ComboFix log produced by running the CFScript.txt file posted above
ComboFix 08-01-11.1 - Tony Bailey 2008-01-13 16:02:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.645 [GMT -5:00]
Running from: C:\hjt\ComboFix.exe
Command switches used :: C:\hjt\CFScript.txt C:\hjt\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\SYSTEM32\gdlsaufa.dll
C:\WINDOWS\SYSTEM32\jhrkhoyt.ini
C:\WINDOWS\SYSTEM32\tsilpikp.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\SYSTEM32\gdlsaufa.dll
C:\WINDOWS\SYSTEM32\jhrkhoyt.ini
C:\WINDOWS\SYSTEM32\tsilpikp.ini
.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.
2008-01-12 12:28 . 2008-01-12 12:28 102,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-11 18:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 09:01 . 2008-01-06 09:01 75,840 --a------ C:\WINDOWS\SYSTEM32\gcvlwivg.dll
2008-01-05 00:03 . 2008-01-05 00:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 23:58 . 2008-01-04 23:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-04 23:58 . 2008-01-04 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-04 01:34 . 2008-01-04 01:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
2008-01-04 00:50 . 2008-01-04 00:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-03 23:26 . 2008-01-12 12:01 6,500 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-01-03 23:25 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-01-03 23:24 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-01-03 23:24 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-01-03 23:24 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-01-03 23:24 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-01-03 23:24 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-01-03 23:24 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-01-03 23:23 . 2008-01-03 23:23 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-03 23:23 . 2008-01-04 00:56 <DIR> d-------- C:\Program Files\McAfee
2008-01-03 23:23 . 2008-01-03 23:25 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-03 23:08 . 2008-01-03 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-03 22:13 . 2008-01-03 22:14 <DIR> d-------- C:\pebuilder3110a
2008-01-03 21:58 . 2008-01-03 21:58 <DIR> d-------- C:\Program Files\Compaq
2007-12-31 22:49 . 2007-12-31 22:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 15:34 . 2008-01-04 20:30 <DIR> d-------- C:\Program Files\Sony
2007-12-30 08:51 . 2008-01-02 18:54 778,318 --a------ C:\WINDOWS\SYSTEM32\wltray.exe
2007-12-30 02:07 . 2007-12-30 02:07 <DIR> d-------- C:\Documents and Settings\Tony Bailey\Application Data\MySpace
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 23:13 --------- d-----w C:\Program Files\QuickTime
2008-01-11 22:52 --------- d-----w C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks
2008-01-10 01:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Juniper Networks
2008-01-05 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-04 07:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 05:08 --------- d-----w C:\Program Files\eGames
2008-01-04 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-03 02:38 --------- d-----w C:\Program Files\Real
2008-01-03 02:38 --------- d-----w C:\Program Files\Logitech
2008-01-03 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-03 02:24 --------- d-----w C:\Program Files\Dell
2007-12-29 05:31 --------- d-----w C:\Documents and Settings\Tony Bailey\Application Data\BitTorrent
2007-12-20 02:20 --------- d-----w C:\Program Files\MSN Messenger
2007-12-11 01:07 --------- d-----w C:\Program Files\UltimateBuddy
2007-12-07 19:53 --------- d-----w C:\Program Files\Neoteris
2007-12-04 03:01 --------- d-----w C:\Program Files\UltimateBet
2007-12-01 00:03 --------- d-----w C:\Program Files\Microsoft Money 2005
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-30 16:53 360,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-11_18.15.40.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 23:08:58 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 21:01:58 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 23:08:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 21:01:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 23:08:58 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-13 21:01:58 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-11 23:08:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 21:01:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 23:08:58 5,722,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-13 21:01:58 5,726,208 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-11 23:08:58 364,544 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 21:01:58 364,544 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-03 02:33:50 122,939 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
- 2008-01-11 22:54:24 41,624 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-01-12 17:04:43 41,624 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-01-11 22:54:24 316,158 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-01-12 17:04:43 316,158 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-11 17:50 1460560]
"Cache Cleaner"="C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks\Cache Cleaner 5.5.0\dsCacheCleaner.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 14:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 14:29 7561216]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2008-01-02 19:21 45056]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2008-01-02 19:21 57344]
"nwiz"="nwiz.exe" [2006-03-09 14:29 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2008-01-02 18:54 778318]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-12-29 20:08:38]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-29 23:53]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 04:23:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-01-04 04:23:58 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 16:03:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-13 16:03:56
ComboFix-quarantined-files.txt 2008-01-13 21:03:41
ComboFix2.txt 2008-01-13 20:13:49
ComboFix3.txt 2008-01-11 23:16:06
.
2008-01-09 13:07:16 --- E O F ---