
About a worm "recycled/boot.com"

Posted 12/4/2008 6:27 PM
#69424

Wello Member

Date Joined Nov 2016
Total Posts: 2
Hi, I would like to thank you for your great effort with everyone. I have a problem with a worm named "recycled\boot.com"; all drives D, H, G and also drive C showed 2 strange items, a folder and a file. The folder is named "recycled" and the file is named autorun.inf. I got your advice to one of the site visitors who complained of the same problem, where I downloaded "comboFix.exe", and I have followed all the steps and all the precautions you mentioned. Now I am posting the log.txt to you.
Thanks a lot

ComboFix 08-12-03.04 - Wael 2008-12-04 20:28:14.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1256.965.1033.18.963 [GMT 3:00]
Running from: c:\documents and settings\Wael\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\resycled
c:\resycled\boot.com
c:\windows\system32\hpowiax7.dll
c:\windows\system32\kakle.dll
D:\resycled
d:\resycled\boot.com
G:\resycled
g:\resycled\boot.com
H:\Autorun.inf
H:\resycled
h:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-04 18:07 . 2008-12-04 18:07 d-------- c:\documents and settings\Wael\Application Data\Malwarebytes
2008-12-04 18:06 . 2008-12-04 18:06 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 18:06 . 2008-12-04 18:06 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 18:06 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 18:06 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 17:02 . 2008-12-04 17:02 d-------- c:\documents and settings\Administrator
2008-12-03 17:45 . 2008-12-03 17:45 d--h----- c:\windows\PIF
2008-12-02 19:52 . 2008-12-02 19:52 d--hs---- c:\documents and settings\Wael\PrivacIE
2008-12-02 02:07 . 2008-12-02 02:07 d-------- c:\program files\4shared Uploader
2008-12-02 02:07 . 2008-12-02 02:07 d-------- c:\documents and settings\Wael\Application Data\4shared Uploader
2008-11-30 20:23 . 2008-11-30 20:23 d-------- c:\windows\.jagex_cache_32
2008-11-30 20:23 . 2008-11-30 20:29 31 --a------ c:\documents and settings\Wael\jagex_runescape_preferences.dat
2008-11-30 20:22 . 2008-11-30 20:22 d-------- c:\windows\Sun
2008-11-30 19:12 . 2008-11-30 19:12 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-30 19:12 . 2008-11-30 19:12 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-30 15:38 . 2008-11-30 15:38 d-------- c:\program files\Windows Media Connect 2
2008-11-30 15:36 . 2008-11-30 15:36 d-------- c:\windows\system32\LogFiles
2008-11-30 15:36 . 2008-11-30 15:36 d-------- c:\windows\system32\drivers\UMDF
2008-11-28 15:32 . 2008-11-28 15:38 109,696 --a------ c:\windows\hpqins00.dat
2008-11-28 01:18 . 2008-11-28 01:18 d-------- c:\program files\HP
2008-11-26 22:36 . 2008-11-27 01:25 173,483 --------- c:\windows\hpoins28.dat.temp
2008-11-26 22:36 . 2007-12-13 03:01 932 --------- c:\windows\hpomdl28.dat.temp
2008-11-26 16:54 . 2008-11-26 16:54 d-------- c:\program files\RegCure
2008-11-22 20:56 . 2008-11-22 20:56 d-------- c:\program files\Common Files\Adobe AIR
2008-11-22 20:54 . 2008-11-22 20:55 d-------- c:\program files\Common Files\Adobe
2008-11-21 20:10 . 2008-04-14 00:15 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-21 20:10 . 2008-04-14 00:15 10,368 --a------ c:\windows\system32\dllcache\hidusb.sys
2008-11-17 17:31 . 2008-04-14 00:50 361,344 --a------ c:\windows\system32\drivers\tcpip.sys.old
2008-11-16 03:21 . 2008-11-16 03:21 d-------- c:\program files\MSXML 4.0
2008-11-16 00:03 . 2008-11-16 00:03 d-------- c:\documents and settings\Wael\Application Data\Symantec
2008-11-16 00:00 . 2008-11-16 00:00 d-------- c:\program files\Windows Sidebar
2008-11-15 23:58 . 2008-11-15 23:58 d-------- c:\program files\Norton Internet Security
2008-11-15 23:57 . 2008-11-16 01:11 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-15 23:57 . 2008-11-16 01:11 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-15 23:57 . 2008-11-16 01:11 10,671 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-15 23:57 . 2008-11-16 01:11 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-14 16:49 . 2008-11-14 16:49 d-------- c:\documents and settings\Wael\Application Data\BitSpirit
2008-11-14 13:53 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-14 13:48 . 2008-11-14 13:48 d-------- c:\program files\Microsoft Works
2008-11-14 13:47 . 2008-11-14 13:47 d-------- c:\program files\Microsoft.NET
2008-11-14 13:38 . 2008-11-14 13:38 dr-h----- C:\MSOCache
2008-11-11 23:22 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-11 23:14 . 2008-11-11 23:14 d-------- c:\windows\ServicePackFiles
2008-11-11 23:14 . 2008-04-14 05:42 294,912 --------- c:\windows\system32\dllcache\dlimport.exe
2008-11-11 23:11 . 2006-12-29 00:31 19,569 --a------ c:\windows\003082_.tmp
2008-11-10 19:48 . 2008-11-10 19:48 d-------- c:\program files\QuickTime
2008-11-10 19:48 . 2008-11-10 19:48 d-------- c:\program files\Common Files\Apple
2008-11-10 19:44 . 2008-11-10 19:44 d-------- c:\program files\Apple Software Update
2008-11-10 19:44 . 2008-11-10 19:44 d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-10 19:35 . 2008-11-10 19:35 d-------- c:\documents and settings\Wael\Application Data\Apple Computer
2008-11-10 19:31 . 2008-11-10 19:31 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-10 19:31 . 2008-11-10 19:31 1,409 --a------ c:\windows\QTFont.for
2008-11-09 23:55 . 2008-08-14 13:04 138,496 --------- c:\windows\system32\dllcache\afd.sys
2008-11-09 23:51 . 2008-09-15 15:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-11-09 23:50 . 2008-08-14 13:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-09 23:50 . 2008-08-14 13:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-09 23:50 . 2008-08-14 12:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-09 23:50 . 2008-08-14 12:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-09 23:45 . 2008-05-08 17:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2008-11-09 23:42 . 2008-04-11 22:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-11-09 23:32 . 2008-11-09 23:32 d-------- c:\documents and settings\Wael\Application Data\skypePM
2008-11-09 23:32 . 2008-11-09 23:32 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-11-09 23:24 . 2008-11-09 23:24 d--hs---- C:\FOUND.000
2008-11-09 23:03 . 2008-11-09 23:03 d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-09 22:58 . 2008-11-09 22:58 d-------- c:\windows\ShellNew
2008-11-09 02:45 . 2008-11-09 22:59 376 --a------ c:\windows\ODBC.INI
2008-11-09 02:10 . 2008-11-09 02:10 d-------- c:\documents and settings\Wael\Application Data\Media Player Classic
2008-11-09 02:10 . 2008-11-09 02:10 d-------- c:\documents and settings\Wael\Application Data\DivX
2008-11-09 01:19 . 2008-11-09 01:19 d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-09 01:16 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-09 01:12 . 2008-11-09 01:12 d-------- c:\program files\RFA
2008-11-06 22:19 . 2008-11-06 22:19 d-------- c:\documents and settings\Wael\Application Data\HP
2008-11-06 22:15 . 2008-11-06 22:15 d-------- c:\documents and settings\All Users\Application Data\WEBREG
2008-11-06 22:13 . 2008-11-06 22:13 d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-11-06 22:13 . 2007-11-08 17:56 271,704 -ra------ c:\windows\system32\hpzids01.dll
2008-11-06 22:13 . 2007-10-20 18:25 118,272 --------- c:\windows\system32\hpz3l5mu.dll
2008-11-06 22:13 . 2007-10-30 12:25 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
2008-11-06 22:13 . 2007-10-30 12:25 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys
2008-11-06 22:13 . 2007-10-30 12:25 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2008-11-06 22:12 . 2007-10-21 19:45 581,632 -ra------ c:\windows\system32\hpotscl6.dll
2008-11-06 22:12 . 2007-10-30 12:25 372,736 -ra------ c:\windows\system32\hppldcoi.dll
2008-11-06 22:12 . 2007-10-30 12:25 309,760 -ra------ c:\windows\system32\difxapi.dll
2008-11-06 22:12 . 2007-10-21 19:45 303,104 -ra------ c:\windows\system32\hpovst15.dll
2008-11-06 22:12 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-06 22:07 . 2008-11-06 22:07 d-------- c:\program files\Hewlett-Packard
2008-11-06 22:07 . 2008-11-06 22:07 d-------- c:\documents and settings\All Users\Application Data\HP
2008-11-06 22:06 . 2008-11-06 22:06 d-------- c:\program files\Common Files\HP
2008-11-06 22:06 . 2008-11-06 22:06 d-------- c:\program files\Common Files\Hewlett-Packard
2008-11-06 22:05 . 2008-11-06 22:05 d-------- c:\windows\system32\DRVSTORE
2008-11-06 22:04 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-06 22:01 . 2008-11-28 13:02 173,536 --a------ c:\windows\hpoins28.dat
2008-11-06 22:01 . 2007-12-13 03:01 932 --------- c:\windows\hpomdl28.dat
2008-11-06 21:58 . 2008-11-06 21:58 d-------- c:\program files\Secrecy File & Folder Hider
2008-11-06 21:58 . 1999-10-30 02:00 167,936 --a------ c:\windows\system32\ccrpftv6.ocx
2008-11-06 21:57 . 2008-11-06 21:57 d-------- c:\program files\K-Lite Codec Pack
2008-11-06 21:57 . 2008-11-06 21:57 d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-06 21:57 . 2007-01-20 21:26 1,565,480 --a------ c:\windows\system32\wmv9vcm.dll
2008-11-06 21:57 . 2006-11-01 14:52 765,952 --a------ c:\windows\system32\xvidcore.dll
2008-11-06 21:57 . 2006-11-01 14:54 180,224 --a------ c:\windows\system32\xvidvfw.dll
2008-11-06 21:57 . 2006-05-13 23:16 118,784 --a------ c:\windows\system32\ac3acm.acm
2008-11-06 21:57 . 2007-01-09 18:46 10,752 --a------ c:\windows\system32\ff_vfw.dll
2008-11-06 21:57 . 2005-02-24 18:56 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-06 21:56 . 2008-11-06 21:56 d-------- c:\program files\DivX
2008-11-06 21:56 . 2008-11-06 21:56 0 --a------ c:\windows\nsreg.dat
2008-11-06 21:54 . 2008-11-06 21:54 d-------- c:\windows\system32\RMBin
2008-11-06 21:54 . 2008-11-06 21:54 d-------- c:\program files\Real_SC
2008-11-06 21:54 . 2008-11-06 21:54 d-------- C:\Downloads
2008-11-06 21:54 . 2008-11-10 19:22 2,535,424 --a------ c:\windows\system32\agsaamj.dll
2008-11-06 21:54 . 2008-11-10 19:22 1,986,560 --a------ c:\windows\system32\akll.dll
2008-11-06 21:54 . 2008-11-10 19:22 1,245,184 --a------ c:\windows\system32\bkll.dll
2008-11-06 21:54 . 2008-11-10 19:22 1,212,416 --a------ c:\windows\system32\ckll.dll
2008-11-06 21:54 . 2008-11-10 19:22 610,304 --a------ c:\windows\system32\agsaamg.dll
2008-11-06 21:54 . 2008-11-06 21:54 372,736 --a------ c:\windows\system32\agsaamc.dll
2008-11-06 21:54 . 2008-11-10 19:22 196,608 --a------ c:\windows\system32\maag.dll
2008-11-06 21:54 . 2008-11-10 19:22 90,112 --a------ c:\windows\system32\agsaami.dll
2008-11-06 21:54 . 2008-11-06 21:54 53,760 --a------ c:\windows\system\ppacklib.dll
2008-11-06 21:53 . 2008-11-06 21:53 d-------- c:\program files\BitSpirit
2008-11-06 21:48 . 2008-11-06 21:48 d-------- c:\program files\Total Video Converter
2008-11-06 21:48 . 2008-11-06 21:48 d-------- c:\documents and settings\Wael\Application Data\Skype
2008-11-06 21:48 . 2000-05-22 22:58 608,448 --a------ c:\windows\system32\comctl32.ocx
2008-11-06 21:47 . 2008-11-06 21:47 d-------- c:\program files\Skype
2008-11-06 21:47 . 2008-11-06 21:47 d-------- c:\program files\Common Files\Skype
2008-11-06 21:46 . 2008-11-06 21:46 d-------- c:\documents and settings\All Users\Application Data\Skype
2008-11-06 21:44 . 2008-11-06 21:44 d-------- c:\documents and settings\All Users\Application Data\RFA_Backups
2008-11-06 21:39 . 2008-11-06 21:39 d-------- c:\program files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 04:46 --------- d-----w c:\program files\microsoft frontpage
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2007-12-21 2573744]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-06 180269]
"rfagent"="c:\program files\RFA\rfagent.exe" [2007-12-04 916800]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-27 561213]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Secrecy File & Folder Hider]
--a------ 2006-10-11 18:13 49152 c:\program files\Secrecy File & Folder Hider\Secrethider.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hposid01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-25 149352]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-30 935208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-16 99376]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{001792d1-b8b1-11dd-ad99-0002720939e5}]
\Shell\AutoRun\command - I:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{456b94a0-c147-11dd-adb6-0002720939e5}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
\Shell\Open\command - i:\resycled\boot.com f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6adf3465-b7ef-11dd-ad97-80ac5f726381}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com h:
\Shell\Open\command - h:\resycled\boot.com h:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e723066-ae18-11dd-ad7b-0002720939e5}]
\Shell\AutoRun\command - c:\resycled\boot.com j:
\Shell\Open\command - c:\resycled\boot.com j:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{931c961e-ae13-11dd-ad79-0002720939e5}]
\Shell\AutoRun\command - c:\resycled\boot.com k:
\Shell\Open\command - c:\resycled\boot.com k:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5baf9f7-c173-11dd-adb8-0002720939e5}]
\Shell\AutoRun\command - I:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5baf9f8-c173-11dd-adb8-0002720939e5}]
\Shell\AutoRun\command - I:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5baf9f9-c173-11dd-adb8-0002720939e5}]
\Shell\AutoRun\command - I:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5baf9fa-c173-11dd-adb8-0002720939e5}]
\Shell\AutoRun\command - I:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3ef918c-abd3-11dd-b86c-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com d:
\Shell\Open\command - d:\resycled\boot.com d:

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-17 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Wael.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 04:19]

2008-12-04 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 09:20]

2008-12-04 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 09:20]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
uStart Page = hxxp://start.4shared.com/
mLocal Page = c:\windows\pchealth\helpctr\System\panels\blank.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download Using &BitSpirit - c:\program files\BitSpirit\bsurl.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FireFox -: Profile - c:\documents and settings\Wael\Application Data\Mozilla\Firefox\Profiles\8row27cb.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.4shared.com/
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-12-04 20:30:17
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-04 20:30:55
ComboFix-quarantined-files.txt 2008-12-04 17:30:54

Pre-Run: 6,153,175,040 bytes free
Post-Run: 8,589,082,624 bytes free

295 --- E O F --- 2008-11-16 01:30:04

Posted 12/4/2008 8:02 PM
#69430

Wello Member

Date Joined Nov 2016
Total Posts: 2
Thank you very, very, very much, you are wonderful, it works, it is removed, really it is removed, I can't believe it. I was about to do formatting and you saved me a lot. Really you are a genius. Thank you again and again.
Posted 12/6/2008 6:57 AM
#69492

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
That's good news :smile:

Is it still running fine?

Do not PM me with logfiles. They will be deleted.

