Malware removal update



greenalfonzo
2008-08-01, 22:46
I am running the process recommended to me in this thread:

http://forums.spybot.info/showthread.php?t=30134

Following those instructions, this is my ComboFix log. I am now proceeding to the next steps of running ATF Cleaner and Kaspersky. Thank you for all the help so far!


ComboFix 08-07-31.06 - Compaq_Owner 2008-08-01 13:35:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.106 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\blphcnl4j0etdr.scr
C:\WINDOWS\system32\lphcnl4j0etdr.exe
C:\WINDOWS\system32\phcnl4j0etdr.bmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\blphcnl4j0etdr.scr
C:\WINDOWS\system32\lphcnl4j0etdr.exe
C:\WINDOWS\system32\phcnl4j0etdr.bmp

.
((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-08-01 13:23 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-01 13:20 . 2008-08-01 13:20 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-01 09:42 . 2008-08-01 09:42 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\.SunDownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 20:39 22,120,480 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-01 20:23 --------- d-----w C:\Program Files\Java
2008-08-01 20:02 296,516 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-01 16:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-01 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-01 16:09 21,488 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-08-01 01:44 271,360 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-08-01 01:44 2,108,928 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-06-27 02:09 7,487,207 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-26 18:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-26 18:28 --------- d-----w C:\Program Files\Lavasoft
2008-06-26 18:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-25 23:55 257,536 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-06-25 18:24 --------- d-----w C:\Program Files\CCleaner
2008-06-25 15:40 --------- d-----w C:\Program Files\Trend Micro
2008-06-25 15:18 9,722,720 ----a-w C:\spybotsd152.exe
2008-06-24 04:49 1,587,200 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-06-21 01:09 2,000,384 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-28 05:16 324,608 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-05-20 23:04 956,416 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-02 00:37 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2007-09-04 15:29 3,551,324 ----a-w C:\Program Files\FirefightSetup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-26_19.19.29.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-01-29 04:28:20 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 08:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-01-29 04:28:20 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 08:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 09:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-06-27 01:57:25 340,008 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-08-01 20:34:10 344,600 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-06-19 19:14:52 9,603,000 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-08-01 01:22:57 10,018,054 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 09:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59 126976]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-28 21:44 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-05 13:17 385024]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 14:18 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSMPSVC]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"MSMPSVC"=2 (0x2)
"msfwsvc"=2 (0x2)
"MDM"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=

R3 rdsdrvdm;rdsdrvdm;C:\WINDOWS\system32\DRIVERS\rdsdrvdm.sys [2007-03-29 18:15]
S2 RDesktop;RDesktop Server;C:\PROGRA~1\01COM~1\I'MINT~1\BIN\rdesktop.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7eaf834-7138-11d9-a02f-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-06-03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
HKLM-Run-RDesktop - C:\PROGRA~1\01COM~1\I'MINT~1\BIN\rdesktop.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 13:39:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-01 13:41:37
ComboFix-quarantined-files.txt 2008-08-01 20:41:31
ComboFix2.txt 2008-06-27 02:24:01

Pre-Run: 58,847,567,872 bytes free
Post-Run: 58,977,546,240 bytes free

131 --- E O F --- 2008-06-20 17:49:24

tashi
2008-08-01, 23:03
Hello greenalfonzo,

http://forums.spybot.info/showthread.php?t=30134


Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.


That is what you need to do.

The fix was given for the state of the machine at that time, 2008-06-27, not now.

Best regards. :)