hightechenvy
2007-11-09, 03:21
I need some help in detecting what is going on with my system. Spybot says Virtumonde. Below are the HJT log and a ComboFix log. Also, if someone could explain to me what files you look for in these logs, I would be greatly appreciative. Or what exactly do you look for?
ComboFix 07-11-07.4 - Home 2007-11-09 5:04:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1635 [GMT -8:00]
Running from: C:\Documents and Settings\Home\Desktop\Virus Removal\whatever.exe.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\2.tmp
C:\4.tmp
C:\6.tmp
C:\B.tmp
C:\D.tmp
C:\F.tmp
C:\WINDOWS\Downloaded Program Files.\xpreload.ocx
C:\WINDOWS\System32\ddaby.dll
C:\WINDOWS\system32\eaoptxym.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ybadd.ini
C:\WINDOWS\system32\ybadd.ini2
.
---- Previous Run -------
.
C:\2.tmp
C:\4.tmp
C:\6.tmp
C:\B.tmp
C:\D.tmp
C:\F.tmp
C:\WINDOWS\Downloaded Program Files.\xpreload.ocx
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\eaoptxym.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ybadd.ini
C:\WINDOWS\system32\ybadd.ini2
.
((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.
2007-11-09 04:58 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 05:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-11-07 05:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 17:10 159,296 --a------ C:\WINDOWS\system32\jgkdnarm.dll
2007-11-06 17:07 85,568 --a------ C:\WINDOWS\system32\asstgtkb.dll
2007-11-06 04:56 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-11-06 04:56 <DIR> d-------- C:\Temp\mZOr
2007-11-06 04:56 <DIR> d-------- C:\Temp
2007-11-06 04:56 36,352 --a------ C:\WINDOWS\system32\opnlkjg.dll
2007-11-01 20:46 184,320 --a------ C:\WINDOWS\system32\JegIUuMM.dll
2007-10-31 17:54 <DIR> d-------- C:\Program Files\PRTG Traffic Grapher
2007-10-31 13:03 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2007-10-30 17:25 <DIR> d-------- C:\Documents and Settings\Home\Application Data\Hewlett-Packard
2007-10-28 19:54 184,320 --a------ C:\WINDOWS\system32\px43e3SQ.dll
2007-10-20 19:56 <DIR> d-------- C:\Documents and Settings\Home\Application Data\eBookPro6
2007-10-18 17:15 20,480 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-18 17:15 20,480 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-18 17:15 13,952 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-18 17:15 13,952 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-16 20:14 <DIR> d-------- C:\Program Files\Common Files\Vbox
2007-10-11 17:48 <DIR> d-------- C:\Program Files\Extreme Units Converter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 13:12 1,876,820 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity
2007-11-06 16:43 --------- d-----w C:\Documents and Settings\Home\Application Data\CoreFTP
2007-11-06 15:51 1,876,402 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak1
2007-11-04 01:44 693,414 ----a-w C:\WINDOWS\system32\drivers\VirusSignatures.nx
2007-11-04 01:44 28,655,196 ----a-w C:\WINDOWS\system32\drivers\VirusSignatures
2007-11-04 01:44 186,482 ----a-w C:\WINDOWS\system32\drivers\AllowSignatures
2007-11-03 06:10 1,876,250 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak3
2007-11-01 01:54 1,876,098 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak2
2007-10-31 01:20 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-29 20:40 --------- d-----w C:\Documents and Settings\Home\Application Data\AdobeUM
2007-10-23 04:12 23,040 ----a-w C:\WINDOWS\system32\drivers\IpmSecurityAgent1.sys
2007-10-23 04:12 113,152 ----a-w C:\WINDOWS\system32\drivers\IpmSecurityAgent2.sys
2007-10-18 13:48 210,232 ----a-w C:\WINDOWS\system32\salsp.dll
2007-10-17 04:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-30 03:50 8,704 ----a-w C:\sysymot.exe
2007-09-29 06:14 --------- d-----w C:\Program Files\iTunes
2007-09-29 06:14 --------- d-----w C:\Program Files\iPod
2007-09-29 06:14 --------- d-----w C:\Documents and Settings\Home\Application Data\Apple Computer
2007-09-29 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-29 06:13 --------- d-----w C:\Program Files\QuickTime
2007-09-29 06:13 --------- d-----w C:\Program Files\Apple Software Update
2007-09-29 06:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-09-18 00:45 --------- d-----w C:\Program Files\Canon
2007-09-14 04:03 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-09-14 04:03 --------- d-----w C:\Documents and Settings\Home\Application Data\Share-to-Web Upload Folder
2007-09-14 04:02 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-09-14 03:39 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-12 03:30 --------- d-----w C:\Program Files\Common Files\WexTech Shared
2007-09-12 03:30 --------- d-----w C:\Program Files\Common Files\LHSPF
2007-09-12 03:29 --------- d-----w C:\Program Files\Intuit
2007-09-05 05:57 13 ---h--w C:\Documents and Settings\All Users\Application Data\ÐÒÝÃÄ3113›.sys
2007-09-04 03:16 1,385,744 ----a-w C:\WINDOWS\system32\msvbvm60.dll
2007-09-01 06:06 81 ----a-w C:\CTX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-06 04:56 36352 --a------ C:\WINDOWS\System32\opnlkjg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-11-01 20:46 184320 --a------ C:\WINDOWS\System32\JegIUuMM.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3A490EA-C947-4EE9-B751-A7D689472E24}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMONTRAY"="C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe" [2003-01-10 11:08]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 09:22]
"nwiz"="nwiz.exe" [2006-10-22 09:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 09:22]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 01:56 C:\WINDOWS\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 00:00]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2001-12-20 00:00]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 13:23]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 13:57]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 10:24]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-20 13:15]
"SecurityAgentTray"="C:\Program Files\Lightspeed Systems\SecurityAgent\satray.exe" [2007-10-18 05:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 09:42]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"d04a9236"="C:\WINDOWS\System32\asstgtkb.dll" [2007-11-06 17:07]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"WIAWizardMenu"=RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-29 18:34:46]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-09-03 19:20:37]
ZoneAlarm Pro.lnk - C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe [2007-09-01 19:47:07]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\System32\opnlkjg.dll [2007-11-06 04:56 36352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlkjg]
opnlkjg.dll 2007-11-06 04:56 36352 C:\WINDOWS\system32\opnlkjg.dll
R1 IpmSecurityAgent1;Security Agent Filter Driver;C:\WINDOWS\System32\drivers\IpmSecurityAgent1.sys
R1 IpmSecurityAgent2;Security Agent Driver;C:\WINDOWS\System32\drivers\IpmSecurityAgent2.sys
R2 IpmSecurityAgentService;Security Agent Service;C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
R2 iSMBIOS;iSMBIOS;\??\C:\WINDOWS\System32\drivers\iSMBIOS.SYS
R2 PRTGService;PRTG Service;C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
R2 SIODRV;SIODRV;\??\C:\WINDOWS\System32\drivers\SIODRV.SYS
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 smbusp;Intel(R) SMBus 2.0 Driver;C:\WINDOWS\System32\DRIVERS\smb.sys
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 08:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-08 17:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-08 18:00:00 C:\WINDOWS\Tasks\At11.job"
"2007-11-08 19:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-08 20:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-08 21:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-08 22:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-08 23:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-09 00:00:00 C:\WINDOWS\Tasks\At17.job"
"2007-11-09 01:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-09 02:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-09 09:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-09 03:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-09 04:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-09 05:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-09 06:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-09 07:00:00 C:\WINDOWS\Tasks\At24.job"
"2007-11-09 10:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-09 11:00:00 C:\WINDOWS\Tasks\At4.job"
"2007-11-09 12:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-09 13:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-08 14:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-08 15:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-11-08 16:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\50MW47fr.exe
"2007-10-19 04:51:06 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7700#MY38E110GZK5.job"
"2007-11-09 09:46:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 05:10:19
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???p???w^?s?????>?wH ?w???????w*??w4???U??w4???????D8?s4????????&2?????\???\????????H?s????K:?w?????T?w)U?w\???\???????`?a??????C@?\???\??????s????\??????s\????&2?d??s?&2??C@?x??????sx????;?w\?????@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-09 5:10:58 - machine was rebooted
.
--- E O F ---