Trojan Dropper Agent.GIT Please help!


No replies to this topic

#1 simontaylor7
Posted 16 January 2008 - 03:25 PM

Hi, I have followed the advice of a couple of the feeds on here to try to remove my problems, but I would like somebody to review the attached HijackThis log and ComboFix log to let me know what to try next.

Thanks, I hope you can help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:18:33, on 17/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\John\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8DF4AF96-3F1C-4D07-AA6A-176B44884F2C} - C:\WINDOWS\system32\pmkjk.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: winbug32 - C:\WINDOWS\SYSTEM32\winbug32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 7207 bytes

ComboFix 08-01-17.1 - SimonTaylor 2008-01-16 21:14:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.526 [GMT 0:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\outerinfo
C:\Program Files\outerinfo\OinFP.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\WINDOWS\system32\drvxalr.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-15 21:57 . 2008-01-15 21:57 103,424 --a------ C:\WINDOWS\system32\drvxal.dll
2008-01-15 21:57 . 2008-01-15 21:57 12,288 --a------ C:\WINDOWS\system32\wupeng.exe
2008-01-15 21:49 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 21:34 . 2008-01-15 21:36 <DIR> d-------- C:\Program Files\CCleaner
2008-01-15 21:04 . 2008-01-15 21:04 <DIR> d-------- C:\VundoFix Backups
2008-01-15 20:51 . 2008-01-15 20:51 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-15 20:41 . 2008-01-15 20:41 3,584 --a------ C:\WINDOWS\system32\pmkjk.exe
2008-01-15 16:47 . 2008-01-15 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-15 16:47 . 2008-01-15 16:47 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2008-01-15 16:47 . 2008-01-15 16:47 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2008-01-15 16:25 . 2008-01-15 16:25 <DIR> d-------- C:\Documents and Settings\John\Application Data\McAfee.com Personal Firewall
2008-01-15 16:24 . 2008-01-15 16:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2008-01-15 16:23 . 2008-01-16 21:03 30,272 --a------ C:\WINDOWS\system32\Status.MPF
2008-01-15 16:13 . 2005-07-26 14:50 94,208 --a------ C:\WINDOWS\system32\mclsp.dll
2008-01-15 16:13 . 2005-07-26 14:47 90,112 --a------ C:\WINDOWS\system32\mcrtl32.dll
2008-01-15 16:13 . 2005-04-20 19:22 32,768 --a------ C:\WINDOWS\system32\instlsp.exe
2008-01-15 16:13 . 2005-04-20 19:22 11,264 --a------ C:\WINDOWS\system32\sporder.dll
2008-01-15 16:11 . 2008-01-15 16:11 <DIR> d-------- C:\Program Files\McAfee
2008-01-15 16:11 . 2008-01-15 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-15 16:10 . 2008-01-15 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-01-15 16:10 . 2005-08-16 16:18 80,640 --a------ C:\WINDOWS\system32\drivers\MpFirewall.sys
2008-01-15 16:10 . 2005-08-16 16:13 9,216 --a------ C:\WINDOWS\system32\MpfApi.dll
2008-01-15 16:08 . 2005-08-10 11:22 114,464 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2008-01-15 16:06 . 2008-01-15 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-15 16:05 . 2008-01-15 16:13 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-15 16:05 . 2005-09-19 16:13 349,760 -ra------ C:\WINDOWS\system32\mcinsctl.dll
2008-01-15 16:05 . 2005-09-19 16:13 288,320 -ra------ C:\WINDOWS\system32\mcgdmgr.dll
2008-01-15 16:04 . 2008-01-15 16:04 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-15 15:40 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-15 15:40 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-15 15:39 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-15 15:39 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-15 15:29 . 2008-01-15 15:29 <DIR> d-------- C:\Program Files\G-Lock Software
2008-01-15 15:14 . 2008-01-15 15:36 <DIR> d-------- C:\Program Files\Google
2008-01-15 14:58 . 2008-01-15 15:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-15 13:48 . 2008-01-15 13:48 24,576 --a------ C:\WINDOWS\system32\winbug32.dll
2008-01-15 13:12 . 2008-01-15 13:12 <DIR> d-------- C:\Program Files\iTunes Art Importer
2008-01-15 12:52 . 2008-01-15 12:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-15 12:45 . 2008-01-15 20:34 <DIR> d-------- C:\Documents and Settings\John\Application Data\AVG7
2008-01-15 12:45 . 2008-01-15 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-15 10:14 . 2008-01-15 20:33 <DIR> d-------- C:\Program Files\iTunes
2008-01-15 10:14 . 2008-01-15 10:14 <DIR> d-------- C:\Program Files\iPod
2008-01-15 09:49 . 2008-01-15 14:02 <DIR> d-------- C:\Documents and Settings\John\Application Data\Azureus
2008-01-15 09:49 . 2008-01-15 09:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-15 09:31 . 2008-01-15 09:31 <DIR> d-------- C:\Program Files\LimeWire
2008-01-15 09:31 . 2008-01-15 11:15 <DIR> d-------- C:\Documents and Settings\John\Application Data\LimeWire
2008-01-15 09:11 . 2008-01-15 09:11 <DIR> d-------- C:\Program Files\Azureus
2008-01-14 22:26 . 2008-01-14 22:26 <DIR> d-------- C:\Documents and Settings\John\Application Data\MSNInstaller
2008-01-14 22:06 . 2008-01-14 22:10 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-14 20:25 . 2008-01-14 20:25 <DIR> d-------- C:\Documents and Settings\John\Application Data\Apple Computer
2008-01-14 20:25 . 2008-01-15 17:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-14 20:25 . 2008-01-14 20:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-14 20:23 . 2008-01-15 14:06 <DIR> d-------- C:\Program Files\QuickTime
2008-01-14 20:23 . 2008-01-14 20:23 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-14 20:23 . 2008-01-14 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-14 20:23 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-14 20:22 . 2008-01-14 20:22 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-14 20:22 . 2008-01-14 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-14 19:40 . 2008-01-14 19:40 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-14 19:39 . 2008-01-14 19:39 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-14 19:38 . 2008-01-14 19:39 <DIR> d-------- C:\WINDOWS\ShellNew
2008-01-14 19:38 . 2008-01-14 19:38 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-01-14 10:05 . 2007-06-30 14:46 <DIR> d-------- C:\Documents and Settings\John\Application Data\ThinkVantage
2008-01-14 10:05 . 2008-01-14 20:00 <DIR> d-------- C:\Documents and Settings\John\Application Data\Symantec
2008-01-14 10:05 . 2008-01-14 22:25 <DIR> d-------- C:\Documents and Settings\John\Application Data\Lenovo
2008-01-05 11:22 . 2008-01-05 11:22 <DIR> d-------- C:\Program Files\Tiscali

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-14 22:25 --------- d-----w C:\Program Files\Lenovo
2008-01-14 22:25 --------- d-----w C:\Program Files\Common Files\Lenovo
2008-01-14 22:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-14 22:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lenovo
2008-01-14 07:45 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS
2007-06-30 14:20 32,768 -csha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.
<pre>
----a-w		   579,072 2008-01-15 16:51:46  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w		   219,136 2008-01-15 16:53:47  C:\Program Files\Grisoft\AVG7\avgw .exe
----a-w		 1,117,184 2008-01-15 16:51:41  C:\Program Files\McAfee\SpamKiller\MSKDET~1 .EXE
----a-w		   303,104 2008-01-15 16:51:35  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w		   999,424 2008-01-15 16:51:40  C:\Program Files\McAfee.com\Personal Firewall\MpfTray .exe
----a-w		   131,072 2008-01-15 16:51:42  C:\Program Files\McAfee.com\Shared\mcappins .exe
----a-w		   151,552 2008-01-15 16:51:35  C:\Program Files\McAfee.com\VSO\mcmnhdlr .exe
----a-w		   163,840 2008-01-15 16:50:46  C:\Program Files\McAfee.com\VSO\mcvsshld .exe
----a-w			53,248 2008-01-15 16:50:36  C:\Program Files\McAfee.com\VSO\OasClnt .exe
----a-w			15,360 2008-01-15 16:04:48  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-15_21.54.45.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-15 21:49:54 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-16 21:14:20 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-15 21:49:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-16 21:14:20 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-15 21:49:54 1,757,184 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-16 21:14:20 1,757,184 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-15 21:49:54 102,400 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-16 21:14:20 102,400 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-15 21:49:54 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-16 21:14:20 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-15 21:49:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-16 21:14:20 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DF4AF96-3F1C-4D07-AA6A-176B44884F2C}]
C:\WINDOWS\system32\pmkjk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 07:40 89542 C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-11 09:36 16267776 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 09:04 2879488 C:\WINDOWS\SkyTel.exe]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2007-11-30 13:47 847872]
"Winupdate Engine"="C:\WINDOWS\system32\wupeng.exe" [2008-01-15 21:57 12288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-15 16:47 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbug32]
winbug32.dll 2008-01-15 13:48 24576 C:\WINDOWS\system32\winbug32.dll

S1 PMHler;PMHler;C:\WINDOWS\system32\drivers\PMHler.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 20:23:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 21:16:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\winbug32.dll
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
.
Completion time: 2008-01-17 21:16:25
ComboFix-quarantined-files.txt 2008-01-17 21:16:23
ComboFix2.txt 2008-01-15 21:55:04
