virtumonde



gr33nhorn
2008-03-25, 15:25
It keeps reappearing, plus some malware tries to connect to the internet via iexplorer.

ComboFix log

ComboFix 08-03-24.1 - Shashank 2008-03-25 10:04:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.546 [GMT 5.5:30]
Running from: C:\Documents and Settings\Shashank\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bcbeg.ini
C:\WINDOWS\system32\bcbeg.ini2
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.ini2
C:\WINDOWS\system32\llnmp.ini
C:\WINDOWS\system32\llnmp.ini2
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-24 22:34 . 2008-03-24 22:48 <DIR> d-------- C:\pebuilder3110a
2008-03-24 20:59 . 2008-03-24 20:59 <DIR> d-------- C:\Documents and Settings\Shashank\Application Data\PCF-VLC
2008-03-24 19:23 . 2008-03-24 19:23 <DIR> d-------- C:\Documents and Settings\Shashank\Application Data\Participatory Culture Foundation
2008-03-14 23:21 . 2008-03-14 23:21 11,306 -rahs---- C:\WINDOWS\system32\VirusRemovalXX.vbs
2008-03-10 21:20 . 2008-03-13 18:02 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 4
2008-03-09 15:48 . 2008-03-09 15:48 43,588 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-09 03:50 . 2008-03-09 03:50 <DIR> d-------- C:\Documents and Settings\Shashank\.netbeans-derby
2008-03-09 03:49 . 2008-03-09 03:49 <DIR> d-------- C:\Documents and Settings\Shashank\.netbeans
2008-03-09 03:15 . 2008-03-09 03:50 <DIR> d-------- C:\Program Files\glassfish-v2
2008-03-09 03:12 . 2008-03-09 03:17 <DIR> d-------- C:\Program Files\NetBeans 6.0
2008-03-09 03:11 . 2008-03-09 03:20 <DIR> d-------- C:\Documents and Settings\Shashank\.nbi
2008-03-06 17:31 . 2008-03-06 17:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-06 17:20 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-06 17:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-06 17:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-06 17:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-06 17:20 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-06 17:14 . 2008-03-06 17:14 <DIR> d---s---- C:\Documents and Settings\Shashank\UserData
2008-03-06 16:44 . 2008-03-06 16:44 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-06 16:40 . 2008-03-08 01:34 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-06 16:40 . 2008-03-06 16:42 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-06 16:39 . 2008-03-06 16:39 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-06 16:38 . 2008-03-06 16:38 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-03-05 20:17 . 2008-03-05 20:17 <DIR> d-------- C:\Program Files\Uniblue
2008-03-05 20:17 . 2008-03-05 20:17 <DIR> d-------- C:\Documents and Settings\Shashank\.LocalCooling
2008-03-05 20:17 . 2008-03-05 20:17 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{7C24407D-548F-4211-9AD3-2549A100B03D}
2008-03-03 20:04 . 2008-03-13 18:02 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 3
2008-03-03 10:56 . 2008-03-03 10:56 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-02 00:20 . 2008-03-02 00:20 <DIR> d-------- C:\Program Files\Universal Extractor
2008-03-01 14:36 . 2008-03-02 13:08 <DIR> d-------- C:\Program Files\Mass Downloader
2008-03-01 13:46 . 2008-03-01 13:46 <DIR> d-------- C:\Program Files\IPMsg
2008-03-01 12:12 . 2007-12-04 20:21 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-01 12:12 . 2007-12-04 20:19 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-01 12:12 . 2007-12-04 20:23 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-01 12:11 . 2008-03-01 12:11 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-01 12:11 . 2007-12-04 18:34 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-01 12:11 . 2004-01-09 14:43 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-01 12:11 . 2007-12-04 18:24 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-01 12:11 . 2007-12-04 20:25 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-01 12:11 . 2007-12-04 20:26 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-28 18:49 . 2008-02-28 18:49 <DIR> d-------- C:\Documents and Settings\Shashank\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 14:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 14:15 --------- d-----w C:\Program Files\Avira
2008-03-13 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-03-13 12:50 --------- d-----w C:\Program Files\Valve
2008-03-10 15:47 --------- d-----w C:\Program Files\Picasa2
2008-03-09 10:02 --------- d-----w C:\Program Files\MultiStage Recovery
2008-03-06 07:13 --------- d-----w C:\Program Files\TrackMania Nations ESWC
2008-03-06 07:13 --------- d-----w C:\Program Files\Smart PC Solutions
2008-03-05 14:16 --------- d-----w C:\Program Files\AskTBar
2008-03-04 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-03 19:33 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-03-02 17:40 --------- d-----w C:\Program Files\MagicDisc
2008-03-02 06:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-03-02 06:27 --------- d-----w C:\Program Files\Opera
2008-03-01 19:10 --------- d-----w C:\Documents and Settings\Shashank\Application Data\MetaProducts
2008-03-01 18:50 --------- d-----w C:\Program Files\Unlocker
2008-03-01 18:25 --------- d-----w C:\Program Files\Winamp
2008-03-01 18:01 --------- d-----w C:\Program Files\DVDVideoSoft
2008-02-28 13:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-24 12:07 --------- d-----w C:\Program Files\Your Freedom
2008-02-24 09:25 --------- d-----w C:\Program Files\IEPro
2008-02-24 09:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-02-23 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-02-17 15:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-17 12:17 --------- d-----w C:\Documents and Settings\Shashank\Application Data\Skype
2008-02-14 16:01 --------- d-----w C:\Program Files\HJT
2008-02-14 13:47 --------- d-----w C:\Program Files\New Utilities
2008-02-14 13:47 --------- d-----w C:\Documents and Settings\Shashank\Application Data\New Utilities
2008-02-14 08:04 --------- d-----w C:\Documents and Settings\Shashank\Application Data\Background Optimizer
2008-02-10 18:31 --------- d-----w C:\Documents and Settings\Shashank\Application Data\iolo
2008-02-10 18:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2008-02-10 12:56 --------- d-----w C:\Program Files\Google
2008-02-09 13:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-09 10:25 --------- d-----w C:\Program Files\Reshade
2008-02-08 13:50 --------- d-----w C:\Documents and Settings\Shashank\Application Data\Smart PC Solutions
2008-02-08 13:49 --------- d-----w C:\Program Files\DaSh
2008-02-07 14:39 --------- d-----w C:\Program Files\Microsoft Web Designer Tools
2008-02-06 14:30 --------- d-----w C:\Program Files\Agnitum
2008-02-06 13:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-06 13:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-05 21:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Winamp
2008-02-03 07:13 --------- d-----w C:\Program Files\Avira GmbH
2008-02-02 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-01 04:30 --------- d-----w C:\Program Files\Background Optimizer
2008-01-31 16:24 --------- d-----w C:\Program Files\Common Files\soft602
2008-01-31 16:23 --------- d-----w C:\Program Files\Software602
2008-01-31 16:23 --------- d-----w C:\Program Files\Common Files\BCL Technologies
2008-01-31 16:23 --------- d-----w C:\Documents and Settings\Shashank\Application Data\InstallShield
2008-01-31 15:25 --------- d-----w C:\Program Files\Trend Micro
2008-01-31 15:25 --------- d-----w C:\Documents and Settings\Shashank\Application Data\Trend Micro
2008-01-30 17:40 --------- d-----w C:\Documents and Settings\Shashank\Application Data\GlarySoft
2008-01-30 17:29 --------- d-----w C:\Program Files\Business Objects
2008-01-30 17:27 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-01-30 17:24 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-30 17:12 --------- d-----w C:\Program Files\Windows Mobile 5.0 SDK R2
2008-01-30 17:12 --------- d-----w C:\Program Files\Microsoft Device Emulator
2008-01-30 17:09 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2008-01-30 17:09 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-01-30 17:00 --------- d-----w C:\Program Files\MSBuild
2008-01-30 16:56 --------- d-----w C:\Program Files\Microsoft SDKs
2008-01-30 16:56 --------- d-----w C:\Program Files\CE Remote Tools
2008-01-30 16:50 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-30 16:45 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-29 18:30 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-01-27 07:55 --------- d-----w C:\Documents and Settings\Shashank\Application Data\IEPro
2008-01-21 18:07 294,912 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18371C9B-0829-4E97-B9DB-76D1590C5E6F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22F7FB9C-C756-4768-A810-10AC5BB1A6B0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26E57B24-AC19-4F80-A7E3-DBB135CA3FB1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CF3A43F-ED10-4A7D-A28F-9516C3BB9F84}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E917309-0E8E-4352-82DE-81F485E63131}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68A806A7-523C-471B-919D-F3A0BB7ED5C3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DDFC2FB-7B11-43B6-AA98-0D493C47B2C4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78118EBF-E814-418D-9539-458B6144D460}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{912072B6-F015-4AF0-8878-EFE970A0B712}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F719DBDE-40FD-4430-94EE-9DD59F3EB433}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13 1591808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-09-30 14:11 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-09-30 14:07 126976]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-25 13:07 14477312 C:\WINDOWS\RTHDCPL.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 18:30 79224]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-13 20:06 249896]

C:\Documents and Settings\Shashank\Start Menu\Programs\Startup\
IPMSG for Win32.lnk - C:\Program Files\IPMsg\ipmsg.exe [2008-02-28 18:54:32 209408]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Corporate Client.lnk - C:\Program Files\eLitecore\Cyberoam Client for Corporate\CyberoamClient.exe [2006-01-11 12:01:54 221184]
LocalCooling.lnk - C:\Program Files\Uniblue\LocalCooling\localcooling2.exe [2008-02-29 14:05:35 5054464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvttq]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqonmm]
urqonmm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S3 bepldr;BCL easyPDF SDK 5 Loader;"C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe" [2007-03-01 14:50]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"D:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.16.68.01#5104654]
\Shell\Open(&O)\command - RECYCLED\appmgmt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.16.68.01#5104658]
\Shell\AutoRun\command - ie.exe
\Shell\explore\Command - ie.exe
\Shell\open\Command - ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.16.68.01#5104680]
\Shell\Open(&O)\command - RECYCLED\appmgmt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1427a531-ecdc-11dc-ac30-0015f23b2025}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL msn.exe
\Shell\explore\Command - F:\msn.exe
\Shell\open\Command - F:\msn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79beef0e-e2f9-11dc-bb0a-0015f23b2025}]
\Shell\AutoRun\command - d6fagcs8.cmd
\Shell\explore\Command - d6fagcs8.cmd
\Shell\open\Command - d6fagcs8.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc19b03a-cc08-11dc-bacf-0015f23b2025}]
\Shell\Open(&O)\command - RECYCLED\appmgmt.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 16:32:30 C:\WINDOWS\Tasks\glaryoneclickoptimizer.job"
- C:\Program Files\Glary Utilities\oneclickoptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 19:06:56
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-03-25 19:08:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-25 13:38:47
.
2008-03-14 17:17:41 --- E O F ---

tashi
2008-03-25, 15:42
Hello,

I moved your topic from the new and undetected forum. ;)

Please see the stickied procedure for this forum: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

NOTE: We do NOT ask Users to run fixes before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806)

Then start a new topic and I will close this one as helpers look for zero response.

Best regards. :)