Hi Shaba,

ComboFix is very impressive. It ran just as described in the instructions. I believe this may have removed Virtumundo for good.

I had a few files which I just could not shake:
1. C:\WINDOWS\system32\pmnoOFwU.dll
2. C:\WINDOWS\system32\urqOGWOF.dll
3. C:\WINDOWS\system32\FOWGOqru.ini

urqFOWGO.dll was attached to the following processes:
1. lsass.exe
2. explorer.exe

There was also a BHO referencing one of the above files, which I could not get rid of. I ran Spybot SD, and checked for those files in the BHO, Process List, and System Startup. They're now gone.

Shaba, thanks a lot for your help. Please let me know if you see anything else in the logs below:


HJT LOG #2
========================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:56 AM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Winamp\winampa.exe
C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\rad3tech.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://server/traxter/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://housecall65.trendmicro.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\My Webs\Active Desktop\rain.html

--
End of file - 6717 bytes

========================================================


COMBOFIX LOG ============================================
========================================================

ComboFix 08-07-21.2 - Administrator 2008-07-30 1:31:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.162 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\windows
C:\Program Files\windows\System32\Resources\1033\sqldmo.rll
C:\Program Files\windows\System32\Resources\1033\sqlsvc.rll
C:\Program Files\windows\System32\sqldmo.dll
C:\Program Files\windows\System32\sqlresld.dll
C:\Program Files\windows\System32\sqlsvc.dll
C:\Program Files\windows\System32\w95scm.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abcfgk.dll
C:\WINDOWS\system32\aefaqjlx.ini
C:\WINDOWS\system32\bhrqbvtm.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cmdbdufe.dll
C:\WINDOWS\system32\djsdmobr.ini
C:\WINDOWS\system32\dvgrny.dll
C:\WINDOWS\system32\efudbdmc.ini
C:\WINDOWS\system32\eilackvv.dll
C:\WINDOWS\system32\emteuarl.ini
C:\WINDOWS\system32\fgfukwdm.ini
C:\WINDOWS\system32\FOWGOqru.ini
C:\WINDOWS\system32\FOWGOqru.ini2
C:\WINDOWS\system32\frcglkve.dll
C:\WINDOWS\system32\fxgcibfm.dll
C:\WINDOWS\system32\hbsuqejj.dll
C:\WINDOWS\system32\hifiruqn.ini
C:\WINDOWS\system32\idiejpny.dll
C:\WINDOWS\system32\iparhpej.dll
C:\WINDOWS\system32\jalinj.dll
C:\WINDOWS\system32\jhecsgdc.dll
C:\WINDOWS\system32\kbznnv.dll
C:\WINDOWS\system32\kenmyxvc.dll
C:\WINDOWS\system32\kpepdl.dll
C:\WINDOWS\system32\kwumorwf.ini
C:\WINDOWS\system32\ldlxbvls.ini
C:\WINDOWS\system32\ltlznb.dll
C:\WINDOWS\system32\mbxaqhgw.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdwkufgf.dll
C:\WINDOWS\system32\mkadpovw.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mtvbqrhb.ini
C:\WINDOWS\system32\niioajxt.dll
C:\WINDOWS\system32\oechxg.dll
C:\WINDOWS\system32\otegpahl.dll
C:\WINDOWS\system32\rbomdsjd.dll
C:\WINDOWS\system32\rqlwgcpt.ini
C:\WINDOWS\system32\saddgymg.dll
C:\WINDOWS\system32\slvbxldl.dll
C:\WINDOWS\system32\svvpdhxo.dll
C:\WINDOWS\system32\tlkelsui.dll
C:\WINDOWS\system32\tmbkkmrd.dll
C:\WINDOWS\system32\urqOGWOF.dll
C:\WINDOWS\system32\uskgmrmx.dll
C:\WINDOWS\system32\vkqcwy.dll
C:\WINDOWS\system32\vuppjduk.dll
C:\WINDOWS\system32\wnbvyxly.dll
C:\WINDOWS\system32\wvopdakm.dll
C:\WINDOWS\system32\ynpjeidi.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.

2008-07-26 20:40 . 2008-07-26 20:40 105,472 --a------ C:\WINDOWS\system32\waodfr.dll
2008-07-26 20:40 . 2008-07-26 20:40 105,472 --a------ C:\WINDOWS\system32\kfigpiwb.dll
2008-07-26 20:40 . 2008-07-26 20:40 83,456 --a------ C:\WINDOWS\system32\xljqafea.dll
2008-07-26 14:36 . 2008-07-26 14:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 23:13 . 2008-07-25 23:13 95 --a------ C:\WINDOWS\wininit.ini
2008-07-25 20:48 . 2008-07-25 20:48 105,472 --a------ C:\WINDOWS\system32\ikdbuz.dll
2008-07-25 20:48 . 2008-07-25 20:48 105,472 --a------ C:\WINDOWS\system32\hiyqapqq.dll
2008-07-25 20:45 . 2008-07-25 20:45 83,456 --a------ C:\WINDOWS\system32\lrauetme.dll
2008-07-25 16:45 . 2008-07-25 16:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-25 16:45 . 2008-07-25 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 21:04 . 2008-07-24 21:03 105,472 --a------ C:\WINDOWS\system32\usnwtc.dll
2008-07-24 21:03 . 2008-07-24 21:03 105,472 --a------ C:\WINDOWS\system32\tspdbdwb.dll
2008-07-24 20:59 . 2008-07-24 20:59 83,456 --a------ C:\WINDOWS\system32\nqurifih.dll
2008-07-16 18:14 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-16 18:01 . 2008-07-16 18:01 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6
2008-07-16 13:57 . 2008-07-16 13:57 <DIR> d-------- C:\Program Files\Panda Security
2008-07-16 09:07 . 2008-07-16 18:00 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-07-15 23:23 . 2008-07-16 18:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6
2008-07-13 23:43 . 2008-07-16 18:01 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-13 09:49 . 2008-07-13 09:52 <DIR> d-------- C:\WINDOWS\system32\olixds01
2008-07-13 09:49 . 2008-07-13 09:49 <DIR> d-------- C:\Temp\stmpv4
2008-07-13 09:49 . 2008-07-13 09:49 <DIR> d-------- C:\Temp
2008-06-30 16:27 . 2008-06-30 16:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-30 16:27 . 2008-06-30 16:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-16 20:29 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-03 15:46 . 2008-06-03 15:46 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Ipswitch
2008-06-03 15:43 . 2008-06-03 15:43 173 --a------ C:\WINDOWS\hpbafd.ini
2008-06-03 15:41 . 2008-06-03 15:41 <DIR> d-------- C:\Documents and Settings\apftq10\Bluetooth Software
2008-06-03 15:41 . 2008-06-03 15:41 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Lavasoft
2008-06-03 15:40 . 2008-06-03 15:40 <DIR> d--h----- C:\Documents and Settings\apftq10\WLANProfiles
2008-06-03 15:40 . 2007-12-19 19:34 17,920 --a------ C:\Documents and Settings\apftq10\Application Data\GDIPFONTCACHEV1.DAT
2008-06-03 15:39 . 2008-05-15 16:51 <DIR> d--h----- C:\Documents and Settings\apftq10\Voisinage réseau
2008-06-03 15:39 . 2005-06-24 13:38 <DIR> d--h----- C:\Documents and Settings\apftq10\Voisinage d'impression
2008-06-03 15:39 . 2008-04-30 12:18 <DIR> d--hs---- C:\Documents and Settings\apftq10\UserData
2008-06-03 15:39 . 2008-04-30 12:18 <DIR> d--h----- C:\Documents and Settings\apftq10\Modèles
2008-06-03 15:39 . 2008-04-30 12:18 <DIR> d-------- C:\Documents and Settings\apftq10\Mes documents
2008-06-03 15:39 . 2008-04-30 12:18 <DIR> dr------- C:\Documents and Settings\apftq10\Menu Démarrer
2008-06-03 15:39 . 2008-06-03 15:41 <DIR> dr------- C:\Documents and Settings\apftq10\Favoris
2008-06-03 15:39 . 2008-06-03 15:49 <DIR> d-------- C:\Documents and Settings\apftq10\Bureau
2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Leadertech
2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\InstallShield
2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\HotSync
2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\CyberLink
2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\ATI
2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Arcsoft
2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\Apple Computer
2008-06-03 15:39 . 2008-04-30 12:17 <DIR> d-------- C:\Documents and Settings\apftq10\Application Data\AdobeUM
2008-06-03 15:39 . 2008-06-03 16:09 <DIR> d-------- C:\Documents and Settings\apftq10
2008-06-02 16:28 . 2008-06-02 16:28 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-06-02 16:28 . 2008-06-02 16:28 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-06-02 16:27 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-06-02 09:27 . 2008-06-02 09:27 <DIR> d-------- C:\Program Files\Microsoft Visual SourceSafe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 19:19 187,888 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-07-14 03:37 --------- d-----w C:\Program Files\Dl_cats
2008-06-14 01:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 13:26 --------- d-----w C:\Program Files\Microsoft Visual Studio .NET 2003
2008-06-06 13:25 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-06-06 13:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-01 19:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2006-10-23 04:18 563,712 ----a-w C:\Documents and Settings\Administrator\gotomypc_370.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZCfgSvc.exe"="C:\WINDOWS\System32\ZCfgSvc.exe" [2004-06-17 12:12 409664]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2004-05-24 15:59 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2004-09-16 16:15 538112]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 08:10 81990]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-12 20:50 33792]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 14:38 69632]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
BTTray.lnk - C:\Program Files\Dell\Bluetooth Software\BTTray.exe [2004-04-26 17:13:54 561213]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\Administrator\My Documents\My Webs\Active Desktop\rain.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-06-17 12:14 180290 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-602162358-725345543-1175\Scripts\Logon\0\0]
"Script"=map.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Wise-FTP Scheduler"=
"DLCCCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
"WinampAgent"=C:\Program Files\Winamp\winampa.exe
"mmtask"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\dlcccoms.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlccPSWX.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2002-12-24 19:52]
R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys [2005-01-31 00:49]
S3 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;C:\CFusionMX\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent []
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;C:\WINDOWS\system32\Drivers\FTD2XX.sys [2005-12-15 15:27]
S3 kazoo;Kazoo.sys Kazoo Device driver;C:\WINDOWS\system32\Drivers\Kazoo.sys [2002-05-08 11:56]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-11-22 20:01]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2005-10-14 04:44]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 08:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a351754e-cf48-11dc-8ce0-da30a7d0d9f3}]
\Shell\AutoRun\command - E:\FOM07.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef45020-edc1-11d9-8c27-000f1f4312e0}]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff7b9f3c-47fc-11db-8c85-000f1f4312e0}]
\Shell\AutoRun\command - D:\setupSNK.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MétéoIMédia - C:\program files\MétéoMédia\MétéoIMédia\WeatherEye.exe
HKLM-Run-mmtask - C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
HKLM-Run-Wise-FTP Scheduler - (no file)
HKLM-RunOnce-dlccUninstallerRan - (no file)
ShellExecuteHooks-{82336A8D-6CD0-4647-B791-75FCA8CF2B39} - C:\WINDOWS\system32\pmnoOFwU.dll
Notify-pmnoOFwU - pmnoOFwU.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://server/traxter/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O17 -: HKLM\CCS\Interface\{09C4B1C0-567F-4806-95D6-8591F403C937}: NameServer = 66.49.220.95,67.55.0.11

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 02:10:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-07-30 2:18:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-30 06:18:36

Pre-Run: 21,760,176,128 bytes free
Post-Run: 21,646,348,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

289 --- E O F --- 2008-06-20 15:14:54