virtumondo



stevefirst
2009-01-05, 11:55
I have a problem with virtumondo. Can I please get some help!!!

stevefirst
2009-01-05, 12:34
I have a problem with virtumondo. Can I please get some help!!!

I have followed the ComboFix and then the Kaspersky procedure on 'My Computer', and the Kaspersky report is below. Any ideas?

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, January 5, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 05, 2009 09:27:01
Records in database: 1562700
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 60379
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:04:53


File name / Threat name / Threats count
C:\Documents and Settings\steve\My Documents\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\WINDOWS\system32\msvtch.sys Infected: Trojan-Spy.Win32.Goldun.bkm 1

The selected area was scanned.

stevefirst
2009-01-05, 12:54
I've now rerun ComboFix, which wasn't initially on the desktop. This is the report:

ComboFix 09-01-04.01 - steve 2009-01-05 11:47:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.543 [GMT 0:00]
Running from: c:\documents and settings\steve\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
.

((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-05 10:21 . 2009-01-05 10:21 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-05 10:12 . 2009-01-05 10:14 <DIR> d-------- c:\documents and settings\steve\.SunDownloadManager
2009-01-05 09:33 . 2009-01-05 09:33 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-05 09:31 . 2009-01-05 09:31 <DIR> d-------- c:\windows\LastGood
2009-01-05 09:31 . 2009-01-05 11:47 <DIR> d-------- c:\program files\NOS
2009-01-05 09:31 . 2009-01-05 11:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-04 21:03 . 2009-01-05 02:36 546 --a------ c:\windows\wininit.ini
2009-01-04 18:50 . 2009-01-04 22:38 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-04 18:50 . 2009-01-04 23:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-04 15:06 . 2009-01-04 15:06 <DIR> d-------- c:\program files\SymNetDrv
2009-01-04 14:51 . 2009-01-04 16:51 <DIR> d-------- c:\program files\Norton SystemWorks
2009-01-04 14:51 . 2006-09-15 22:52 124,016 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-04 14:51 . 2006-09-15 22:52 91,904 --a------ c:\windows\system32\S32EVNT1.DLL
2009-01-04 14:51 . 2009-01-04 14:51 4,608 --a------ c:\windows\system32\drivers\symlcbrd.sys
2009-01-04 14:50 . 2009-01-04 15:07 <DIR> d-------- c:\program files\Symantec
2009-01-04 14:50 . 2009-01-04 17:03 <DIR> d-------- c:\documents and settings\steve\Application Data\Symantec
2009-01-04 14:50 . 2009-01-04 14:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-01-03 18:24 . 2009-01-03 18:24 0 --a------ c:\windows\system32\a9xt.bin
2009-01-03 18:23 . 2009-01-03 18:23 <DIR> d-------- c:\documents and settings\steve\Application Data\RegistryDoctor2008
2009-01-03 18:11 . 2009-01-03 18:11 8,640 --a------ c:\windows\system32\msvtch.sys
2009-01-03 13:11 . 2009-01-03 17:34 73,728 --a------ c:\windows\system32\nfs5ou34.exe
2008-12-14 15:08 . 2009-01-05 10:21 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-09 18:29 . 2008-12-09 18:29 <DIR> d-------- c:\windows\.jagex_cache_32
2008-12-09 18:29 . 2008-12-11 19:38 31 --a------ c:\documents and settings\steve\jagex_runescape_preferences.dat
2008-12-06 16:28 . 2008-12-06 16:28 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-12-06 16:27 . 2008-12-06 16:27 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-12-06 16:27 . 2008-12-06 16:27 <DIR> d-------- C:\b1b865d95da13327420f
2008-12-06 16:26 . 2008-12-06 16:27 <DIR> d-------- C:\0164067b79558574db0d

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 10:21 --------- d-----w c:\program files\Java
2009-01-05 09:32 --------- d-----w c:\program files\Common Files\Adobe
2009-01-04 16:55 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-30 17:01 --------- d-----w c:\documents and settings\steve\Application Data\EPSON
2008-12-03 20:00 --------- d-----w c:\program files\Maxis
2008-12-03 19:54 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-25 00:11 63,104 ----a-w c:\documents and settings\steve\Application Data\GDIPFONTCACHEV1.DAT
2008-11-16 21:20 --------- d-----w c:\program files\Lavasoft
2008-11-16 21:20 --------- d-----w c:\documents and settings\steve\Application Data\Lavasoft
2008-11-16 21:02 --------- d-----w c:\program files\BillP Studios
2008-11-16 21:02 --------- d-----w c:\documents and settings\steve\Application Data\WinPatrol
2008-11-16 20:07 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-16 20:06 --------- d-----w c:\program files\EPSON
2008-11-16 20:06 --------- d-----w c:\documents and settings\All Users\Application Data\UDL
2008-11-16 20:05 --------- d-----w c:\program files\ABBYY FineReader 6.0 Sprint
2008-11-16 20:03 --------- d-----w c:\documents and settings\steve\Application Data\InstallShield
2008-11-16 20:03 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2006-10-11 08:04 61,036 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 48,742 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 29,313 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 41,082 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 166,510 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-12 09:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091220080913\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-05_ 9.06.04.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 15:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2009-01-04 21:07:46 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-05 09:31:06 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-04 21:07:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-05 09:31:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-04 21:07:46 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-05 09:31:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-14 15:08:23 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-01-05 10:21:43 144,792 ----a-w c:\windows\system32\java.exe
- 2008-12-14 15:08:23 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-05 10:21:43 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-12-14 15:08:23 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-05 10:21:43 148,888 ----a-w c:\windows\system32\javaws.exe
- 2009-01-05 08:58:51 59,780 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-05 09:06:54 59,780 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-05 08:58:52 397,560 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-05 09:06:54 397,560 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-05 10:21:57 16,384 ----atw c:\windows\temp\Perflib_Perfdata_ab0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EPSON Stylus DX7400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE" [2007-04-12 182272]
"Norton SystemWorks"="c:\program files\Norton SystemWorks\cfgwiz.exe" [2004-09-10 132248]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-01-04 100056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-11 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\AluSchedulerSvc.exe"=

R4 NProtectService;Norton Unerase Protection;c:\progra~1\NORTON~2\NORTON~1\NPROTECT.EXE [2004-08-30 95328]

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-26 c:\windows\Tasks\At1.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 21:50]

2008-12-14 c:\windows\Tasks\At2.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 21:50]

2009-01-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-01-04 c:\windows\Tasks\Norton AntiVirus - Scan my computer - steve.job
- c:\progra~1\NORTON~2\NORTON~3\Navw32.exe [2005-10-19 12:54]

2009-01-04 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2004-11-04 05:19]

2009-01-05 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2004-10-27 18:48]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-msvtch.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\GoPetsWeb.ocx - O16 -: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8}
hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
c:\windows\Downloaded Program Files\GoPetsWeb.inf
FF - ProfilePath - c:\documents and settings\steve\Application Data\Mozilla\Firefox\Profiles\wa73pj1r.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 11:49:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-05 11:50:19
ComboFix-quarantined-files.txt 2009-01-05 11:50:05
ComboFix2.txt 2009-01-05 09:07:04

Pre-Run: 144,613,138,432 bytes free
Post-Run: 144,675,000,320 bytes free

199 --- E O F --- 2008-12-17 23:17:01