Hello,
In order to kill the trojan BackDoor.generic11.IZV detected by AVG anti-virus, I followed the instructions from http://gladiator-antivirus.com/forum/index...showtopic=88077 and I ran ComboFix with the same CFScript.txt instructions.
It seems the trojan is still resident in the computer. Can you help me to kill the trojan? Below find my ComboFix log after it ran with the CFScript.txt settings. Many thanks!
ComboFix 09-05-03.3 - george 04/05/2009 13:27.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.1182 [GMT 3:00]
Running from: c:\users\george\Desktop\ComboFix.exe
Command switches used :: c:\users\george\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
FILE ::
c:\users\kweeki\AppData\Local\Temp\ovfsthx000
c:\windows\system32\drivers\ovfsthsreeyqctpppoxptmqptvoihkwpvevdsq.sys
c:\windows\system32\drivers\ovfsthsreeyqctpppoxptmqptvoihkwpvevdsq.sys.vir
c:\windows\system32\ovfstheuqwxbthfwvbyrjroeepcebmqiysipiq.dat
c:\windows\system32\ovfsthfpqlvttfrpxymflcxxrqmncssbgtousm.dll
c:\windows\system32\ovfsthhhasedpkjwopctldwnqkjjdrgofbuqmq.dll
c:\windows\system32\ovfsthipstoivbiqfdgvuvyvmvekqbtuvuhrvk.dll.vir
c:\windows\system32\ovfsthlog.dat
c:\windows\system32\ovfsthmtdfqlvxvqipivcacvkgumodqtddjvqd.dat
c:\windows\system32\ovfsthrrhrsncgexxtyovrfddjxwotikrqtxwb.dll.vir
c:\windows\system32\ovfsthruenxtxgybroippibrqwktlofavvceje.dll
c:\windows\TEMP\ovfsthxvmrrtphbo.tmp
.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.
2009-05-04 09:20 . 2009-05-04 09:20 -------- d-----w c:\program files\Sophos
2009-05-03 18:39 . 2009-05-03 18:39 -------- d-sh--w C:\Fix-It
2009-05-03 16:05 . 2009-05-04 10:24 2207776 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-03 15:49 . 2009-05-03 17:48 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-05-03 15:49 . 2009-05-03 15:49 -------- d-----w c:\programdata\ParetoLogic Anti-Virus PLUS
2009-05-03 15:49 . 2009-05-03 15:49 -------- d-----w c:\users\All Users\ParetoLogic Anti-Virus PLUS
2009-05-03 15:49 . 2009-05-03 17:48 -------- d-----w c:\programdata\ParetoLogic
2009-05-03 15:49 . 2009-05-03 17:48 -------- d-----w c:\users\All Users\ParetoLogic
2009-05-03 14:53 . 2009-05-04 08:57 -------- d--h--w C:\$AVG8.VAULT$
2009-05-03 14:50 . 2009-05-03 14:55 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 14:50 . 2009-05-03 14:55 12552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-05-03 14:50 . 2009-05-03 14:55 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-03 14:50 . 2009-05-03 14:55 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 14:50 . 2009-05-04 09:06 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-03 08:06 . 2009-05-03 08:08 -------- d-----w c:\program files\The KMPlayer
2009-05-02 16:19 . 2009-05-02 16:19 -------- d-----w c:\users\george\AppData\Roaming\Malwarebytes
2009-05-02 16:19 . 2009-04-06 12:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 16:19 . 2009-04-06 12:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 16:19 . 2009-05-02 16:19 -------- d-----w c:\programdata\Malwarebytes
2009-05-02 16:19 . 2009-05-02 16:19 -------- d-----w c:\users\All Users\Malwarebytes
2009-05-02 16:19 . 2009-05-02 16:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-02 16:14 . 2009-05-02 16:14 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-05-02 16:14 . 2009-05-02 16:14 -------- d-----w c:\users\All Users\SUPERAntiSpyware.com
2009-05-02 16:14 . 2009-05-03 14:48 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-02 16:14 . 2009-05-03 14:48 -------- d-----w c:\users\george\AppData\Roaming\SUPERAntiSpyware.com
2009-05-02 16:05 . 2009-05-02 16:05 -------- d-----w c:\program files\Yahoo!
2009-05-02 14:41 . 2009-05-02 14:41 -------- d-----w c:\program files\AVG
2009-05-02 14:41 . 2009-05-04 06:20 -------- d-----w c:\programdata\avg8
2009-05-02 14:41 . 2009-05-04 06:20 -------- d-----w c:\users\All Users\avg8
2009-05-02 13:47 . 2009-05-02 13:47 -------- d-----w c:\program files\VistaCodecPack
2009-05-02 13:46 . 2009-05-02 13:46 -------- d-----w c:\programdata\VistaCodecs
2009-05-02 13:46 . 2009-05-02 13:46 -------- d-----w c:\users\All Users\VistaCodecs
2009-04-28 16:24 . 2009-04-28 18:37 -------- d-----w c:\windows\BDOSCAN8
2009-04-27 10:49 . 2009-04-27 11:04 -------- d-----w c:\program files\Links Extractor 1.4
2009-04-25 09:52 . 2009-04-25 09:52 -------- d-----w c:\program files\Common Files\SourceTec
2009-04-25 09:52 . 2009-04-25 09:52 -------- d-----w c:\program files\SourceTec
2009-04-24 12:53 . 2009-05-03 14:04 -------- d-----w c:\users\george\AppData\Roaming\BSplayer PRO
2009-04-24 12:53 . 2009-04-24 12:53 3 ----a-w c:\users\george\AppData\Local\Codec_Setup_1240.exe
2009-04-22 17:59 . 2009-04-22 17:59 1033728 ----a-w c:\windows\system32\VSFilter.dll
2009-04-19 10:25 . 2009-04-19 10:25 -------- d-----w c:\program files\Common Files\xing shared
2009-04-19 10:25 . 2009-04-19 10:25 -------- d-----w c:\program files\Common Files\Real
2009-04-19 10:25 . 2009-04-19 10:25 -------- d-----w c:\program files\Real
2009-04-08 07:17 . 2009-04-09 08:09 -------- d-----w c:\users\george\AppData\Local\Microsoft Games
2009-04-04 21:11 . 2009-04-04 21:11 -------- d-----w c:\program files\Common Files\PX Storage Engine
2009-04-04 21:11 . 2009-04-04 21:11 -------- d-----w c:\users\george\AppData\Local\Google
2009-04-04 21:11 . 2009-04-04 21:11 -------- d-----w c:\windows\system32\IOSUBSYS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 10:24 . 2009-04-01 07:55 488 ----a-w c:\windows\Tasks\1-Click Maintenance.job
2009-05-04 10:23 . 2006-11-02 13:01 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-04 10:22 . 2009-05-03 16:05 32372 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-03 18:29 . 2009-05-03 16:05 444 ----a-w c:\windows\Tasks\ParetoLogic Registration.job
2009-05-03 14:43 . 2009-05-03 14:11 518 ----a-w c:\windows\Tasks\Malwarebytes' Scheduled Scan for george.job
2009-05-03 14:43 . 2009-05-03 14:11 504 ----a-w c:\windows\Tasks\Malwarebytes' Scheduled Update for george.job
2009-05-03 14:43 . 2009-04-28 10:19 434 ----a-w c:\windows\Tasks\At1.job
2009-05-03 14:36 . 2009-03-19 16:22 -------- d-----w c:\program files\Nero
2009-05-02 14:14 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2009-04-15 15:08 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-04 21:11 . 2009-03-19 16:17 -------- d-----w c:\program files\Google
2009-04-04 08:20 . 2009-04-04 08:20 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-04-02 12:21 . 2009-04-02 12:21 84480 ----a-w c:\windows\system32\ff_vfw.dll
2009-04-01 18:12 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-01 18:12 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-04-01 18:12 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-01 17:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Sidebar
2009-04-01 17:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Journal
2009-04-01 17:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Collaboration
2009-04-01 17:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Calendar
2009-04-01 17:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Photo Gallery
2009-04-01 17:56 . 2006-11-02 12:37 -------- d-----w c:\program files\Windows Defender
2009-04-01 17:56 . 2006-11-02 10:25 665600 ----a-w c:\windows\inf\drvindex.dat
2009-04-01 17:41 . 2006-11-02 10:32 101888 ----a-w c:\windows\system32\ifxcardm.dll
2009-04-01 17:41 . 2006-11-02 10:32 82432 ----a-w c:\windows\system32\axaltocm.dll
2009-04-01 11:50 . 2007-08-21 07:49 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-01 11:34 . 2009-04-01 11:25 -------- d-----w c:\program files\InfoCompanies
2009-04-01 07:55 . 2009-04-01 07:55 603904 ----a-w c:\windows\system32\TUProgSt.exe
2009-04-01 07:55 . 2009-04-01 07:55 360192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-04-01 07:55 . 2009-04-01 07:55 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-03-31 17:35 . 2009-03-19 16:20 -------- d-----w c:\program files\Ontrack
2009-03-31 17:34 . 2007-08-21 07:57 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-30 08:57 . 2009-03-30 08:57 269312 ----a-w c:\windows\system32\es.dll
2009-03-26 19:11 . 2009-03-26 19:11 61440 ----a-w c:\windows\system32\winipsec.dll
2009-03-26 19:11 . 2009-03-26 19:11 28672 ----a-w c:\windows\system32\FwRemoteSvr.dll
2009-03-26 19:11 . 2009-03-26 19:11 361984 ----a-w c:\windows\system32\IPSECSVC.DLL
2009-03-26 19:11 . 2009-03-26 19:11 272896 ----a-w c:\windows\system32\polstore.dll
2009-03-26 19:08 . 2009-03-26 19:08 94720 ----a-w c:\windows\system32\PortableDeviceClassExtension.dll
2009-03-26 19:08 . 2009-03-26 19:08 241152 ----a-w c:\windows\system32\PortableDeviceApi.dll
2009-03-26 19:08 . 2009-03-26 19:08 160768 ----a-w c:\windows\system32\PortableDeviceTypes.dll
2009-03-26 19:00 . 2009-03-26 19:00 296960 ----a-w c:\windows\system32\gdi32.dll
2009-03-26 18:58 . 2009-03-26 18:58 212480 ----a-w c:\windows\system32\drivers\mrxsmb10.sys
2009-03-26 18:57 . 2009-03-26 18:57 28672 ----a-w c:\windows\system32\Apphlpdm.dll
2009-03-26 18:57 . 2009-03-26 18:57 2560 ----a-w c:\windows\AppPatch\AcRes.dll
2009-03-26 18:57 . 2009-03-26 18:57 460288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2009-03-26 18:57 . 2009-03-26 18:57 2154496 ----a-w c:\windows\AppPatch\AcGenral.dll
2009-03-26 18:57 . 2009-03-26 18:57 541696 ----a-w c:\windows\AppPatch\AcLayers.dll
2009-03-26 18:57 . 2009-03-26 18:57 52736 ----a-w c:\windows\AppPatch\iebrshim.dll
2009-03-26 18:57 . 2009-03-26 18:57 173056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2009-03-26 18:57 . 2009-03-26 18:57 4240384 ----a-w c:\windows\system32\GameUXLegacyGDFs.dll
2009-03-26 18:57 . 2009-03-26 18:57 1695744 ----a-w c:\windows\system32\gameux.dll
2009-03-26 18:56 . 2009-03-26 18:56 303616 ----a-w c:\windows\system32\wmpeffects.dll
2009-03-26 18:55 . 2009-03-26 18:55 1191936 ----a-w c:\windows\system32\msxml3.dll
2009-03-26 18:55 . 2009-03-26 18:55 2048 ----a-w c:\windows\system32\msxml3r.dll
2009-03-26 18:50 . 2009-03-26 18:50 2048 ----a-w c:\windows\system32\tzres.dll
2009-03-26 18:49 . 2009-03-26 18:49 428544 ----a-w c:\windows\system32\EncDec.dll
2009-03-26 18:49 . 2009-03-26 18:49 293376 ----a-w c:\windows\system32\psisdecd.dll
2009-03-26 18:47 . 2009-03-26 18:47 8147456 ----a-w c:\windows\system32\wmploc.DLL
2009-03-26 18:47 . 2009-03-26 18:47 7680 ----a-w c:\windows\system32\spwmp.dll
2009-03-26 18:47 . 2009-03-26 18:47 4096 ----a-w c:\windows\system32\dxmasf.dll
2009-03-26 18:42 . 2009-03-26 18:42 2927104 ----a-w c:\windows\explorer.exe
2009-03-26 18:33 . 2009-03-26 18:33 6656 ----a-w c:\windows\system32\kbd106n.dll
2009-03-26 18:33 . 2009-03-26 18:33 988216 ----a-w c:\windows\system32\winload.exe
2009-03-26 18:33 . 2009-03-26 18:33 927288 ----a-w c:\windows\system32\winresume.exe
2009-03-26 18:33 . 2009-03-26 18:33 40960 ----a-w c:\windows\system32\srclient.dll
2009-03-26 18:33 . 2009-03-26 18:33 378368 ----a-w c:\windows\system32\srcore.dll
2009-03-26 18:33 . 2009-03-26 18:33 318464 ----a-w c:\windows\system32\rstrui.exe
2009-03-26 18:33 . 2009-03-26 18:33 46592 ----a-w c:\windows\system32\setbcdlocale.dll
2009-03-26 18:33 . 2009-03-26 18:33 19000 ----a-w c:\windows\system32\kd1394.dll
2009-03-26 18:33 . 2009-03-26 18:33 14848 ----a-w c:\windows\system32\srdelayed.exe
2009-03-26 18:33 . 2009-03-26 18:33 615992 ----a-w c:\windows\system32\ci.dll
2009-03-26 18:30 . 2009-03-26 18:30 712704 ----a-w c:\windows\system32\WindowsCodecs.dll
2009-03-26 18:30 . 2009-03-26 18:30 425472 ----a-w c:\windows\system32\PhotoMetadataHandler.dll
2009-03-26 18:30 . 2009-03-26 18:30 347136 ----a-w c:\windows\system32\WindowsCodecsExt.dll
2009-03-26 18:26 . 2009-03-26 18:26 443392 ----a-w c:\windows\system32\win32spl.dll
2009-03-26 18:26 . 2009-03-26 18:26 37888 ----a-w c:\windows\system32\printcom.dll
2009-03-26 18:26 . 2009-03-26 18:26 14848 ----a-w c:\windows\system32\wshrm.dll
2009-03-26 18:26 . 2009-03-26 18:26 113664 ----a-w c:\windows\system32\drivers\rmcast.sys
2009-03-26 18:24 . 2009-03-26 18:24 288768 ----a-w c:\windows\system32\drivers\srv.sys
2009-03-26 18:22 . 2009-03-26 18:22 268288 ----a-w c:\windows\system32\schannel.dll
2009-03-26 18:19 . 2009-03-26 18:19 622080 ----a-w c:\windows\system32\icardagt.exe
2009-03-26 18:19 . 2009-03-26 18:19 11264 ----a-w c:\windows\system32\icardres.dll
2009-03-26 18:19 . 2009-03-26 18:19 97800 ----a-w c:\windows\system32\infocardapi.dll
2009-03-26 18:19 . 2009-03-26 18:19 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-26 18:19 . 2009-03-26 18:19 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll
2009-03-26 18:19 . 2009-03-26 18:19 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll
2009-03-26 18:19 . 2009-03-26 18:19 326160 ----a-w c:\windows\system32\PresentationHost.exe
2009-03-26 18:12 . 2009-03-26 18:12 96760 ----a-w c:\windows\system32\dfshim.dll
2009-03-26 18:12 . 2009-03-26 18:12 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-03-26 18:12 . 2009-03-26 18:12 83968 ----a-w c:\windows\system32\mscories.dll
2009-03-26 18:12 . 2009-03-26 18:12 282112 ----a-w c:\windows\system32\mscoree.dll
2009-03-26 18:12 . 2009-03-26 18:12 158720 ----a-w c:\windows\system32\mscorier.dll
2009-03-26 18:06 . 2009-03-26 18:06 98816 ----a-w c:\windows\system32\mfps.dll
2009-03-26 18:06 . 2009-03-26 18:06 53248 ----a-w c:\windows\system32\rrinstaller.exe
2009-03-26 18:06 . 2009-03-26 18:06 2868736 ----a-w c:\windows\system32\mf.dll
2009-03-26 18:06 . 2009-03-26 18:06 24576 ----a-w c:\windows\system32\mfpmp.exe
2009-03-26 18:06 . 2009-03-26 18:06 2048 ----a-w c:\windows\system32\mferror.dll
2009-03-26 18:06 . 2009-03-26 18:06 996352 ----a-w c:\windows\system32\WMNetMgr.dll
2009-03-26 18:06 . 2009-03-26 18:06 94720 ----a-w c:\windows\system32\logagent.exe
2009-03-26 18:05 . 2009-03-26 18:05 84480 ----a-w c:\windows\system32\INETRES.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-04_10.00.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-21 07:36 . 2009-05-04 10:25 37766 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-05-04 10:25 64358 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-19 06:36 . 2009-05-04 09:48 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-19 06:36 . 2009-05-04 10:23 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-19 06:36 . 2009-05-04 09:48 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-19 06:36 . 2009-05-04 10:23 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-19 06:36 . 2009-05-04 09:48 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-19 06:36 . 2009-05-04 10:23 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-19 06:44 . 2009-05-04 10:25 7384 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2371687806-1693908627-1761024271-1000_UserData.bin
- 2009-05-04 09:51 . 2009-05-04 09:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-04 10:23 . 2009-05-04 10:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-04 09:51 . 2009-05-04 09:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-04 10:23 . 2009-05-04 10:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-05-04 10:31 600378 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-05-04 09:57 600378 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-05-04 10:31 105852 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-05-04 09:57 105852 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-22 894248]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-19 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-07-06 4669440]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-06-15 1826816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Toshiba Registration"=c:\program files\Toshiba\Registration\ToshibaRegistration.exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"topi"=c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
"NDSTray.exe"=NDSTray.exe
"Persistence"=c:\windows\system32\igfxpers.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{8B92AB33-9258-4C98-9715-F4A5841201A7}c:\\program files\\opera\\opera.exe"= UDP:c:\program files\opera\opera.exe:Opera Internet Browser
"UDP Query User{132FA200-D1BD-485A-A3D8-176244EEFA7C}c:\\program files\\opera\\opera.exe"= TCP:c:\program files\opera\opera.exe:Opera Internet Browser
"TCP Query User{C9244E63-D42E-4E41-88EB-844EC2063E1F}c:\\program files\\maguma\\tools\\dbglistener.exe"= UDP:c:\program files\maguma\tools\dbglistener.exe:Listener for php debugger DBG
"UDP Query User{F809EAA2-303A-4FEA-BA49-DAF5173DD517}c:\\program files\\maguma\\tools\\dbglistener.exe"= TCP:c:\program files\maguma\tools\dbglistener.exe:Listener for php debugger DBG
"TCP Query User{DE47FF00-0466-43B5-8F67-AE3493DA0755}c:\\xampp\\apache\\bin\\apache.exe"= UDP:c:\xampp\apache\bin\apache.exe:Apache HTTP Server
"UDP Query User{A9B1EF60-0FDF-4479-B7F2-5943B32CCDEA}c:\\xampp\\apache\\bin\\apache.exe"= TCP:c:\xampp\apache\bin\apache.exe:Apache HTTP Server
"TCP Query User{69904C39-C822-4CA3-8D3D-EA4E4F22C181}c:\\program files\\wap gateway\\vampix\\putty.exe"= UDP:c:\program files\wap gateway\vampix\putty.exe:PuTTY Tray
"UDP Query User{BF53739B-C513-4E0F-8751-C460582715F4}c:\\program files\\wap gateway\\vampix\\putty.exe"= TCP:c:\program files\wap gateway\vampix\putty.exe:PuTTY Tray
"TCP Query User{0E282B8A-7B5F-41C3-8022-798EED3458DA}c:\\program files\\opera\\opera.exe"= UDP:c:\program files\opera\opera.exe:Opera Internet Browser
"UDP Query User{6BA66B09-F53D-499A-97BB-D9D6AD766BE0}c:\\program files\\opera\\opera.exe"= TCP:c:\program files\opera\opera.exe:Opera Internet Browser
"{23372437-AF32-418B-B911-C40543BC984A}"= c:\program files\AVG\AVG8\avgam.exe:avgam.exe
"{40EDFA38-33E9-43B0-A40F-06F20E204ABF}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{922B57AF-C7C5-46BB-83C1-4DFC8FDD8652}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{32B55AEE-D49C-4140-9610-932A695DEFCB}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
R2 qefohdvj;Link-Layer Topology Discovery Mapper I/O Helper;c:\windows\System32\svchost.exe [2008-01-19 21504]
R3 MA8630C;MA8630C;c:\windows\system32\DRIVERS\MA8630C.sys [2004-09-14 23248]
R3 MA8630M;MA8630M;c:\windows\system32\DRIVERS\MA8630M.sys [2005-01-25 25428]
R3 MA8630U;MA8630U;c:\windows\system32\DRIVERS\MA8630U.sys [2007-10-31 53586]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-05-03 12552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-03 325896]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-03 108552]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-06-14 17408]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-05-03 908568]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-03 298776]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-04-01 603904]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-01-13 346112]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
qefohdvj
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\shell\AutoRun\command - D:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce9b4ccf-1451-11de-ac68-001644965201}]
\shell\AutoRun\command - D:\StartVMCLite.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce9b4cd8-1451-11de-ac68-001644965201}]
\shell\AutoRun\command - D:\StartVMCLite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-05-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 18:36]
2009-05-03 c:\windows\Tasks\Malwarebytes' Scheduled Scan for george.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-05-02 12:32]
2009-05-03 c:\windows\Tasks\Malwarebytes' Scheduled Update for george.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-05-02 12:32]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redire...1&site=home
FF - ProfilePath - c:\users\george\AppData\Roaming\Mozilla\Firefox\Profiles\m3iw2rrz.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 13:32
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\drivers\ovfsthycnpmxqnvppxijfiifynlbbmqvqtcxpt.sys 83968 bytes executable
c:\windows\system32\ovfsthblmfbaspxqmeghvifbkttnupgmjpacdt.dll 17920 bytes executable
c:\windows\system32\ovfsthcnlqhihqaxctkwrqrxvvwqmttehjyyvq.dat 60306 bytes
c:\windows\system32\ovfsthisdvcprmxwxxkqmyykpjtsovqmkyroqc.dat 43 bytes
c:\windows\system32\ovfsthnwdbvxnvgmxjtcvrlcertdwlqhuedwje.dll 19456 bytes executable
c:\windows\system32\ovfsthrrjaefbeowvvqibdfqxtuiirkxykmeed.dll 61440 bytes executable
c:\windows\system32\ovfsthspriateweyopeccwwxmkecpttprgjibv.dat 6293 bytes
c:\windows\system32\ovfsthtbyiehnqroqfvwapydfqgyuciopsondx.dll 17920 bytes executable
c:\windows\system32\ovfsthwxtrsfsfbvsvktmieduleguchaemcwis.dll 19456 bytes executable
c:\windows\system32\ovfsthxiwpibaapmerekhccdpweoydfdstbqng.dll 61440 bytes executable
c:\windows\system32\ovfsthygprkyjaxyfnjwhuvjsytkeimntffgut.dat 43 bytes
c:\users\george\AppData\Local\Temp\ovfsthx000 0 bytes
scan completed successfully
hidden files: 12
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ovfsthbxpycnrgopqyfjukxuwhixrxqqvvrmix]
"imagepath"="\systemroot\system32\drivers\ovfsthycnpmxqnvppxijfiifynlbbmqvqtcxpt.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
Completion time: 2009-05-04 13:33
ComboFix-quarantined-files.txt 2009-05-04 10:33
ComboFix2.txt 2009-05-04 10:02
Pre-Run: 64,989,138,944 bytes free
Post-Run: 64,964,075,520 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
351 --- E O F --- 2009-05-02 13:38