review my combofix text file



brice123
2008-12-12, 15:26
I ran ComboFix on my computer and got this text file. I was wondering if someone smarter than me could look at it and tell me if I need to do anything else? Thanks



ComboFix 08-12-11.05 - fpod 2008-12-12 8:34:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.574 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WinXP_EN_HOM_BF.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\fpod\nah_crkf.exe
C:\Documents and Settings\fpod\nah_log.dat
C:\Documents and Settings\fpod\ravmonlog
C:\WINDOWS\a3kebook.ini
C:\WINDOWS\akebook.ini
C:\WINDOWS\ANS2000.INI
C:\WINDOWS\system32\drivers\TDSSrfdc.sys
C:\WINDOWS\system32\TDSSayoa.log
C:\WINDOWS\system32\TDSSedwv.dll
C:\WINDOWS\system32\TDSSfvfe.dll
C:\WINDOWS\system32\TDSSgnaq.dll
C:\WINDOWS\system32\TDSShrii.dll
C:\WINDOWS\system32\TDSSmhvw.log
C:\WINDOWS\system32\TDSSnero.dat
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSrfhc.dll
C:\WINDOWS\system32\TDSSxbae.dll

C:\WINDOWS\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 13:50 32,718,368 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-12-12 13:48 1,244,960 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-12-12 13:46 439,904 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-12-12 13:46 118,736 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-12-12 13:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-11-24 03:42 --------- d-----w C:\Documents and Settings\fpod\Application Data\uTorrent
2008-11-18 20:23 --------- d-----w C:\Documents and Settings\fpod\Application Data\Move Networks
2008-11-12 04:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-24 11:21 455,296 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-10-20 13:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-10-14 20:40 --------- d-----w C:\Program Files\Zone Five Software
2008-10-14 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoneFiveSoftware
2007-07-08 04:40 29,440 ----a-w C:\Documents and Settings\fpod\Application Data\GDIPFONTCACHEV1.DAT
2006-07-19 20:33 88 --sh--r C:\WINDOWS\system32\A3C1FB52E7.sys
2006-07-19 20:33 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-09-07 03:27 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 16:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 16:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 16:45 118784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"ECenter"="c:\dell\E-Center\gtb.exe" [2006-06-14 08:17 49152]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 15:16 1121792]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 00:18 57344]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 01:05 122939]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 03:27 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 14:09 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 19:12 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 16:40 289576]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18031:TCP"= 18031:TCP:NortonAV
"15699:TCP"= 15699:TCP:NortonAV


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-Verizon Custom Uninstall Tracking - C:\DOCUME~1\fpod\LOCALS~1\Temp\InstallHelper.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://65.209.44.166/webapps/login/
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cu22xwpm.default\
FF - plugin: C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\NPUploader.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 08:47:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)
C:\WINDOWS\system32\klogon.dll
.