ComboFix 08-01-15.4 - Administrator 2008-01-15 9:03:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.49 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Application Data\microsoft\internet explorer\Desktop.htt
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\Monique\Application Data\install.dat
C:\Program Files\kernel
C:\Program Files\Temporary
C:\WINDOWS\17PHolmes27.exe
C:\WINDOWS\Help\agt037b.hlp
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\drivers\PAA17.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\max1d11643v.exe
C:\WINDOWS\system32\mscore.dll
C:\WINDOWS\system32\shift.exe.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_LRITO12E5-5FA8
-------\LEGACY_LRITO30C4-2B5A
-------\LEGACY_LRITO658B-1C68
-------\LEGACY_PAA17
-------\LEGACY_SMTPDRV
-------\Driver
-------\lrito12e5-5fa8
-------\lrito30c4-2b5a
-------\lrito658b-1c68
-------\smtpdrv
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.
2008-01-15 07:08 . 2008-01-15 07:26 d-------- C:\Program Files\SpyKillerPro
2008-01-14 21:28 . 2008-01-14 21:28 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-14 21:27 . 2008-01-15 07:27 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-14 21:27 . 2008-01-14 21:27 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-14 17:20 . 2008-01-14 17:20 d-------- C:\Program Files\Lavasoft
2008-01-14 17:20 . 2008-01-14 17:36 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 12:47 . 2008-01-14 17:05 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-14 10:20 . 2008-01-14 10:19 14,848 --a------ C:\Documents and Settings\Administrator\ntuser.exe
2008-01-14 10:20 . 2008-01-15 09:23 6,144 --a------ C:\Documents and Settings\Administrator\msftp.dll
2008-01-14 10:06 . 2008-01-14 10:07 d-------- C:\Program Files\ANI
2008-01-14 10:05 . 2008-01-14 10:05 d-------- C:\Program Files\D-Link
2008-01-14 10:05 . 2008-01-14 10:05 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-01-14 09:04 . 2008-01-14 09:04 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-14 09:03 . 2008-01-14 09:03 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-09 13:26 . 2008-01-09 14:49 d-------- C:\Documents and Settings\Monique\Application Data\MSN6
2008-01-09 13:26 . 2008-01-09 13:26 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-01-07 22:13 . 2008-01-07 22:13 d-------- C:\Program Files\Google
2007-12-20 10:10 . 2007-12-20 10:10 d-------- C:\Program Files\Coupons
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 15:24 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-15 15:23 6,144 ----a-w C:\WINDOWS\system32\msftp.dll
2008-01-15 15:14 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-01-15 01:08 90,112 ----a-w C:\WINDOWS\DUMPd41a.tmp
2008-01-14 23:34 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-14 19:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 16:19 14,848 ----a-w C:\WINDOWS\system32\drivers\win32.exe
2008-01-14 16:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
1998-12-09 09:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 09:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 09:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 09:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 09:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 09:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
[color=blue]Infected C:\WINDOWS\system32\svchost.exe hex repaired[/color]
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}]
2008-01-15 07:06 53248 --a------ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ieobj.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"auto"="C:\WINDOWS\system32\drivers\win32.exe" [2008-01-14 10:19 14848]
"ntuser"="C:\Documents and Settings\Administrator\ntuser.exe" [2008-01-14 10:19 14848]
"SpyKillerPro"="C:\Program Files\SpyKillerPro\SpyKillerPro.exe" [ ]
"quartz"="C:\WINDOWS\System32\quartz.exe" [ ]
"dmime"="C:\WINDOWS\System32\dmime.exe" [ ]
"anti_troj"="C:\WINDOWS\system32\anti_troj.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1130356250\EE\AOLHostManager.exe" [2004-11-03 15:03 125528]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 08:40 34904]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 15:33 99480]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-16 19:27 98304]
"D-Link RangeBooster G WDA-2320"="C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2007-08-29 15:15 1662976]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 11:49 49152]
"Windows Framework"="C:\WINDOWS\system32\scvh0st.exe" [ ]
"mmnext06"="C:\WINDOWS\trjdwnl.dll" [ ]
"shellbn"="C:\WINDOWS\shlext32.exe" [ ]
"Tapicfg.exe"="tapicfg.exe" []
"anti_troj"="C:\WINDOWS\system32\anti_troj.exe" [ ]
"vmlib"="vmlib.exe" []
"cssrss.exe"="cssrss.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{24E31EA9-FCE2-404F-BD80-20543565D946}"= C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~~install.dll [2008-01-15 07:06 14336]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lty48.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdh62.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-12 06:17 50776 C:\Program Files\America Online 9.0\AOL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2004-10-20 08:40 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a--c--- 2001-07-09 08:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
--a------ 2004-04-05 15:33 99480 C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-09-16 19:27 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-09-16 19:26 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe
R0 SC247XF;SC247XF;C:\WINDOWS\system32\DRIVERS\SC247XF.sys [2001-09-13 18:47]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2007-05-24 18:15]
R3 JSWSCIMD;jswscimd Service;C:\WINDOWS\system32\DRIVERS\jswscimd.sys [2007-07-25 08:52]
S0 Lty48;Lty48;C:\WINDOWS\system32\Drivers\Lty48.sys []
S1 kcp;kcp;C:\WINDOWS\system32\drivers\kcp.sys []
S2 oriieke37501509;oriieke37501509;C:\WINDOWS\system32\oriieke37501509.sys []
S3 jswpsapi;Jumpstart Wifi Protected Setup;C:\Program Files\D-Link\RangeBooster G WDA-2320\JSWUtil\jswpsapi.exe [2007-08-02 12:05]
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys []
S3 SpyKillerProFilter;1/15/20087:08:53 AM;C:\Program Files\SpyKillerPro\SSS.sys []
S3 Wdh62;Wdh62;C:\WINDOWS\System32\drivers\Wdh62.sys []
S3 Winacusb;Winacusb;C:\WINDOWS\system32\DRIVERS\winacusb.sys [2001-12-14 12:22]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 09:24:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-15 9:31:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 15:31:31
.
2008-01-15 09:02:26 --- E O F ---