ComboFix 08-03-29.1 - Raj 2008-03-30 12:17:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.531 [GMT -4:00]
Running from: C:\Documents and Settings\Raj\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Raj\Desktop\trojan clenaing sw\mar-30-2008\CFScript.txt
 * Created a new restore point
 * Resident AV is active

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\ntnut.exe
C:\WINDOWS\system32\ntnut32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\ntnut.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-29 23:10 . 2008-03-29 23:10 d-------- C:\Program Files\stc
2008-03-29 23:08 . 2008-03-29 23:08 11,264 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-03-29 23:06 . 2008-03-29 23:06 d-------- C:\_OTMoveIt
2008-03-29 22:41 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-29 22:40 . 2008-03-29 22:40 d-------- C:\Program Files\Common Files\Java
2008-03-23 20:52 . 2008-03-23 22:11 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-23 20:52 . 2008-03-23 20:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-23 20:52 . 2008-03-23 20:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-23 20:52 . 2008-03-23 20:52 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-23 19:21 . 2008-03-23 19:21 d-------- C:\Documents and Settings\Raj\Application Data\Grisoft
2008-03-23 19:20 . 2008-03-23 19:20 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-23 19:20 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-23 00:23 . 2008-03-23 00:45 d-------- C:\Program Files\Windows Live Safety Center
2008-03-22 16:39 . 2008-03-30 02:10 4,492 --a------ C:\WINDOWS\system32\Config.MPF
2008-03-22 16:37 . 2008-03-22 16:37 d-------- C:\Program Files\McAfee.com
2008-03-22 16:37 . 2008-03-22 16:39 d-------- C:\Program Files\McAfee
2008-03-22 16:37 . 2008-03-22 16:38 d-------- C:\Program Files\Common Files\McAfee
2008-03-22 16:37 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-22 16:37 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-03-22 16:37 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-22 16:37 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-03-22 16:37 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-22 16:37 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-03-22 16:26 . 2008-03-22 16:26 d-------- C:\WINDOWS\McAfee.com
2008-03-22 16:19 . 2008-03-22 16:39 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-22 03:40 . 2008-03-22 20:52 d-------- C:\Program Files\Bat
2008-03-16 18:31 . 2008-03-16 18:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-16 18:31 . 2008-03-16 18:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-13 03:52 . 2008-03-13 03:52 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-15 03:05 . 2008-02-15 03:05 d-------- C:\Documents and Settings\Raj\Workspaces
2008-02-15 03:00 . 2008-02-15 03:00 9,580 --a------ C:\WINDOWS\vpd.properties
2008-02-15 02:34 . 2004-09-16 04:14 13,600 --------- C:\WINDOWS\system32\sasperf.dll
2008-02-02 22:48 . 2008-02-02 22:48 d-------- C:\Program Files\Common Files\BCL Technologies
2008-02-02 22:48 . 2008-02-02 22:48 d-------- C:\Documents and Settings\Raj\Application Data\Nitro PDF
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-04-14 11:48 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2008-03-30 03:08 20,480 ----a-w C:\WINDOWS\system32\SIPSPI32.dll
2008-03-30 02:41 --------- d-----w C:\Program Files\Java
2008-03-24 21:20 41,986 ----a-w C:\Documents and Settings\Raj\Application Data\wklnhst.dat
2008-03-24 02:00 --------- d-----w C:\Program Files\Winamp
2008-03-24 01:39 --------- d-----w C:\Program Files\QuickTime
2008-03-24 01:36 --------- d-----w C:\Program Files\Microsoft Works
2008-03-24 01:31 --------- d-----w C:\Program Files\iTunes
2008-03-24 01:27 --------- d-----w C:\Program Files\Google
2008-03-24 01:27 --------- d-----w C:\Program Files\Digital Line Detect
2008-03-24 01:27 --------- d-----w C:\Program Files\Dell Support
2008-03-22 18:43 --------- d-----w C:\Documents and Settings\Raj\Application Data\McAfee
2008-03-13 07:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 07:47 --------- d-----w C:\Program Files\TurboTax
2008-02-15 06:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SAS
2008-02-14 22:40 --------- d-----w C:\Documents and Settings\Raj\Application Data\ArcSoft
2008-02-06 22:04 --------- d-----w C:\Program Files\SAS
2008-01-28 04:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-07 14:37 3,059,200 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-10-01 06:27 71,232 ----a-w C:\Documents and Settings\Raj\Application Data\GDIPFONTCACHEV1.DAT
2005-11-15 07:11 288,981 ----a-w C:\WINDOWS\Fonts\TSC17.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 22:57 395776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 06:04 59392]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 10:50 139264]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 02:20 339968 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 23:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19 53248]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50 81920]
"BuildBU"="c:\dell\bldbubg.exe" [2005-11-08 19:20 61440]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18 241664]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 00:20 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57 282624]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 14:29 35328]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"Device Detector"="C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" [2004-09-02 17:51 221184]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-11-08 19:44:07 156784]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-11-08 19:38:53 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]
TotalMedia Backup & Record Monitor.lnk - C:\Program Files\ArcSoft\Software Suite\TotalMedia Backup & Record\uBBMonitor.exe [2007-12-28 22:13:51 266240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"DisableTaskMgr"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\utorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 SAS Lev1 MS - EMiner;SAS Lev1 MS - EMiner;"C:\Program Files\SAS\SAS 9.1\sas.exe" -servicename "SAS Lev1 MS - EMiner" -config "C:\SAS\EMiner\Lev1\SASMain\MetadataServer\sasv9_MetadataServer.cfg" []
R2 SAS Lev1 OB - EMiner;SAS Lev1 OB - EMiner;"C:\Program Files\SAS\SAS 9.1\objspawn.exe" -runas "SAS Lev1 OB - EMiner" []
R3 Angel;Angel MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel.sys [2005-02-25 02:20]
S2 0255931206218263mcinstcleanup;McAfee Application Installer Cleanup (0255931206218263);C:\DOCUME~1\Raj\LOCALS~1\Temp\[u]0[/u]25593~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 bepldr;BCL easyPDF SDK 5 Loader;"C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe" [2007-02-21 17:26]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2004-11-02 17:12]
.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 21:01:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-22 20:37:38 C:\WINDOWS\Tasks\McDefragTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-22 20:37:38 C:\WINDOWS\Tasks\McQcTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 12:21:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-30 12:21:42
ComboFix-quarantined-files.txt 2008-03-30 16:21:39
ComboFix2.txt 2008-03-30 05:56:12

Pre-Run: 2,605,473,792 bytes free
Post-Run: 2,590,785,536 bytes free
.
2008-03-14 07:02:53 --- E O F ---