Author Topic: new worm?, avast doesn' know it  (Read 58317 times)


Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #75 on: December 29, 2009, 12:22:50 AM »
Nothing bad seems to be happening on the 'sick' computer. I am online on it posting this message and about to post the logs too. Thank you, thank you, I think it's clean ^^ but I'll let the expert confirm that hehe ^^

Malwarebytes' Anti-Malware 1.42
Database version: 3431
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

28/12/2009 23:14:19
mbam-log-2009-12-28 (23-14-19).txt

Scan type: Quick Scan
Objects scanned: 108481
Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix 09-12-26.01 - Mark 28/12/2009  23:06:48.3.4 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.44.1033.18.3327.2868 [GMT 0:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 091225-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
- REDUCED FUNCTIONALITY MODE -
.

(((((((((((((((((((((((((   Files Created from 2009-11-28 to 2009-12-28  )))))))))))))))))))))))))))))))
.

2009-12-28 14:12 . 2007-07-27 11:00   15360   -c--a-w-   c:\windows\system32\dllcache\ctfmon.exe
2009-12-28 14:12 . 2007-07-27 11:00   15360   ------w-   c:\windows\system32\ctfmon.exe
2009-12-26 09:30 . 2009-12-26 09:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-26 02:24 . 2009-12-26 02:24   52224   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-26 02:20 . 2009-12-26 02:24   117760   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-26 02:19 . 2009-12-26 02:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com
2009-12-26 02:17 . 2009-12-26 02:13   2386270   ----a-w-   C:\MGtools.exe
2009-12-26 01:48 . 2009-12-26 01:47   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-26 01:47 . 2009-12-26 01:47   --------   d-----w-   c:\program files\Java
2009-12-25 13:52 . 2009-12-25 13:52   --------   d-----w-   c:\documents and settings\Mark\.kde
2009-12-25 09:45 . 2009-12-25 09:45   4844295   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-16 21:46 . 2009-09-04 17:44   515416   ----a-w-   c:\windows\system32\XAudio2_5.dll
2009-12-16 21:46 . 2009-09-04 17:44   238936   ----a-w-   c:\windows\system32\xactengine3_5.dll
2009-12-16 21:46 . 2009-09-04 17:29   1974616   ----a-w-   c:\windows\system32\D3DCompiler_42.dll
2009-12-16 21:46 . 2009-09-04 17:29   5501792   ----a-w-   c:\windows\system32\d3dcsx_42.dll
2009-12-16 21:46 . 2009-09-04 17:29   235344   ----a-w-   c:\windows\system32\d3dx11_42.dll
2009-12-16 21:45 . 2009-12-16 21:46   --------   d--h--w-   c:\windows\msdownld.tmp
2009-12-09 15:38 . 2009-12-09 15:38   --------   d-----w-   c:\program files\Microsoft
2009-12-04 05:32 . 2009-09-04 17:29   453456   ----a-w-   c:\windows\system32\d3dx10_42.dll
2009-12-04 05:32 . 2009-09-04 17:29   1892184   ----a-w-   c:\windows\system32\D3DX9_42.dll
2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\Thunderbird
2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Application Data\Thunderbird
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\GNU
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Application Data\gnupg
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\Mark\Application Data\gnupg
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\GNU
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\program files\GNU

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #76 on: December 29, 2009, 12:23:25 AM »

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 23:04 . 2009-02-20 09:52   --------   d-----w-   c:\program files\Steam
2009-12-28 23:04 . 2008-05-07 16:19   --------   d-----w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2
2009-12-26 02:18 . 2008-05-18 11:04   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-12-26 02:05 . 2008-08-04 05:26   --------   d-----w-   c:\program files\EA Games
2009-12-26 02:03 . 2009-02-20 04:33   --------   d-----w-   c:\program files\Konami
2009-12-26 02:00 . 2008-04-26 03:44   --------   d-----w-   c:\program files\THQ
2009-12-26 02:00 . 2008-09-04 13:02   --------   d-----w-   c:\program files\Three Rings Design
2009-12-25 09:45 . 2008-12-15 23:26   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-12-25 03:34 . 2009-09-24 02:54   --------   d-----w-   c:\program files\Pando Networks
2009-12-24 17:13 . 2008-06-11 16:29   --------   d-----w-   c:\program files\mIRC
2009-12-21 04:14 . 2008-05-07 16:20   1   ----a-w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-20 11:52 . 2008-05-18 11:04   --------   d-----w-   c:\program files\AGEIA Technologies
2009-12-18 23:13 . 2008-12-09 03:13   --------   d-----w-   c:\program files\World of Warcraft
2009-12-10 10:33 . 2008-04-25 13:50   --------   d-----w-   c:\documents and settings\Mark\Application Data\.purple
2009-12-04 06:11 . 2008-10-29 11:04   104   ----a-w-   c:\windows\popcinfot.dat
2009-12-03 16:14 . 2008-12-15 23:26   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2008-12-15 23:26   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-11-30 03:11 . 2009-11-22 21:06   --------   d-----w-   c:\program files\FantasyGrounds
2009-11-27 14:16 . 2008-04-25 15:47   --------   d-----w-   c:\documents and settings\Mark\Application Data\gtk-2.0
2009-11-24 23:54 . 2008-12-15 02:08   1280480   ----a-w-   c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-12-15 02:08   93424   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-12-15 02:08   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-12-15 02:08   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-12-15 02:08   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-12-15 02:08   48560   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-12-15 02:08   23120   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-12-15 02:08   27408   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-12-15 02:08   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2009-11-22 21:12 . 2009-11-22 21:12   --------   d-----w-   c:\program files\LogMeIn Hamachi
2009-11-22 21:12 . 2009-04-29 23:42   --------   d-----w-   c:\documents and settings\Mark\Application Data\Hamachi
2009-11-19 22:36 . 2008-11-19 16:41   --------   d-----w-   c:\program files\ooVoo
2009-11-06 10:59 . 2009-11-06 10:59   15406728   ----a-w-   c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59   13642888   ----a-w-   c:\windows\system32\xlivefnt.dll
2009-11-06 04:09 . 2009-11-06 04:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\BioWare
2009-11-03 10:28 . 2009-11-03 10:28   --------   d-----w-   c:\documents and settings\Mark\Application Data\runic games
2009-11-01 16:51 . 2009-11-01 16:48   --------   d-----w-   c:\documents and settings\Mark\Application Data\Red Alert 3 Uprising
2009-10-29 04:59 . 2009-10-29 04:59   1925024   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
.

((((((((((((((((((((((((((((((((((((((((((   SR_Search   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2007-12-19 . 3702A9C76696A70323330FD3879A5408 . 1589248 . . [5.1.2600.3186] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((   SnapShot@2009-12-27_14.35.32   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-28 23:02 . 2009-12-28 23:02   16384              c:\windows\Temp\Perflib_Perfdata_660.dat
+ 2009-12-28 23:03 . 2009-12-28 23:03   16384              c:\windows\Temp\Perflib_Perfdata_4e4.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-13 3660848]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"oovoo.exe"="c:\program files\ooVoo\oovoo.exe" [2009-10-12 17507000]
"Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-24 3558136]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"CTHelper"="CTHELPER.EXE" [2008-02-20 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 19968]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-26 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2007-07-27 53760]

c:\documents and settings\Mark\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #77 on: December 29, 2009, 12:23:50 AM »

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Namco Bandai Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Ntreev\\Grand Chase\\main.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Wizards of the Coast\\Magic Online III\\Renamer.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Outspark\\WindSlayer\\WindSlayer.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\patchget.dat"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\overlord ii\\Overlord2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\overlord ii\\Config.exe"=
"c:\\Program Files\\Electronic Arts\\BattleForge\\Bootstrapper.exe"=
"c:\\Program Files\\Electronic Arts\\BattleForge\\BattleForge.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bookworm adventures volume 2\\BookwormAdventuresVol2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Cyanide\\Blood Bowl\\Autorun\\Exe\\Autorun.exe"=
"c:\\Program Files\\Cyanide\\Blood Bowl\\BB.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\bin_ship\\DAOCharacterCreator.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\command and conquer red alert 3 uprising\\RA3EP1.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\zuma's revenge\\ZumasRevenge.exe"=
"c:\\Program Files\\FantasyGrounds\\FantasyGrounds.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\torchlight\\Torchlight.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"37676:TCP"= 37676:TCP:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:ooVoo UDP port 37677

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15/12/2008 02:08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/12/2008 02:08 20560]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [29/10/2009 12:27 1074568]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
S2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [28/09/2009 16:15 242176]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [06/11/2009 01:10 25832]
S3 EraserUtilDrv10633;EraserUtilDrv10633;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/10/2009 14:45 105216]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/10/2009 14:45 105216]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/10/2009 14:45 105216]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\tz9chjai.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 23:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #78 on: December 29, 2009, 12:24:51 AM »
**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1563985344-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:dd,2f,b8,a0,ed,08,93,98,68,aa,98,88,25,98,8a,a9,04,f3,19,18,5a,6d,91,
   2f,a4,33,79,3f,0b,3b,7e,32,64,d8,78,82,ac,11,57,ad,ae,40,c2,cd,1b,6d,96,52,\
"??"=hex:0e,65,6b,66,be,8d,88,91,f8,ed,7e,ad,e7,93,74,57

[HKEY_USERS\S-1-5-21-776561741-1563985344-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:f1,c5,45,e3,96,ce,70,1a,19,5b,29,ca,c2,83,4b,b8,15,6a,83,db,5f,
   b0,36,32,21,a3,e6,13,b7,97,1e,4b,79,f4,84,44,8a,c4,6c,4a,cb,1d,06,d6,e5,b2,\
"rkeysecu"=hex:34,72,c9,c1,56,cb,ba,37,57,df,7e,31,d4,64,3d,47
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-12-28  23:09:37
ComboFix-quarantined-files.txt  2009-12-28 23:09
ComboFix2.txt  2009-12-27 14:41

Pre-Run: 156,330,991,616 bytes free
Post-Run: 156,298,125,312 bytes free

- - End Of File - - AAFBEE1CF97049301E537C10445AE84D

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: new worm?, avast doesn' know it
« Reply #79 on: December 29, 2009, 03:04:58 AM »
Hi MarkWest,

So far so good. If you can get a hold of an XP disk we can see if there is a file on it that will pass the signature check.

In the meantime we'll check our handiwork. Please be patient, this scan can be quite lengthy but worth it.


Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions.
  • You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Change the Files of type to Text file (.txt).
  • Set the Save In to Desktop.
  • Click the Save button.
  • Please post this log in your next reply.

Please post back with the Kaspersky log and a new OTL scan log taken after the Kaspersky scan.

Thanks


Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #80 on: December 29, 2009, 04:56:48 PM »
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Tuesday, December 29, 2009
 Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Tuesday, December 29, 2009 09:05:42
 Records in database: 3415603
--------------------------------------------------------------------------------

Scan settings:
   scan using the following database: extended
   Scan archives: yes
   Scan e-mail databases: yes

Scan area - My Computer:
   C:\
   D:\
   E:\

Scan statistics:
   Objects scanned: 451781
   Threats found: 6
   Infected objects found: 11
   Suspicious objects found: 0
   Scan duration: 05:31:21


File name / Threat / Threats count
C:\Documents and Settings\Mark\Desktop\installed stuff\mirc62.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
C:\Documents and Settings\Mark\Desktop\mirc632.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.632   1
C:\MGtools.exe   Infected: Trojan-Dropper.Win32.Agent.bjzb   1
C:\Program Files\mIRC\mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\chrome\content\overlay.xul.vir   Infected: Trojan.JS.Gord.a   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kpgmh.sys.vir   Infected: Rootkit.Win32.Agent.aago   1
C:\Stuff that needs to be sorted into proper place\New Folder\mirc616.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.616   1
C:\System Volume Information\_restore{9E4F74B7-17B2-42E8-BBE8-11AEB188B254}\RP497\A0071234.sys   Infected: Rootkit.Win32.Agent.aago   1
E:\Documents and Settings\Mark\Desktop\mirc632.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.632   1
E:\Documents and Settings\Mark\Local Settings\Temp\mirc632.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.632   1
E:\Stuff that needs to be sorted into proper place\New Folder\mirc616.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.616   1

Selected area has been scanned.

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #81 on: December 29, 2009, 04:58:01 PM »

 
OTL logfile created on: 29/12/2009 15:51:57 - Run 2
OTL by OldTimer - Version 3.1.20.1     Folder = C:\Documents and Settings\Mark\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 78.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.74 Gb Total Space | 145.38 Gb Free Space | 31.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 465.74 Gb Total Space | 322.75 Gb Free Space | 69.30% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: BEAST-3DDF91376
Current User Name: Mark
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
========== Processes (SafeList) ==========
 
PRC - [2009/12/29 10:17:22 | 00,139,264 | ---- | M] (Kaspersky Lab.) -- C:\Documents and Settings\Mark\Local Settings\temp\jkos-Mark\binaries\ScanningProcess.exe
PRC - [2009/12/26 10:24:12 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
PRC - [2009/12/26 01:47:55 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/26 01:47:55 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/12/26 01:47:55 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\java.exe
PRC - [2009/12/16 17:22:50 | 00,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/16 16:26:56 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/11/24 23:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 23:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 23:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/10/29 12:27:54 | 01,074,568 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
PRC - [2009/10/24 23:34:04 | 01,217,808 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\steam.exe
PRC - [2009/10/12 18:03:52 | 17,507,000 | ---- | M] (ooVoo LLC) -- C:\Program Files\ooVoo\ooVoo.exe
PRC - [2009/09/28 16:15:58 | 00,242,176 | ---- | M] () -- C:\Program Files\GNU\GnuPG\dirmngr.exe
PRC - [2009/09/03 21:17:14 | 03,342,336 | ---- | M] (Electronic Arts) -- C:\Program Files\Electronic Arts\EADM\Core.exe
PRC - [2009/02/06 16:07:48 | 00,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/08/13 17:06:56 | 03,660,848 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
PRC - [2008/08/03 23:02:20 | 00,036,352 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2008/08/01 06:19:21 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
PRC - [2008/03/14 22:12:50 | 02,580,480 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
PRC - [2008/03/14 22:12:48 | 02,363,392 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
PRC - [2008/03/07 18:24:18 | 00,417,792 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2008/02/20 19:58:46 | 00,019,968 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\Ctxfihlp.exe
PRC - [2008/02/20 19:58:44 | 00,019,456 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CtHelper.exe
PRC - [2008/02/20 19:55:12 | 00,969,216 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTxfispi.exe
PRC - [2007/12/05 00:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/07/27 11:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2007/06/13 10:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/07/28 20:11:12 | 02,109,440 | ---- | M] (mIRC Co. Ltd.) -- C:\Program Files\mIRC\mirc.exe
PRC - [2003/01/27 16:16:58 | 00,376,912 | ---- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2009/12/26 10:24:12 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
MOD - [2008/02/20 19:58:42 | 00,008,704 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\ctagent.dll
MOD - [2006/08/25 15:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2009/12/26 01:47:55 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/11/24 23:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 23:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 23:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 23:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/11/06 01:10:48 | 00,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- c:\Program Files\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/10/29 12:27:54 | 01,074,568 | ---- | M] (LogMeIn Inc.) [Auto | Running] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2009/09/28 16:15:58 | 00,242,176 | ---- | M] () [Auto | Running] -- C:\Program Files\GNU\GnuPG\dirmngr.exe -- (DirMngr)
SRV - [2009/02/18 23:11:00 | 02,806,522 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/08/01 06:19:21 | 00,066,872 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2008/03/07 18:24:18 | 00,417,792 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2007/12/05 00:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
 

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #82 on: December 29, 2009, 04:58:22 PM »
 
========== Driver Services (SafeList) ==========
 
DRV - [2009/12/16 16:27:00 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/12/16 16:26:58 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/16 16:26:56 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/11/24 23:50:59 | 00,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 23:50:12 | 00,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 23:50:00 | 00,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 23:49:07 | 00,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 23:48:57 | 00,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 23:47:54 | 00,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/09/23 09:41:58 | 00,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/08/22 14:44:08 | 00,105,216 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zgwhsnmea.sys -- (zgwhsnmea)
DRV - [2008/08/22 14:43:44 | 00,105,216 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zgwhsmdm.sys -- (zgwhsmdm)
DRV - [2008/08/22 14:43:06 | 00,105,216 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zgwhsdiag.sys -- (zgwhsdiag)
DRV - [2008/04/25 11:26:32 | 00,002,397 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2008/04/13 10:21:50 | 00,017,920 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\Ntaccess.sys -- (NTACCESS)
DRV - [2008/03/21 20:30:04 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/02/25 08:44:38 | 01,172,504 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2008/02/25 08:44:22 | 00,092,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2008/02/25 08:44:08 | 00,157,208 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2008/02/25 08:44:00 | 00,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2008/02/25 08:43:56 | 00,127,000 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2008/02/25 08:43:30 | 00,346,856 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2008/02/25 08:43:24 | 00,524,312 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2008/02/25 08:43:16 | 00,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2008/02/25 08:41:50 | 00,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2008/02/25 08:41:44 | 00,170,520 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2008/02/25 08:41:36 | 01,323,544 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
DRV - [2008/02/25 08:41:28 | 00,329,240 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2008/02/25 08:41:18 | 00,134,680 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2008/02/25 08:41:14 | 00,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTERFXFX.DLL -- (CTERFXFX.DLL)
DRV - [2008/02/25 08:41:10 | 00,286,232 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2008/02/25 08:41:06 | 00,174,104 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
DRV - [2008/02/25 08:41:02 | 00,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTSBLFX.DLL -- (CTSBLFX.DLL)
DRV - [2008/02/25 08:40:56 | 00,551,960 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTAUDFX.DLL -- (CTAUDFX.DLL)
DRV - [2008/02/25 08:40:52 | 00,098,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\COMMONFX.DLL -- (COMMONFX.DLL)
DRV - [2008/01/23 21:25:32 | 00,027,136 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tapvpn.sys -- (tapvpn)
DRV - [2007/12/19 17:35:19 | 00,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2007/12/05 00:41:00 | 07,435,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/11/13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/12 08:32:30 | 00,094,592 | R--- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/08/20 09:05:02 | 00,027,672 | R--- | M] (EnTech Taiwan) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Entech.sys -- (ENTECH)
DRV - [2007/07/27 11:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2003/09/06 13:37:22 | 00,062,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prohlp02.sys -- (prohlp02)
DRV - [2003/09/06 12:27:06 | 00,004,832 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp01.sys -- (sfhlp01)
DRV - [2003/09/06 12:25:52 | 00,051,744 | ---- | M] (Protection Technology) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\prodrv06.sys -- (prodrv06)
DRV - [2003/09/06 12:22:08 | 00,006,944 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prosync1.sys -- (prosync1)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: web@veoh.com:1.4
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/16 17:22:54 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/26 01:48:04 | 00,000,000 | ---D | M]
 
[2009/01/08 20:04:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Mozilla\Extensions
[2009/10/29 19:37:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\tz9chjai.default\extensions
[2009/12/28 23:16:07 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/01/29 03:08:04 | 00,132,528 | ---- | M] (NHN USA Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
[2008/09/10 07:39:42 | 00,075,184 | ---- | M] (NHN USA Inc. ) -- C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
[2008/04/28 20:46:51 | 00,151,552 | ---- | M] (PopCap Games) -- C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll
 

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #83 on: December 29, 2009, 04:58:49 PM »
 
O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Veoh Web Player Video Finder) - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll (Veoh Networks Inc)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKCU..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)
O4 - HKCU..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - HKCU..\Run: [oovoo.exe] C:\Program Files\ooVoo\oovoo.exe (ooVoo LLC)
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [Veoh] C:\Program Files\Veoh Networks\Veoh\VeohClient.exe (Veoh Networks)
O4 - HKCU..\Run: [VeohPlugin] C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe (Veoh Networks)
O4 - Startup: C:\Documents and Settings\Mark\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: com.tw ([asia.msi] http in Trusted sites)
O15 - HKCU\..Trusted Domains: com.tw ([global.msi] http in Trusted sites)
O15 - HKCU\..Trusted Domains: com.tw ([www.msi] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/install.cab (WebSDev Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/21 16:52:22 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/04/21 16:52:22 | 00,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
 

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #84 on: December 29, 2009, 04:59:39 PM »

 
========== Files/Folders - Created Within 30 Days ==========
 
[2009/12/29 10:16:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/12/29 10:13:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi
[2009/12/28 14:12:09 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ctfmon.exe
[2009/12/27 14:24:17 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/12/27 14:23:55 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/12/27 14:23:55 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/12/27 14:23:55 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/12/27 14:23:55 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/12/27 14:23:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/27 14:23:31 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/27 14:18:10 | 04,608,744 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Mark\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[2009/12/26 10:43:42 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
[2009/12/26 02:19:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/12/26 02:18:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\SUPERAntiSpyware.com
[2009/12/26 02:18:52 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/12/26 02:01:17 | 00,000,000 | ---D | C] -- C:\Config.Msi
[2009/12/26 01:51:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/12/26 01:49:41 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Mark\Recent
[2009/12/26 01:48:04 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/26 01:48:04 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/26 01:48:04 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/26 01:48:04 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/26 01:48:04 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/26 01:47:50 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/12/26 01:47:18 | 16,672,544 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Mark\Desktop\jre-6u17-windows-i586.exe
[2009/12/25 13:52:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\.kde
[2009/12/25 04:15:50 | 00,135,360 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Mark\Desktop\FixBlast.exe
[2009/12/20 12:09:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\My Documents\NeocoreGames
[2009/12/16 21:46:07 | 01,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2009/12/16 21:46:07 | 00,515,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_5.dll
[2009/12/16 21:46:07 | 00,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_5.dll
[2009/12/16 21:46:06 | 05,501,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_42.dll
[2009/12/16 21:46:05 | 00,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2009/12/16 21:45:51 | 00,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp
[2009/12/16 21:44:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\My Documents\Sparkplay Media
[2009/12/16 21:44:26 | 00,573,584 | ---- | C] (SparkPlay Media, Inc) -- C:\Documents and Settings\Mark\Desktop\SparkPlayerInstall.exe
[2009/12/09 15:38:57 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/12/04 05:32:04 | 01,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll
[2009/12/04 05:32:04 | 00,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2009/12/02 23:21:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Local Settings\Application Data\Thunderbird
[2009/12/02 23:21:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\Thunderbird
[2009/12/02 23:10:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Gpg4win Documentation
[2009/12/02 23:09:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\gnupg
[2009/12/02 23:09:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\GNU
[2009/12/02 23:09:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\gnupg
[2009/12/02 23:09:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\GNU
[2009/12/02 23:09:24 | 00,000,000 | ---D | C] -- C:\Program Files\GNU
[2009/12/02 23:08:55 | 06,669,256 | ---- | C] (Mozilla) -- C:\Documents and Settings\Mark\Desktop\Thunderbird Setup 2.0.0.23.exe
[2009/12/02 22:46:46 | 36,557,658 | ---- | C] (g10 Code GmbH) -- C:\Documents and Settings\Mark\Desktop\gpg4win-2.0.1.exe
[2009/05/11 19:05:00 | 01,654,869 | ---- | C] (Dynu Systems Inc.) -- C:\Documents and Settings\All Users\Application Data\DynuEncrypt.dll
[2008/08/04 14:55:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/04/25 11:33:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2008/04/21 16:55:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/04/21 16:52:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/04/21 16:52:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/02/20 19:59:14 | 00,034,816 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #85 on: December 29, 2009, 05:00:47 PM »
 
========== Files - Modified Within 30 Days ==========
 
[2009/12/29 10:13:40 | 00,000,021 | ---- | M] () -- C:\WINDOWS\S.dirmngr
[2009/12/29 10:13:17 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/29 10:13:11 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/29 03:05:44 | 00,054,160 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000001-00001102-00000005-00291102}.rfx
[2009/12/29 03:05:44 | 00,054,160 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000001-00001102-00000005-00291102}.rfx
[2009/12/29 03:05:44 | 00,000,788 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000001-00001102-00000005-00291102}.rfx
[2009/12/29 03:05:32 | 05,242,880 | -H-- | M] () -- C:\Documents and Settings\Mark\NTUSER.DAT
[2009/12/29 03:05:32 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Mark\ntuser.ini
[2009/12/28 23:28:59 | 00,000,757 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2009/12/28 23:08:07 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/28 14:23:49 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/27 20:45:36 | 00,102,660 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\SystemLook.exe
[2009/12/27 14:24:23 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/12/27 14:11:14 | 04,608,744 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Mark\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[2009/12/26 23:31:44 | 03,866,444 | R--- | M] () -- C:\Documents and Settings\Mark\Desktop\ComboFix.exe
[2009/12/26 19:03:46 | 00,284,915 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\gmer.zip
[2009/12/26 10:24:12 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
[2009/12/26 02:21:14 | 04,910,518 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\SASDEFINITIONS.EXE
[2009/12/26 02:18:55 | 00,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/26 02:13:16 | 02,386,270 | ---- | M] () -- C:\MGtools.exe
[2009/12/26 02:09:14 | 07,451,168 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\SUPERAntiSpyware.exe
[2009/12/26 01:52:05 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/26 01:52:05 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/12/26 01:50:10 | 00,002,052 | ---- | M] () -- C:\Documents and Settings\Mark\My Documents\cc_20091226_015006.reg
[2009/12/26 01:47:55 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/26 01:47:55 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/26 01:47:55 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/26 01:47:55 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/26 01:47:54 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/26 01:46:20 | 16,672,544 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Mark\Desktop\jre-6u17-windows-i586.exe
[2009/12/26 01:37:09 | 00,112,292 | ---- | M] () -- C:\Documents and Settings\Mark\My Documents\cc_20091226_013623.reg
[2009/12/25 04:07:52 | 00,135,360 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Mark\Desktop\FixBlast.exe
[2009/12/24 03:12:00 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/21 16:28:02 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/19 14:09:24 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/16 21:44:27 | 00,573,584 | ---- | M] (SparkPlay Media, Inc) -- C:\Documents and Settings\Mark\Desktop\SparkPlayerInstall.exe
[2009/12/15 11:24:48 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\gmer.exe
[2009/12/10 23:54:58 | 01,058,225 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\DBM-4.32-r2645-Core-and-WotLK-Mods.zip
[2009/12/09 22:54:07 | 00,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/12/07 17:46:59 | 00,001,622 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Left 4 Dead 2.lnk
[2009/12/06 06:06:45 | 00,002,193 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2009/12/04 06:33:26 | 00,000,024 | ---- | M] () -- C:\url_history.xml
[2009/12/04 06:11:01 | 00,000,104 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/03 05:01:00 | 00,007,227 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\RogueFocus.zip
[2009/12/02 23:10:04 | 06,669,256 | ---- | M] (Mozilla) -- C:\Documents and Settings\Mark\Desktop\Thunderbird Setup 2.0.0.23.exe
[2009/12/02 23:10:04 | 00,001,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Kleopatra.lnk
[2009/12/02 23:10:04 | 00,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GPA.lnk
[2009/12/02 22:47:39 | 36,557,658 | ---- | M] (g10 Code GmbH) -- C:\Documents and Settings\Mark\Desktop\gpg4win-2.0.1.exe
[2009/11/30 03:11:10 | 00,000,760 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Fantasy Grounds.lnk
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #86 on: December 29, 2009, 05:01:14 PM »
 
========== Files Created - No Company Name ==========
 
[2009/12/28 23:03:00 | 00,000,021 | ---- | C] () -- C:\WINDOWS\S.dirmngr
[2009/12/28 14:10:35 | 00,102,660 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\SystemLook.exe
[2009/12/27 14:24:23 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/12/27 14:24:19 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/12/27 14:23:55 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/12/27 14:23:55 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/12/27 14:23:55 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/12/27 14:23:55 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/12/27 14:23:55 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/12/27 14:18:02 | 03,866,444 | R--- | C] () -- C:\Documents and Settings\Mark\Desktop\ComboFix.exe
[2009/12/26 19:56:11 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\gmer.exe
[2009/12/26 19:54:55 | 00,284,915 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\gmer.zip
[2009/12/26 02:23:22 | 04,910,518 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\SASDEFINITIONS.EXE
[2009/12/26 02:18:55 | 00,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/26 02:17:46 | 02,386,270 | ---- | C] () -- C:\MGtools.exe
[2009/12/26 02:17:37 | 07,451,168 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\SUPERAntiSpyware.exe
[2009/12/26 01:50:08 | 00,002,052 | ---- | C] () -- C:\Documents and Settings\Mark\My Documents\cc_20091226_015006.reg
[2009/12/26 01:36:27 | 00,112,292 | ---- | C] () -- C:\Documents and Settings\Mark\My Documents\cc_20091226_013623.reg
[2009/12/10 23:54:58 | 01,058,225 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\DBM-4.32-r2645-Core-and-WotLK-Mods.zip
[2009/12/07 17:46:59 | 00,001,622 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Left 4 Dead 2.lnk
[2009/12/03 05:00:59 | 00,007,227 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\RogueFocus.zip
[2009/12/02 23:10:04 | 00,001,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Kleopatra.lnk
[2009/12/02 23:10:04 | 00,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GPA.lnk
[2009/11/30 03:11:10 | 00,000,760 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Fantasy Grounds.lnk
[2009/11/06 10:58:04 | 00,178,975 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009/10/30 05:48:04 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/26 11:11:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2009/06/06 06:13:38 | 00,000,127 | ---- | C] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\fusioncache.dat
[2009/02/20 09:52:15 | 00,069,024 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/02/20 00:26:19 | 00,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/02/05 13:24:45 | 00,118,176 | ---- | C] () -- C:\WINDOWS\patchw.dll
[2008/12/15 02:04:56 | 00,058,151 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUInstall.LiveUpdate
[2008/10/07 08:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/07/30 12:57:07 | 00,136,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2008/07/30 12:57:07 | 00,022,328 | ---- | C] () -- C:\Documents and Settings\Mark\Application Data\PnkBstrK.sys
[2008/07/20 11:26:31 | 00,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2008/06/05 07:58:26 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/05/19 08:27:25 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/05/19 07:10:07 | 00,230,752 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2008/05/03 00:54:53 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/05/01 22:21:41 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2008/05/01 22:21:41 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2008/04/28 14:39:43 | 00,028,160 | ---- | C] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/27 13:07:32 | 00,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/04/25 11:43:26 | 00,663,552 | ---- | C] () -- C:\WINDOWS\System32\libeay32_1-1-0_DDR.dll
[2008/04/25 11:43:26 | 00,532,594 | ---- | C] () -- C:\WINDOWS\System32\xerces-c_1_40_0_DDR.dll
[2008/04/25 11:43:26 | 00,307,329 | ---- | C] () -- C:\WINDOWS\System32\BJBase_2-2-2_DDR.dll
[2008/04/25 11:43:26 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32_1-1-0_DDR.dll
[2008/04/25 11:43:25 | 00,524,377 | ---- | C] () -- C:\WINDOWS\System32\stlport_4_0_0_DDR.dll
[2008/04/25 11:26:32 | 00,002,397 | ---- | C] () -- C:\WINDOWS\System32\drivers\symlcbrd.sys
[2008/04/22 11:28:21 | 00,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2008/04/22 11:20:09 | 00,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2008/03/31 21:25:46 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\divx_xx0a.dll
[2008/03/21 20:30:08 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/03/21 20:28:54 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/03/21 20:28:54 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/03/21 20:28:20 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/02/25 13:55:32 | 00,101,603 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/02/20 20:24:36 | 00,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/02/20 20:00:12 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2008/01/31 16:18:14 | 00,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys
[2007/12/05 00:41:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/05 00:41:00 | 01,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/12/05 00:41:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/12/05 00:41:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/12/05 00:41:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/08/13 19:45:02 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2006/10/02 16:25:18 | 00,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
< End of report >

oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: new worm?, avast doesn' know it
« Reply #87 on: December 29, 2009, 06:41:25 PM »
Hi MarkWest,

Kaspersky detections are either files we have quarantined or old Restore points. These will be taken care of when we clean up the tools.

Kaspersky also found an Internet chat program, mIRC. It only flagged it as a risk.

Run this little fix. If everything seems fine, we'll clean up the tools when you post back.

Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
Code:
:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
[2009/12/25 04:15:50 | 00,135,360 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Mark\Desktop\FixBlast.exe

:Services

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe" =-
"C:\Program Files\DNA\btdna.exe"=-

:Files
C:\MGtools.exe
C:\Program Files\DNA

:Commands

Then click the Run Fix button at the top
  • Let the program run unhindered
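As an added example (not part of the thread, and not OTL's own code), a small Python parser for the fix-script format pasted above. It lists the registry values and files a fix would remove so the plan can be reviewed before clicking Run Fix; it assumes only the section names and line shapes shown in the post, and the sample script is a copy of that post's fix.

```python
import re
from typing import Dict, List

# Constructed sample: the fix script from the post above (same CLSID and paths).
SAMPLE_FIX = r""":OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
[2009/12/25 04:15:50 | 00,135,360 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Mark\Desktop\FixBlast.exe

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe" =-
"C:\Program Files\DNA\btdna.exe"=-

:Files
C:\MGtools.exe
C:\Program Files\DNA

:Commands
"""

REG_KEY = re.compile(r'^\[(?P<key>[^\]]+)\]$')            # [HKEY_...\List]
REG_VALUE_DELETE = re.compile(r'^"(?P<name>[^"]+)"\s*=-\s*$')  # "name"=- deletes a value
OTL_FILE = re.compile(r'^\[[^\]]+\]\s*\([^)]*\)\s*--\s*(?P<path>.+)$')  # OTL log line


def parse_otl_fix(script: str) -> Dict[str, List[str]]:
    """Return a review plan: what the script would delete, grouped by section."""
    plan: Dict[str, List[str]] = {"registry_values": [], "files": [], "otl_items": []}
    section, current_key = None, None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):           # ":OTL", ":Reg", ":Files", ...
            section, current_key = line[1:].lower(), None
            continue
        if section == "reg":
            m = REG_KEY.match(line)
            if m:                          # remember the key for following values
                current_key = m.group("key")
                continue
            m = REG_VALUE_DELETE.match(line)
            if m and current_key:
                plan["registry_values"].append(f"{current_key}\\{m.group('name')}")
        elif section == "files":           # each line is a file or folder to move
            plan["files"].append(line)
        elif section == "otl":             # scan-log lines: keep the path, or the raw item
            m = OTL_FILE.match(line)
            plan["otl_items"].append(m.group("path") if m else line)
    return plan
```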


Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #88 on: December 29, 2009, 06:54:36 PM »
Ya, I use mIRC and I realize it's there. I do not accept files on it, and all potentially dangerous files are on auto-ignore. About to run the OTL custom scan/fix.

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #89 on: December 29, 2009, 06:55:57 PM »
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
C:\Documents and Settings\Mark\Desktop\FixBlast.exe moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\DNA\btdna.exe not found.
========== FILES ==========
C:\MGtools.exe moved successfully.
File\Folder C:\Program Files\DNA not found.
========== COMMANDS ==========
 
OTL by OldTimer - Version 3.1.20.1 log created on 12292009_175455

Here's the log of the fix. Oh, and I removed DNA myself with Add/Remove earlier, so that might be why it cannot find it.
« Last Edit: December 29, 2009, 06:59:52 PM by Markwest »