another virtumonde.. please help



ystempy
2008-07-26, 19:09
Hi guys,
I also have the #%^#%^# Virtumonde.
I ran ComboFix and VundoFix; still infected.
The ComboFix log:
ComboFix 08-07-25.7 - Noga&Yonatan 07/26/2008 19:19:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.805 [GMT 2:00]
Running from: D:\Documents and Settings\Noga&Yonatan\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\WINDOWS\BM1bcb48c5.txt
D:\WINDOWS\pskt.ini
D:\WINDOWS\system32\bLTtwyay.ini
D:\WINDOWS\system32\bLTtwyay.ini2
D:\WINDOWS\system32\byXOeCVM.dll
D:\WINDOWS\system32\ldtkbvpx.ini
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\OUBLRXyb.ini
D:\WINDOWS\system32\OUBLRXyb.ini2
D:\WINDOWS\system32\yaywtTLb.dll

----- BITS: Possible infected sites -----

http://j+|Cv+@J:NGD_DQ{ztHG.XaB,Db|I9
.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 15:16 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-26 15:15 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-07-26 13:02 --------- d-----w D:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-26 12:49 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-26 12:45 --------- d-----w D:\Program Files\Security Task Manager
2008-07-26 08:08 --------- d-----w D:\Program Files\Lavasoft
2008-07-25 23:29 --------- d-----w D:\Documents and Settings\Administrator\Application Data\Media Player Classic
2008-07-25 22:36 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-25 08:15 --------- d-----w D:\Documents and Settings\Noga&Yonatan\Application Data\uTorrent
2008-07-23 18:16 --------- d-----w D:\Program Files\CheckPoint
2008-07-12 14:39 2,829 ----a-w D:\WINDOWS\War3Unin.pif
2008-07-12 14:39 139,264 ----a-w D:\WINDOWS\War3Unin.exe
2008-07-04 14:31 --------- d-----w D:\Program Files\Resco
2008-07-04 14:30 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-06-20 11:39 --------- d-----w D:\Program Files\Common Files\Adobe Systems Shared
2008-06-20 11:39 --------- d-----w D:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-06-20 11:36 --------- d-----w D:\Program Files\Common Files\Adobe
2008-06-20 10:44 360,960 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w D:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w D:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:20 --------- d-----w D:\Documents and Settings\Noga&Yonatan\Application Data\AdobeUM
2008-06-13 21:32 --------- d-----w D:\Documents and Settings\Noga&Yonatan\Application Data\skypePM
2008-06-13 21:32 --------- d-----w D:\Documents and Settings\Noga&Yonatan\Application Data\Skype
2008-06-13 13:10 272,128 ------w D:\WINDOWS\system32\drivers\bthport.sys
2008-06-04 20:04 --------- d-----w D:\Program Files\Skype
2008-06-04 20:04 --------- d-----w D:\Program Files\Common Files\Skype
2008-06-04 20:04 --------- d-----w D:\Documents and Settings\All Users\Application Data\Skype
2008-05-29 21:54 --------- d-----w D:\Program Files\Bonjour
2008-05-29 21:45 --------- d-----w D:\Program Files\Common Files\Macrovision Shared
2008-05-22 19:07 42,474 ----a-w D:\WINDOWS\Encrypted.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM 15360]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/16/2008 08:05 PM 68856]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 12:39 PM 1289000]
"SpybotSD TeaTimer"="c:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Memory Optimizer"="D:\Program Files\Systerac XP Tools 3\memoryo.exe" [05/02/2005 08:10 PM 1056768]
"InCD"="C:\Program Files\Ahead NERO InCD\InCD\InCD.exe" [03/14/2006 04:06 AM 1397760]
"egui"="D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [12/21/2007 08:21 AM 1443072]
"Acrobat Assistant 7.0"="D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [04/23/2008 02:08 AM 483328]
"SoundMan"="SOUNDMAN.EXE" [02/09/2004 10:54 AM 65024 D:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [10/22/2004 10:53 AM 53248 D:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [01/11/2005 06:33 AM 143360 D:\WINDOWS\system32\VTTrayp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 01:56 AM 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
12/16/2004 03:33 PM 24672 D:\WINDOWS\system32\ckpNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Picasa Media Detector"=c:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"NeroFilterCheck"=D:\WINDOWS\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Program Files\\NetMeeting\\conf.exe"=
"%ProgramFiles%\\SmartProtectionUSB\\Agent_Daemon.exe"=
"%ProgramFiles%\\SmartProtectionUSB\\SmartProtectionVersion.exe"=
"%ProgramFiles%\\SmartProtectionUSB\\SmartProtectionWindowsUpdate.exe"=
"D:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"D:\\Program Files\\Vmule Kazaa Lite 28\\clean.kmd"=
"D:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=
"D:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"D:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Defrag32b;Defrag32Boot;D:\WINDOWS\system32\drivers\Defrag32b.sys [05/12/2005 08:47 AM]
R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [12/21/2007 08:21 AM]
R2 Defrag32;Defrag32;D:\WINDOWS\system32\drivers\Defrag32.sys [05/12/2005 08:47 AM]
R2 PDSched;PDScheduler;D:\Program Files\Raxco\PerfectDisk\PDSched.exe [05/12/2005 11:43 AM]
R2 Scap;SecureClient Application Policy Module;D:\WINDOWS\system32\DRIVERS\Scap.sys [12/16/2004 03:33 PM]
R2 SmartProtection Service;SmartProtection Agent Service;D:\Program Files\ThumbDrive Guard\SmartProtectionService.exe [04/19/2006 02:44 PM]
R2 U3SHLPDR200;U3SHLPDR200;D:\WINDOWS\System32\Drivers\U3SHLPDR200.SYS [05/15/2008 08:55 PM]
R2 VPN-1;VPN-1 Module;D:\WINDOWS\system32\drivers\vpn.sys [12/16/2004 03:33 PM]
R3 FW1;SecuRemote Miniport;D:\WINDOWS\system32\DRIVERS\fw.sys [12/16/2004 03:33 PM]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Professional\kerneld.wnt [10/21/2004 11:00 PM]
S3 OMVA;VPN-1 SecureClient Adapter;D:\WINDOWS\system32\DRIVERS\OMVA.sys [12/16/2004 03:33 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b92cec1e-2292-11dd-bdd2-00115b8f1561}]
\Shell\AutoRun\command - I:\AutoRun.exe
\Shell\configure\command - I:\ThumbDriveGuardSetup.exe
\Shell\install\command - I:\ThumbDriveGuardSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4A8258C0-7856-84C5-8BEE-10876FC74123}]
D:\WINDOWS:emulee.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{099AC52C-1CD4-434C-9CC6-FF56DABB5010} - (no file)
BHO-{14F72990-3D28-4A51-AB94-B2B8CB46BF18} - (no file)
BHO-{8AFAF54C-61B8-43E9-9D56-638B3D367BEA} - D:\WINDOWS\system32\urqopoop.dll
BHO-{CE830E55-425B-4BB2-A3DD-E2B0DAE26D03} - D:\WINDOWS\system32\byXRLBUO.dll
BHO-{F62780DB-E31A-43CE-99C7-CB48D65C2170} - D:\WINDOWS\system32\ddcYOIaw.dll
HKLM-Run-a87758fd - D:\WINDOWS\system32\uetpvhkg.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: &יצא ל- Microsoft Excel - D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 -: Convert link target to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 19:25:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\C:\Program Files\Lavalys\EVEREST Professional\kerneld.wnt"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead NERO InCD\InCD\InCDsrv.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 07/26/2008 19:30:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 17:30:35

Pre-Run: 34,283,765,760 bytes free
Post-Run: 34,599,047,168 bytes free

192 --- E O F --- 2008-07-10 18:25:57
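
As an added example, not part of the original post and not code from ComboFix or Spybot, here is a Python triage script run over lines taken from the log above. It pulls the 8-letter file names under system32 out of the "Other Deletions" and "ORPHANS REMOVED" lines and separates DLLs with a strong indicator (a companion .ini/.ini2 file under the reversed name, as with yaywtTLb.dll and bLTtwyay.ini in this log, or a removed BHO/Run entry that still points at the DLL) from DLLs matched only by the weak 8-letter-name heuristic, which on its own also hits legitimate names such as setupapi.dll. The reversed-name pairing is a heuristic read off this log; the regexes, the strong/weak split and the sample input are my assumptions, not ComboFix output.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the ComboFix log posted above (the
# "Other Deletions" and "ORPHANS REMOVED" sections) plus one benign path,
# so the script runs offline. A real run would read the saved log file.
SAMPLE_LOG = r"""
D:\WINDOWS\system32\bLTtwyay.ini
D:\WINDOWS\system32\bLTtwyay.ini2
D:\WINDOWS\system32\byXOeCVM.dll
D:\WINDOWS\system32\ldtkbvpx.ini
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\OUBLRXyb.ini
D:\WINDOWS\system32\OUBLRXyb.ini2
D:\WINDOWS\system32\yaywtTLb.dll
BHO-{099AC52C-1CD4-434C-9CC6-FF56DABB5010} - (no file)
BHO-{8AFAF54C-61B8-43E9-9D56-638B3D367BEA} - D:\WINDOWS\system32\urqopoop.dll
BHO-{CE830E55-425B-4BB2-A3DD-E2B0DAE26D03} - D:\WINDOWS\system32\byXRLBUO.dll
BHO-{F62780DB-E31A-43CE-99C7-CB48D65C2170} - D:\WINDOWS\system32\ddcYOIaw.dll
HKLM-Run-a87758fd - D:\WINDOWS\system32\uetpvhkg.dll
D:\WINDOWS\system32\ctfmon.exe
"""

# Heuristic (assumption): Vundo-style droppers use 8 random letters for the
# DLL and keep companion .ini/.ini2 files under the reversed name.
PATH_RE = re.compile(r"(?i)[a-z]:\\windows\\system32\\([a-z]{8})\.(dll|ini|ini2)\b")
ORPHAN_RE = re.compile(r"^(BHO-\{[0-9A-Fa-f-]+\}|HKLM-Run-\w+) - (.+?)\s*$", re.M)


def system32_entries(log_text):
    """Map each 8-letter stem under system32 to the set of extensions seen."""
    found = defaultdict(set)
    for m in PATH_RE.finditer(log_text):
        found[m.group(1)].add(m.group(2).lower())
    return found


def reversed_ini_pairs(entries):
    """DLLs whose reversed stem exists as an .ini/.ini2 companion file."""
    pairs = []
    for stem, exts in entries.items():
        rev = stem[::-1]
        if "dll" in exts and rev in entries:
            inis = sorted(f"{rev}.{e}" for e in entries[rev] if e.startswith("ini"))
            if inis:
                pairs.append((f"{stem}.dll", inis))
    return sorted(pairs)


def orphan_loading_points(log_text):
    """(loading point, DLL) for removed BHO/Run entries that named a system32 DLL."""
    out = []
    for m in ORPHAN_RE.finditer(log_text):
        target = PATH_RE.search(m.group(2))
        if target and target.group(2).lower() == "dll":
            out.append((m.group(1), f"{target.group(1)}.dll"))
    return out


def triage(log_text):
    """Split 8-letter system32 DLLs into strong and weak indicators."""
    entries = system32_entries(log_text)
    dlls = sorted(f"{s}.dll" for s, e in entries.items() if "dll" in e)
    pairs = reversed_ini_pairs(entries)
    orphans = orphan_loading_points(log_text)
    strong = {d for d, _ in pairs} | {d for _, d in orphans}
    return {
        "dlls": dlls,
        "reversed_pairs": pairs,
        "orphans": orphans,
        "strong": sorted(strong),
        "weak": sorted(set(dlls) - strong),  # name length alone: verify before acting
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for dll, inis in result["reversed_pairs"]:
        print(f"reversed-name pair: {dll} <-> {', '.join(inis)}")
    for point, dll in result["orphans"]:
        print(f"orphaned loading point: {point} -> {dll}")
    print("strong:", result["strong"])
    print("weak (8-letter name only):", result["weak"])
```

On this input the script reports two reversed-name pairs (byXRLBUO.dll with OUBLRXyb.ini/.ini2, yaywtTLb.dll with bLTtwyay.ini/.ini2), four orphaned loading points, and leaves byXOeCVM.dll in the weak bucket because nothing but its name shape points at it. Everything ComboFix lists under deletions and orphans has already been removed or quarantined, so this is triage over the log, not removal; the names it surfaces are what a helper would look for in a fresh scan to decide whether the machine is still infected.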

tashi
2008-07-26, 19:23
Hello ystempy,

Did you miss this forum's sticky topics? ;)

Do NOT run 'fixes' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)

Please follow the procedure in this sticky:

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Start a new topic providing the HJT log and a link to this thread, which I have closed as helpers look for threads without a response.

Regards.