virtuemonde



aj3816
2007-08-03, 02:21
ComboFix 07-08-03.2 - "Julie" 2007-08-02 16:57:24.1 [GMT -7:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Julie\APPLIC~1\..\err.log>>d-delA.cf
C:\Program Files\Movie Maker\rteseri.html
C:\Program Files\MSN\mexo83122.dll
C:\WINDOWS\b104.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\DOWNLO~1\WinAntiSpyware2007FreeInstall.exe
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\SYSTEM32\ehkmp.bak1
C:\WINDOWS\SYSTEM32\ehkmp.bak2
C:\WINDOWS\SYSTEM32\ehkmp.ini
C:\WINDOWS\system32\pejwbber.dll
C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\qtolp.dll
C:\WINDOWS\system32\vjetwgvp.dll
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\xhelper.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))


2007-08-02 16:54 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 12:51 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-02 12:47 125,504 --a------ C:\WINDOWS\SYSTEM32\lygrgycu.dll
2007-08-02 09:46 169,147 --a------ C:\WINDOWS\TTC-4444.exe
2007-08-02 08:50 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2007-08-02 08:50 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2007-08-02 08:50 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2007-08-01 17:10 <DIR> d-------- C:\WINDOWS\Prefetch
2007-08-01 15:52 <DIR> d-------- C:\WINDOWS\provisioning
2007-08-01 14:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-08-01 14:40 <DIR> d-------- C:\DOCUME~1\Julie\APPLIC~1\MSN6
2007-08-01 14:03 <DIR> d-------- C:\WINDOWS\pss
2007-08-01 12:40 125,504 --a------ C:\WINDOWS\SYSTEM32\octolker.dll
2007-08-01 08:28 4,569 --a------ C:\WINDOWS\SYSTEM32\secupd.dat
2007-08-01 08:28 11,776 --a------ C:\WINDOWS\SYSTEM32\spnpinst.exe
2007-07-31 09:20 125,504 --a------ C:\WINDOWS\SYSTEM32\ggmsnafp.dll
2007-07-30 14:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-30 14:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-30 13:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-30 12:47 84,992 --a------ C:\WINDOWS\WebAssist.dll
2007-07-30 12:43 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-07-30 12:37 <DIR> d-------- C:\DOCUME~1\Julie\.housecall6.6
2007-07-30 11:10 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-30 09:32 <DIR> d--hs---- C:\WINDOWS\Sk9ZQ0UgQVJUSFVS
2007-07-30 09:20 126,016 --a------ C:\WINDOWS\SYSTEM32\pjnpccgx.dll
2007-07-24 14:56 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2007-07-24 14:56 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-07-24 14:56 <DIR> d-------- C:\Program Files\Common Files\WinAntiSpyware 2007
2007-07-24 14:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007
2007-07-24 14:54 <DIR> d-------- C:\Program Files\WinPop
2007-07-24 14:53 <DIR> d-------- C:\Program Files\Common Files\ąppPatch
2007-07-24 14:52 192,603 --a------ C:\WINDOWS\SYSTEM32\pwinkndt.exe
2007-07-24 14:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\??mbols
2007-07-24 14:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\win
2007-07-24 14:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\T7
2007-07-24 14:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\T5
2007-07-24 14:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\T3
2007-07-24 14:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\T11
2007-07-24 14:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\T1
2007-07-24 14:51 <DIR> d-------- C:\Temp\tn3
2007-07-24 14:51 <DIR> d-------- C:\Temp\0c2
2007-07-24 14:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\b02FdUe
2007-07-24 14:50 <DIR> d-------- C:\Temp\brr
2007-07-24 14:50 <DIR> d-------- C:\Temp
2007-07-24 14:50 <DIR> d-------- C:\Program Files\??mantec


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 17:04 --------- d-------- C:\Program Files\Movie Maker
2007-08-02 08:37 --------- d-------- C:\Program Files\Messenger
2007-08-01 15:30 --------- d-------- C:\Program Files\Windows NT
2007-07-24 15:24 --------- d-------- C:\Program Files\??mantec
2007-07-24 14:53 --------- d-------- C:\Program Files\Common Files\?ppPatch
2007-06-04 15:18 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 08:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 08:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 08:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 08:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2006-07-24 15:34 68216 --a------ C:\DOCUME~1\Julie\APPLIC~1\GDIPFONTCACHEV1.DAT
2003-03-31 13:27 5448 --a------ C:\Program Files\serialnumbers.WS
2003-03-31 13:14 2252 --a------ C:\Program Files\delta_cyp.WS
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\Sk9ZQ0UgQVJUSFVS\m46tkXo0kpLomIpm.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ACA3F53-EB66-4CC6-921B-1889033BA80E}]
2007-08-02 06:43 282624 --a------ C:\Program Files\MSN\mexo4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-07-30 12:54 84992 --a------ C:\WINDOWS\WebAssist.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-01 13:02]
"OfficeScanNT Monitor"="C:\OfficeScan NT\pccntmon.exe" [2004-07-06 18:11]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 22:27]
"Regscan"="C:\WINDOWS\System32\regscan.exe" [2001-08-18 05:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\Julie\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-31 07:02:02]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
DESKTOP.INI [2001-08-31 07:02:02]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Movie Maker\rteseri.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyyyv]
yayyyyv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Julie^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Julie\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Julie^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Julie\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mhramvxA]
C:\WINDOWS\mhramvxA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
"C:\OfficeScan NT\pccntmon.exe" -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\System32\octolker.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{D6-6A-A8-8F-ZN}]
C:\windows\system32\mjdsregq.exe SKY009

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Netlogon"=3 (0x3)
"Net Agent"=2 (0x2)
"MvWebServer"=2 (0x2)
"MvServer"=2 (0x2)
"gusvc"=3 (0x3)
"DomainService"=2 (0x2)

R2 NsTrcNT;NsTrcNT;C:\WINDOWS\system32\drivers\nstrcnt.sys
R2 ntrtscan;OfficeScanNT RealTime Scan;C:\OfficeScan NT\ntrtscan.exe
R2 pcscoax;3270 Coax Driver;C:\WINDOWS\system32\drivers\pcscoax.sys
R2 TmFilter;Trend Micro Filter;\??\C:\OfficeScan NT\TmXPFlt.sys
R2 tmlisten;OfficeScanNT Listener;C:\OfficeScan NT\tmlisten.exe
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\OfficeScan NT\TmPreFlt.sys
R2 VSApiNt;Trend Micro VSAPI NT;\??\C:\OfficeScan NT\VSApiNt.sys
R3 KLOGNT;KLOGNT;C:\WINDOWS\system32\drivers\klognt.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys


Contents of the 'Scheduled Tasks' folder
2007-08-02 07:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 16:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-01 17:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-01 18:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 19:00:00 C:\WINDOWS\Tasks\At13.job
2007-08-02 20:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 21:00:02 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 22:00:01 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 23:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-03 00:00:03 C:\WINDOWS\Tasks\At18.job
2007-08-02 01:00:02 C:\WINDOWS\Tasks\At19.job
2007-08-02 08:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 02:00:02 C:\WINDOWS\Tasks\At20.job
2007-08-02 03:00:02 C:\WINDOWS\Tasks\At21.job
2007-08-02 04:00:00 C:\WINDOWS\Tasks\At22.job
2007-08-02 05:00:00 C:\WINDOWS\Tasks\At23.job
2007-08-02 06:00:00 C:\WINDOWS\Tasks\At24.job
2007-08-02 09:00:00 C:\WINDOWS\Tasks\At3.job
2007-08-02 10:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 11:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 12:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 13:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 14:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 15:00:01 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-03 00:12:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 17:09:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000238

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 17:13:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-02 17:13

--- E O F ---
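The log above carries several indicators that are easier to flag by script than by eye: At1.job to At24.job all launching one random-named System32 binary on the hour, three random-named System32 DLLs of exactly 125,504 bytes, a Winlogon Notify package (yayyyyv.dll), a DLL loaded through rundll32 with an export called forkonce, directory names rendered with non-ASCII lookalike letters (??mantec, ąppPatch, ??mbols), and a hidden, system-attributed directory with a base64 name that holds a .vbs. The Python script below is an added example written for this page; it is not part of the original post and is not ComboFix or Spybot code. It parses an excerpt of the posted log, embedded as SAMPLE_LOG, and flags those patterns. The thresholds (three same-size files, two At-jobs sharing a target), the section names and the base64 check are assumptions chosen for the example, not rules ComboFix applies.

```python
import base64
import re
from collections import defaultdict

# Excerpt of the ComboFix log posted above (lines copied as-is; not the whole log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))
2007-08-02 12:47 125,504 --a------ C:\WINDOWS\SYSTEM32\lygrgycu.dll
2007-08-01 12:40 125,504 --a------ C:\WINDOWS\SYSTEM32\octolker.dll
2007-07-31 09:20 125,504 --a------ C:\WINDOWS\SYSTEM32\ggmsnafp.dll
2007-07-30 09:32 <DIR> d--hs---- C:\WINDOWS\Sk9ZQ0UgQVJUSFVS
2007-07-24 14:56 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2007-07-24 14:53 <DIR> d-------- C:\Program Files\Common Files\ąppPatch
2007-07-24 14:50 <DIR> d-------- C:\Program Files\??mantec
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyyyv]
yayyyyv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\System32\octolker.dll",forkonce
Contents of the 'Scheduled Tasks' folder
2007-08-02 07:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 16:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-02 08:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\System32\2BuaAgU2.exe
2007-08-03 00:12:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
"""

BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+$")                                # ((( Section name ))) banners
FILE_LINE = re.compile(r"^\S+\s+\S+\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$")   # date time size attrs path
TASK_LINE = re.compile(r"^\S+\s+\S+\s+C:\\WINDOWS\\Tasks\\(.+?\.job)(?:\s+-\s+(.+))?$")
B64_NAME = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

def split_sections(text):
    """Group lines by ComboFix section banner; the Scheduled Tasks list has a plain header instead."""
    sections, current = defaultdict(list), "header"
    for line in filter(None, map(str.strip, text.splitlines())):
        m = BANNER.match(line)
        if m or line.startswith("Contents of the 'Scheduled Tasks'"):
            current = m.group(1) if m else "Scheduled Tasks"
        else:
            sections[current].append(line)
    return sections

def file_entries(lines):  # yields (size or None for <DIR>, attribute string, path) per 'Files Created' line
    for m in filter(None, map(FILE_LINE.match, lines)):
        size = None if m.group(1) == "<DIR>" else int(m.group(1).replace(",", ""))
        yield size, m.group(2), m.group(3)

def at_job_targets(task_lines, min_jobs=2):
    """One binary run by several At*.job tasks: the 'at' command used to re-launch a payload hourly."""
    targets = defaultdict(list)
    for m in filter(None, map(TASK_LINE.match, task_lines)):
        if m.group(2) and re.fullmatch(r"At\d+\.job", m.group(1)):
            targets[m.group(2)].append(m.group(1))
    return {t: jobs for t, jobs in targets.items() if len(jobs) >= min_jobs}

def size_clusters(files, min_count=3):
    """Distinct System32 files of identical size: typical of several polymorphic drops of one payload."""
    by_size = defaultdict(list)
    for size, _, path in files:
        if size is not None and "system32" in path.lower():
            by_size[size].append(path)
    return {s: p for s, p in by_size.items() if len(p) >= min_count}

def lookalike_paths(files):
    """Paths ComboFix could not render in ASCII ('?') or that carry non-ASCII lookalike letters."""
    return [p for _, _, p in files if "?" in p or any(ord(c) > 127 for c in p)]

def hidden_base64_dirs(files):
    """Hidden directories whose name is base64 for printable ASCII (unusual for a legitimate component)."""
    hits = {}
    for size, attrs, path in files:
        name = path.rsplit("\\", 1)[-1]
        if size is None and "h" in attrs and len(name) % 4 == 0 and B64_NAME.fullmatch(name):
            raw = base64.b64decode(name)  # cannot raise: charset and length were validated above
            if raw.isascii() and raw.decode().isprintable():
                hits[path] = raw.decode()
    return hits

def registry_loaders(reg_lines):
    """Values under Winlogon Notify keys, plus any rundll32-loaded DLL among the loading points."""
    hits, key = [], None
    for line in reg_lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and ("\\winlogon\\notify\\" in key.lower() or line.lower().startswith("rundll32.exe")):
            hits.append((key, line))
    return hits

def triage(text):
    """Run every heuristic over one ComboFix log and return the hits per heuristic."""
    s = split_sections(text)
    files = [e for k, v in s.items() if k.startswith("Files Created") for e in file_entries(v)]
    return dict(at_jobs=at_job_targets(s["Scheduled Tasks"]), size_clusters=size_clusters(files),
                lookalike_paths=lookalike_paths(files), hidden_b64_dirs=hidden_base64_dirs(files),
                registry_loaders=registry_loaders(s["Reg Loading Points"]))

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG).items(), sep="\n")
```

Every hit is a review item, not a verdict. The same-size cluster and the hourly At*.job chain are the strongest signals because neither is easy to produce by accident, and the Windows Defender task is correctly left alone. The Winlogon Notify entry should be compared with the packages a clean XP installation registers before it is treated as malicious, and the lookalike-path check will also catch genuine non-English folder names, so it prompts a look rather than a deletion. Feeding the full log instead of the excerpt works unchanged, since the parser keys on the section banners shown above.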

tashi
2007-08-03, 05:35
Hello.

Please see this stickied topic: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

We ask only for an HJT log and the results of an on-line anti virus scan, until a helper responds and gives further instructions.

Regards.

tashi
2007-08-09, 18:20
This topic has been moved to archives.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.