Virtumonde is like cancer on my computer



skarpuzi
2009-04-04, 06:54
I have spent 3 days trying to get rid of this thing. Combofix is my last resort. Here's my log file - somebody tell me this is fixable.

ComboFix 09-04-03.01 - Coinmach Corporation 2009-04-04 0:41:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.567 [GMT -4:00]
Running from: c:\documents and settings\Coinmach Corporation\Desktop\ComboFix.exe
AV: LANDesk Antivirus client *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.

2009-04-04 00:10 . 2009-04-04 00:24 <DIR> d-------- c:\windows\SxsCaPendDel
2009-04-04 00:10 . 2009-04-04 00:11 <DIR> d-------- C:\ad609ea76b6ec3b41bdc7749d7ad
2009-04-03 21:34 . 2009-04-03 21:34 <DIR> d-------- c:\program files\vokovafo
2009-04-03 09:35 . 2009-04-03 09:35 <DIR> d-------- c:\program files\negiyedo
2009-04-02 14:56 . 2009-04-02 14:56 <DIR> d-------- c:\program files\zoniraji
2009-04-02 14:56 . 2009-04-02 14:56 <DIR> d-------- c:\program files\zezojare
2009-04-02 14:56 . 2009-04-02 14:56 <DIR> d-------- c:\program files\tenoheze
2009-04-02 14:56 . 2009-04-02 14:56 <DIR> d-------- c:\program files\polumubi
2009-04-02 14:56 . 2009-04-02 14:56 <DIR> d-------- c:\program files\nodujohu
2009-04-02 14:56 . 2009-04-02 14:56 <DIR> d-------- c:\program files\mahazudi
2009-04-02 14:56 . 2009-04-02 14:56 <DIR> d-------- c:\program files\layeleye
2009-04-01 21:56 . 2009-04-01 21:56 <DIR> d-------- c:\program files\kozewepu
2009-04-01 21:56 . 2009-04-01 21:56 <DIR> d-------- c:\program files\hohazevu
2009-04-01 13:26 . 2009-04-01 13:26 <DIR> d-------- C:\Cisco
2009-04-01 13:23 . 2007-06-07 11:45 10,035,669 --a------ C:\Cisco.zip
2009-04-01 12:35 . 2009-04-01 12:35 <DIR> d-------- c:\documents and settings\coeadmin\Application Data\Malwarebytes
2009-04-01 09:52 . 2009-04-01 09:52 <DIR> d-------- c:\documents and settings\coeadmin
2009-04-01 09:30 . 2009-04-01 09:30 <DIR> d-------- c:\documents and settings\skarpuzi\Application Data\Malwarebytes
2009-04-01 07:22 . 2009-04-01 07:22 <DIR> d-------- c:\program files\sojefiwi
2009-04-01 07:22 . 2009-04-01 07:22 <DIR> d-------- c:\program files\jobagiyu
2009-04-01 07:22 . 2009-04-01 07:22 <DIR> d-------- c:\program files\bosofifa
2009-03-31 16:44 . 2009-03-31 16:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-31 16:44 . 2009-03-31 16:44 <DIR> d-------- c:\documents and settings\Coinmach Corporation\Application Data\Malwarebytes
2009-03-31 16:44 . 2009-03-31 16:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-31 16:44 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-31 16:44 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-31 08:34 . 2009-03-31 19:28 <DIR> d-------- c:\program files\vikuzeja
2009-03-31 08:34 . 2009-03-31 08:34 <DIR> d-------- c:\program files\nuzeroto
2009-03-31 08:34 . 2009-03-31 08:34 <DIR> d-------- c:\program files\juguteto
2009-03-30 07:59 . 2009-03-31 19:28 <DIR> d-------- c:\program files\wibovaha
2009-03-30 07:59 . 2009-03-30 07:59 <DIR> d-------- c:\program files\sosagatu
2009-03-30 07:59 . 2009-04-03 15:21 <DIR> d-------- c:\program files\pilabuma
2009-03-28 12:19 . 2009-03-28 12:19 <DIR> d-------- c:\program files\yigutizo
2009-03-28 12:19 . 2009-03-28 12:40 <DIR> d-------- c:\program files\vebayene
2009-03-28 12:19 . 2009-03-31 19:27 <DIR> d-------- c:\program files\porihimi
2009-03-28 12:14 . 2009-04-02 14:56 <DIR> d-------- c:\program files\sezepinu
2009-03-28 12:14 . 2009-04-02 14:56 <DIR> d-------- c:\program files\mitofeyi
2009-03-28 12:14 . 2009-04-02 14:56 <DIR> d-------- c:\program files\lovazepa
2009-03-26 09:54 . 2009-03-26 09:55 <DIR> d-------- c:\documents and settings\skarpuzi\Application Data\wootalyzer
2009-03-17 16:44 . 2009-03-17 16:44 <DIR> d-------- c:\documents and settings\Coinmach Corporation\Application Data\Move Networks
2009-03-14 13:32 . 2009-03-14 13:32 <DIR> d-------- c:\documents and settings\Coinmach Corporation\Application Data\TomTom
2009-03-14 13:32 . 2009-03-14 13:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\TomTom
2009-03-14 13:28 . 2009-03-14 13:28 <DIR> d-------- c:\program files\TomTom DesktopSuite
2009-03-10 19:24 . 2008-04-13 14:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-03-10 19:24 . 2008-04-13 14:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-03-05 11:34 . 2009-03-05 11:34 <DIR> d-------- c:\windows\PrimoPDF4
2009-03-05 11:34 . 2009-03-05 11:34 <DIR> d-------- c:\program files\activePDF
2009-03-05 11:34 . 2006-12-11 17:12 176,235 --a------ c:\windows\system32\Primomonnt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 04:48 602,400 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-04 04:47 9,884,704 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-04 04:45 57,476 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-04 04:45 134,432 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-04 04:41 --------- d-----w c:\documents and settings\All Users\Application Data\vulScan
2009-04-04 03:59 --------- d-----w c:\program files\Microsoft
2009-04-04 03:46 11,168 ---ha-w c:\program files\ketogufi
2009-04-03 01:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-01 05:03 --------- d-----w c:\documents and settings\All Users\Application Data\UpdateVirusDefinitions
2009-03-31 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\LANDeskAV
2009-03-30 12:15 --------- d-----w c:\documents and settings\Coinmach Corporation\Application Data\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
2009-03-05 16:00 23,944 ----a-w c:\documents and settings\skarpuzi\Application Data\GDIPFONTCACHEV1.DAT
2009-03-01 17:34 --------- d-----w c:\program files\HP
2009-03-01 17:31 --------- d-----w c:\program files\Common Files\HP
2009-03-01 17:31 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-02-26 12:16 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-12 03:31 --------- d-----w c:\documents and settings\Coinmach Corporation\Application Data\MSNInstaller
2009-02-11 19:00 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-02-11 15:40 --------- d-----w c:\program files\Windows Live SkyDrive
2009-02-11 15:36 --------- d-----w c:\program files\Common Files\Windows Live
2008-10-08 17:41 60,968 ----a-w c:\documents and settings\skarpuzi\GoToAssistDownloadHelper.exe
2008-08-22 13:15 60,744 ----a-w c:\documents and settings\skarpuzi\g2mdlhlpx.exe
2008-07-15 00:05 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070720080714\index.dat
2008-07-15 00:05 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071420080715\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-12-05 110592]
"LANDesk Antivirus"="c:\program files\LANDesk\LDClient\antivirus\LDav.exe" [2007-11-30 917504]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2008-10-08 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-813497703-725345543-10159\Scripts\Logon\0\0]
"Script"=timesync.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-813497703-725345543-11679\Scripts\Logon\0\0]
"Script"=timesync.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-813497703-725345543-11679\Scripts\Logon\1\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 AcronisAgent;Acronis Remote Agent;c:\program files\Common Files\Acronis\Agent\agent.exe [2005-12-05 98304]
R2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [2007-11-29 155648]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [2008-10-08 118784]
R2 LDAVService;LANDesk(R) Antivirus;c:\program files\LANDesk\LDClient\Antivirus\AVService.exe [2008-10-08 426048]
R2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [2008-10-08 331776]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2008-10-08 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2008-10-08 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2008-10-08 3712]
.
Contents of the 'Scheduled Tasks' folder

2009-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]

2009-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-813497703-725345543-11679.job
- c:\documents and settings\skarpuzi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-31 13:37]

2009-04-04 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2006-01-06 15:07]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Coinmach Corporation\Application Data\Mozilla\Firefox\Profiles\rgfz7vj1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 00:47:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1356)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\cba\pds.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\progra~1\LANDesk\LDClient\issuser.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\program files\LANDesk\LDClient\Antivirus\ScanningProcess.exe
c:\program files\LANDesk\LDClient\Antivirus\ScanningProcess.exe
c:\progra~1\LANDesk\LDClient\rcgui.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\MICROS~4\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-04 0:51:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-04 04:51:39

Pre-Run: 26,620,735,488 bytes free
Post-Run: 27,114,647,552 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

214 --- E O F --- 2009-03-15 16:02:31