After running Webroot AntiSpyware I saw that there were 3 trojans, but after quarantining and deleting them a re-run still shows them in the system:
VIRTUM-GEN
DLOADR-BEW
BCKDR-QJL
Getting the error "REGT is not recognized as an internal or external command, operable program or batch file" when trying to run ComboFix.
ComboFix 07-11-01.1** - Tony 2007-11-03 0:11:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.705 [GMT -4:00]
Running from: C:\Documents and Settings\Tony\My Documents\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Tony\Application Data\ICROSO~1.NET
C:\Documents and Settings\Tony\Application Data\winantiviruspro2007freeinstall[1].exe
C:\Program Files\wintouch
C:\Program Files\wintouch\wintouch.cfg
C:\windows\Casino.ico
C:\windows\cookies.ini
C:\windows\dat.txt
C:\windows\Free Online Dating.ico
C:\windows\rs.txt
C:\windows\Spyware Remover.ico
C:\windows\system32\amirlout.dll
C:\windows\system32\apkdewso.exe
C:\windows\system32\app.exe
C:\windows\system32\asqdhhdk.dll
C:\windows\system32\bhpaqbkc.dll
C:\windows\system32\bkapengl.exe
C:\windows\system32\bszip.dll
C:\windows\system32\bxutolog.exe
C:\WINDOWS\system32\ckbqaphb.ini
C:\windows\system32\debbllbu.dll
C:\windows\system32\dgdimrav.dll
C:\windows\system32\drivers\core.cache.dsk
C:\windows\system32\drivers\core.sys
C:\windows\system32\drivers\npf.sys
C:\windows\system32\fnts~1
C:\windows\system32\fnts~1\F?nts\
C:\windows\system32\fxyxegxq.exe
C:\windows\system32\hcgwkudo.exe
C:\windows\system32\igkmwvnp.exe
C:\WINDOWS\system32\jajphkkj.ini
C:\windows\system32\jcicwkkl.exe
C:\windows\system32\jimqymdp.exe
C:\windows\system32\jixockvy.exe
C:\windows\system32\jkkhpjaj.dll
C:\WINDOWS\system32\kdhhdqsa.ini
C:\windows\system32\kewjqlsf.exe
C:\windows\system32\lamrsfcu.exe
C:\windows\system32\mkryeiyp.exe
C:\windows\system32\mrfyrdpy.dll
C:\windows\system32\nhqnvpgv.exe
C:\windows\system32\niydnmhg.exe
C:\WINDOWS\system32\nnppo.bak1
C:\WINDOWS\system32\nnppo.bak2
C:\WINDOWS\system32\nnppo.ini
C:\WINDOWS\system32\nnppo.ini2
C:\WINDOWS\system32\nnppo.tmp
C:\WINDOWS\system32\npuptiqn.ini
C:\windows\system32\nqitpupn.dll
C:\windows\system32\nsedsarm.exe
C:\windows\system32\packet.dll
C:\windows\system32\pthreadVC.dll
C:\WINDOWS\system32\tuolrima.ini
C:\WINDOWS\system32\ubllbbed.ini
C:\windows\system32\wnfrnlys.exe
C:\windows\system32\wpcap.dll
C:\windows\system32\xajagalo.exe
C:\WINDOWS\system32\ypdryfrm.ini
C:\windows\wr.txt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\DomainService
-------\nm
-------\NPF
((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.
2007-11-03 00:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 08:35 <DIR> d-------- C:\VundoFix Backups
2007-11-02 00:12 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-02 00:11 <DIR> d-------- C:\Program Files\AskSBar
2007-11-02 00:04 <DIR> d-------- C:\Program Files\Webroot
2007-11-02 00:04 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Webroot
2007-11-02 00:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-02 00:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-02 00:04 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-02 00:04 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-02 00:04 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-02 00:04 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-02 00:04 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-10-08 07:03 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Avanquest
2007-10-07 21:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VCOM
2007-10-07 21:46 <DIR> dr-hs---- C:\_Backup.RC
2007-10-07 21:46 <DIR> d--h----- C:\_Backup
2007-10-07 21:41 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\VCOM
2007-10-07 21:36 <DIR> d-------- C:\Program Files\VCOM
2007-10-05 00:10 <DIR> d-------- C:\Program Files\Incomplete
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 11:32 --------- d-----w C:\Program Files\Ouqbukyc
2007-11-02 03:46 --------- d-----w C:\Program Files\LimeWire
2007-10-09 06:42 --------- d-----w C:\Documents and Settings\Tony\Application Data\WholeSecurity
2007-10-08 02:08 --------- d-----w C:\Program Files\Logitech
2007-10-08 02:05 --------- d-----w C:\Program Files\NAVNT
2007-10-08 02:03 --------- d-----w C:\Program Files\Symantec
2007-10-08 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-08 02:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-08 02:00 --------- d-----w C:\Program Files\Notes
2007-10-08 01:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-30 22:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-30 04:16 --------- d-----w C:\Program Files\GameSpy Arcade
2007-09-30 00:46 --------- d-----w C:\Program Files\qzuzkdgl
2007-09-29 13:14 --------- d-----w C:\Documents and Settings\Tony\Application Data\System Tweaker
2007-09-28 06:30 --------- d-----w C:\Program Files\Pandora Recovery
2007-09-28 05:43 --------- d-----w C:\Documents and Settings\Tony\Application Data\PandoraRecovery
2007-09-27 03:36 --------- d-----w C:\Program Files\Microsoft Games
2007-09-27 02:59 --------- d-----w C:\Program Files\DivX
2007-09-16 18:18 --------- d-----w C:\Program Files\Java
2007-09-15 12:31 --------- d-----w C:\Program Files\iTunes
2007-09-15 12:30 --------- d-----w C:\Program Files\iPod
2007-09-15 12:23 --------- d-----w C:\Program Files\Apple Software Update
2007-09-10 23:09 --------- d-----w C:\Program Files\ATI Technologies
2007-09-06 05:04 --------- d-----w C:\Program Files\Privacy Mantra 2.04
2007-09-06 05:03 --------- d-----w C:\Program Files\Privacy Mantra 1.33
2007-09-06 02:27 --------- d-----w C:\Program Files\BulletProofSoft.com
2007-01-21 22:43 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2004-12-23 02:23 21,848 -c-ha-w C:\Documents and Settings\Tony\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2007-11-02 00:11 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-11-02 00:11 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-11-02 00:11 267592]
[HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-11-02 00:11 267592]
[HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 03:56]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"<NO NAME>"="C:\Program Files\Western Digital\Data Lifeguard Tools\DataLifeguard.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Checkpoint Notify"="C:\Program Files\VCOM\Fix-It\CheckpointNotify.exe"
"VundoFix"="C:\Documents and Settings\Tony\My Documents\vundofix.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"=1 (0x1)
"DisableCurrentUserRunOnce"=1 (0x1)
"DisableCurrentUserRun"=1 (0x1)
"DisableLocalMachineRunOnce"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoTrayNotify"=1 (0x1)
"NoStartMenuMFUprogramsList"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoFavoritesMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svcWRSSSDK"=2 (0x2)
"imonNT"=2 (0x2)
"BlackICE"=2 (0x2)
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\windows\system32\Drivers\SSFS0BB8.SYS
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\windows\system32\Drivers\SSFS0BB9.SYS
R1 lusbaudio;Logitech USB Microphone;C:\windows\system32\drivers\lvsound2.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 QCAbsee;Logitech QuickCam Web(PID_0801);C:\windows\system32\DRIVERS\LVCA.sys
R3 smbusp;Intel® SMBus 2.0 Driver;C:\windows\system32\DRIVERS\smb.sys
S0 bthex;bthex;C:\windows\system32\drivers\bthex.sys
S1 atinnt;atinnt;C:\windows\system32\drivers\atinnt.sys
S1 ks2k;ks2k;C:\windows\system32\drivers\ks2k.sys
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;C:\windows\system32\Drivers\ALIEHCI.sys
S2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
S2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
S2 MKEUSB01;%MKEUSB01.SvcDesc%;C:\windows\system32\Drivers\MkeUsb01.sys
S3 aliroothub;USB 2.0 Root Hub;C:\windows\system32\DRIVERS\AliRtHub.sys
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\windows\system32\DRIVERS\ipsecw2k.sys
S3 MLFILEM;MLFILEM;\??\C:\windows\system32\drivers\MLFILEM.SYS
S3 usbprint;Microsoft USB PRINTER Class;C:\windows\system32\DRIVERS\usbprint.sys
S4 AutoExNT;AutoExNT;C:\windows\system32\AutoExNT.Exe
S4 Fix-It Task Manager;Fix-It Task Manager;C:\PROGRA~1\VCOM\Fix-It\mxtask.exe -Service
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbc287d4-67c1-11db-8203-00104b625209}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall
.
Contents of the 'Scheduled Tasks' folder
"2007-10-31 02:01:07 C:\windows\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 00:25:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-03 0:28:06 - machine was rebooted
.
--- E O F ---
HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 12:33:41 AM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\windows\Explorer.EXE
C:\windows\system32\devldr32.exe
C:\windows\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\cidaemon.exe
C:\windows\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Checkpoint Notify] "C:\Program Files\VCOM\Fix-It\CheckpointNotify.exe"
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Tony\My Documents\vundofix.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [] "C:\Program Files\Western Digital\Data Lifeguard Tools\DataLifeguard.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191895906018
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - (no file)
O20 - Winlogon Notify: NavLogon - C:\windows\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Unknown owner - C:\Program Files\Network ICE\BlackICE-3-1\blackd.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Edited by tonytattoo, 02 November 2007 - 10:37 PM.