . 2009-07-12 02:13 29768 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-10 04:47 . 2009-07-12 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-10 04:47 . 2009-07-12 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-10-04 06:22 . 2009-07-22 13:31 -------- d-----w- c:\documents and settings\Janet\Application Data\Orbit
2009-10-04 05:12 . 2009-07-15 10:36 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-02 15:52 . 2009-10-02 15:52 113024 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-02 15:51 . 2009-10-02 15:51 -------- d-----w- c:\program files\MSBuild
2009-10-02 15:51 . 2009-10-02 15:51 -------- d-----w- c:\program files\Reference Assemblies
2009-09-23 15:52 . 2009-07-12 01:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-20 09:01 . 2009-08-31 11:25 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-09-18 13:33 . 2009-07-12 04:21 -------- d-----w- c:\program files\Sun
2009-09-18 13:27 . 2009-08-23 03:11 -------- d-----w- c:\program files\EmfPrinter
2009-09-18 13:25 . 2009-08-23 03:20 -------- d-----w- c:\program files\ImagePrinter
2009-09-15 14:56 . 2009-07-12 02:10 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-15 10:23 . 2009-09-15 10:23 29332 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-13 10:41 . 2009-09-13 10:41 -------- d-----w- c:\program files\Graphviz2.24
2009-09-13 10:28 . 2009-09-10 21:47 -------- d-----w- c:\documents and settings\Janet\Application Data\JGoodies
2009-09-12 17:55 . 2009-07-12 07:06 -------- d-----w- c:\program files\QvodPlayer
2009-09-11 16:11 . 2009-09-10 13:13 -------- d-----w- c:\documents and settings\Janet\Application Data\Download Manager
2009-09-11 13:29 . 2009-09-11 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-09-11 13:20 . 2009-09-11 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2009-09-11 13:17 . 2009-09-11 13:17 -------- d-----w- c:\program files\Adobe Media Player
2009-09-11 13:12 . 2009-09-11 13:12 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-09-10 13:28 . 2009-09-10 13:28 -------- d-----w- c:\documents and settings\Janet\Application Data\inkscape
2009-08-31 11:25 . 2009-08-31 11:25 -------- d-----w- c:\documents and settings\Janet\Application Data\Talkback
2009-08-31 11:25 . 2009-08-31 11:25 -------- d-----w- c:\documents and settings\Janet\Application Data\Thunderbird
2009-08-31 09:01 . 2009-07-12 06:28 -------- d-----w- c:\documents and settings\Janet\Application Data\MySQL
2009-08-29 02:34 . 2009-08-29 00:42 -------- d-----w- c:\documents and settings\Janet\Application Data\ICAClient
2009-08-29 01:29 . 2009-07-14 10:50 -------- d-----w- c:\program files\Google
2009-08-29 00:32 . 2009-08-29 00:32 -------- d-----w- c:\program files\Citrix
2009-08-23 04:55 . 2009-08-23 04:55 -------- d-----w- c:\program files\PDFCreator
2009-08-23 02:20 . 2009-08-23 02:15 -------- d-----w- c:\program files\JPEG Printer
2009-08-23 02:03 . 2009-08-23 02:03 -------- d-----w- c:\program files\MSECache
2009-08-20 10:13 . 2009-08-20 10:13 -------- d-----w- c:\documents and settings\Janet\Application Data\.visualvm
2006-02-28 12:00 . 2006-02-28 12:00 80300 --sha-r- c:\windows\system32\lsrycr.dll
.
------- Sigcheck -------
[7] 2006-02-28 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2006-02-28 . C1783498EDB152656303B5D5BCABD86C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Winsplit"="c:\green-programs\WinSplit Revolution\WinSplit.exe" [2009-02-27 3958784]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-10-13 492808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-12 148888]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12L~1\imesc\IMSCMig.exe" [2008-04-11 38432]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2009-03-24 606208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-15 2007320]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-01-13 18084864]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"QvodPlayer"="c:\program files\QvodPlayer\QvodTerminal.exe" [2009-07-10 542088]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-10-13 492808]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-7-19 221247]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-15 21:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20226:TCP"= 20226:TCP:BitComet 20226 TCP
"20226:UDP"= 20226:UDP:BitComet 20226 UDP
"3306:TCP"= 3306:TCP:MySQL Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"9991:TCP"= 9991:TCP:PORT2
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:BS
"33180:TCP"= 33180:TCP:FD
"58848:TCP"= 58848:TCP:FD
"17093:TCP"= 17093:TCP:FD
"29532:TCP"= 29532:TCP:FD
"22577:TCP"= 22577:TCP:FD
"16491:TCP"= 16491:TCP:FD
"1262:TCP"= 1262:TCP:pnusa
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/16/2009 5:59 AM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/16/2009 5:59 AM 356616]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [9/18/2009 9:33 PM 115856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [9/18/2009 9:33 PM 41424]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/16/2009 5:59 AM 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/16/2009 5:59 AM 285392]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [7/12/2009 9:52 AM 68136]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [7/12/2009 10:22 AM 22016]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/13/2009 6:42 PM 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [10/13/2009 6:42 PM 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [10/13/2009 6:36 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [10/13/2009 6:42 PM 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [10/13/2009 6:36 PM 335376]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [7/10/2009 5:51 PM 99472]
S2 esawkbbw;Helper System;c:\windows\system32\svchost.exe -k netsvcs [2/28/2006 8:00 PM 14336]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [7/12/2009 10:22 AM 28800]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [7/12/2009 10:22 AM 17408]
S3 Tomcat6;Apache Tomcat 6;c:\program files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [5/14/2009 7:15 AM 57344]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [9/18/2009 9:33 PM 91472]
SUnknown GVTDrv;GVTDrv; [x]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ESAWKBBW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ffxkxky
gtjny
esawkbbw
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
FF - ProfilePath - c:\documents and settings\Janet\Application Data\Mozilla\Firefox\Profiles\u6if2y4k.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-16 19:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\docume~1\janet\LOCALS~1\Temp\~DFB4B5.tmp 311296 bytes
c:\windows\system32\GVTunner.ref 4 bytes
scan completed successfully
hidden files: 2
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\esawkbbw]
"ServiceDll"="c:\windows\system32\lsrycr.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1192)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'explorer.exe'(3576)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2009-10-16 19:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-16 11:48
Pre-Run: 84,572,975,104 bytes free
Post-Run: 84,491,968,512 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
318
Edited by janetsmith, 16 October 2009 - 08:58 AM.
#5
Posted 16 October 2009 - 08:53 AM
Edited by janetsmith, 16 October 2009 - 09:00 AM.
#6
Posted 16 October 2009 - 08:54 AM
#7
Posted 16 October 2009 - 05:18 PM
Edited by janetsmith, 16 October 2009 - 05:21 PM.
#8
Posted 16 October 2009 - 06:30 PM
Rootkit scan 2009-10-17 08:29:16
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\janet\LOCALS~1\Temp\uxldrpog.sys
---- System - GMER 1.0.15 ----
SSDT 8975CCC0 ZwCreateKey
SSDT 8975C1C0 ZwCreateProcess
SSDT 8975C480 ZwCreateProcessEx
SSDT 8975DB20 ZwCreateThread
SSDT 8975D240 ZwDeleteKey
SSDT 8975D500 ZwDeleteValueKey
SSDT 8975DCC0 ZwLoadDriver
SSDT 8975C740 ZwOpenProcess
SSDT 8975CF80 ZwSetValueKey
SSDT 8975CA00 ZwTerminateProcess
SSDT 8975D980 ZwWriteVirtualMemory
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv122.sys
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device InCDFs.sys (InCD File System Driver/Nero AG)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] esawkbbw <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@DisplayName Helper System
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw@Description Prefetches JRE files for faster startup of Java applets and applications
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\esawkbbw\Parameters@ServiceDll C:\WINDOWS\system32\lsrycr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@DisplayName Helper System
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw@Description Prefetches JRE files for faster startup of Java applets and applications
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\esawkbbw\Parameters@ServiceDll C:\WINDOWS\system32\lsrycr.dll
---- EOF - GMER 1.0.15 ----
#9
Posted 18 October 2009 - 05:13 AM
Please do the following:
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
- They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:
Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')
http://forums.whatthetech.com/Internet_connectivity_gone_t107656.html
collect::
c:\windows\system32\lsrycr.dll
KillAll::
Driver::
esawkbbw
NetSvc::
ffxkxky
gtjny
esawkbbw
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\esawkbbw]
FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB}
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')
Save this file to your desktop. Save it as "CFScript".
Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you.
- Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
**Note**
When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
- Ensure you are connected to the internet and click OK on the message box.
NEXT
What can you tell me about all these open ports?
What do you use them for?
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9991:TCP"= 9991:TCP:PORT2
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:BS
"33180:TCP"= 33180:TCP:FD
"58848:TCP"= 58848:TCP:FD
"17093:TCP"= 17093:TCP:FD
"29532:TCP"= 29532:TCP:FD
"22577:TCP"= 22577:TCP:FD
"16491:TCP"= 16491:TCP:FD
"1262:TCP"= 1262:TCP:pnusa
Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
#10
Posted 24 October 2009 - 01:09 PM