My laptop is infected with the Antispyware.net problem (wallpaper changed, slow running, constant pop-ups and redirection to antispyware.net). I did some research on this forum, downloaded combofix.exe and ran it successfully; I also ran HijackThis, and the logs are supplied below. What can/should I do next? The problem is still there.
Thanx in advance.
Shahn
ComboFix 08-03-14.4 - soosh01 2008-03-15 19:09:48.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1759 [GMT -4:00]
Running from: C:\Documents and Settings\soosh01\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\BM0f8939b0.xml
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\Downloaded Program Files\MyWebEx
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atarm.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atas32.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasanot.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasctrl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasnt40.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atcarmcl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atdl2006.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atjpeg60.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atkbctl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atlchat.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atmemmgr.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atnetext.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atpack.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\attp.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atwbxui5.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\ieatgpc.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwm.ini
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmcliun.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmproxy.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmtrace.txt
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmupd.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\ratrace.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\raurl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\uilibres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\webexmgr.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000070.exe
C:\WINDOWS\system32\ddcdd.dll
C:\WINDOWS\system32\ddcdd.ini
C:\WINDOWS\system32\ddcdd.ini2
C:\WINDOWS\system32\hlaofqpu.dll
C:\WINDOWS\system32\mlksrjmu.ini
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\nnnkjhf.dll
C:\WINDOWS\system32\ojqadhjr.dll
C:\WINDOWS\system32\ttufbbgq.dll
C:\WINDOWS\system32\uiovmfky.dll
C:\WINDOWS\system32\umjrsklm.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\wxgcgtdc.dll
C:\WINDOWS\system32\xesppxal.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.
2008-03-15 17:43 . 2008-03-15 17:50 1,366,741 ---hs---- C:\WINDOWS\system32\pyelovqx.ini
2008-03-15 17:38 . 2008-03-15 19:08 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-15 17:38 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-15 17:38 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-15 17:38 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-15 17:38 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-15 17:37 . 2008-03-15 17:39 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-15 17:37 . 2008-03-15 17:37 <DIR> d-------- C:\Documents and Settings\soosh01\Application Data\PC Tools
2008-03-15 17:27 . 2008-03-15 17:27 <DIR> d-------- C:\WINDOWS\FLEOK
2008-03-15 17:27 . 2008-03-15 17:27 <DIR> d-------- C:\Program Files\zango
2008-03-15 17:27 . 2008-03-15 17:27 <DIR> d-------- C:\Program Files\180solutions
2008-03-15 17:27 . 2008-03-15 17:27 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-15 17:27 . 2008-03-15 17:27 <DIR> d-------- C:\Program Files\180search assistant
2008-03-15 16:42 . 2008-03-15 16:42 <DIR> d-------- C:\Program Files\Webroot
2008-03-15 16:42 . 2008-03-15 16:42 <DIR> d-------- C:\Documents and Settings\soosh01\Application Data\Webroot
2008-03-15 16:42 . 2008-03-15 16:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-15 16:42 . 2008-03-15 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-15 16:42 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2008-03-15 16:42 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-03-15 16:42 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-03-15 16:42 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-03-15 16:42 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-03-15 16:39 . 2008-03-15 16:39 <DIR> d-------- C:\Program Files\stc
2008-03-15 16:39 . 2008-03-15 16:39 32,000 --a------ C:\WINDOWS\didduid.ini
2008-03-15 16:39 . 2008-03-15 16:39 12,800 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-03-15 11:06 . 2008-03-15 11:06 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-15 11:06 . 2008-03-15 11:06 28,672 --a------ C:\WINDOWS\shdocpl.dll
2008-03-15 11:06 . 2008-03-15 11:06 25,856 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-03-15 11:06 . 2008-03-15 11:06 25,856 --a------ C:\WINDOWS\shdocpe.dll
2008-03-15 11:06 . 2008-03-15 11:06 25,088 --a------ C:\WINDOWS\ntnut.exe
2008-03-15 11:06 . 2008-03-15 11:06 24,064 --a------ C:\WINDOWS\msapasrc.dll
2008-03-15 11:06 . 2008-03-15 11:06 21,504 --a------ C:\WINDOWS\123messenger.per
2008-03-15 11:06 . 2008-03-15 11:06 14,080 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-03-15 11:06 . 2008-03-15 11:06 10,240 --a------ C:\WINDOWS\msa64chk.dll
2008-03-15 11:06 . 2008-03-15 11:06 8,960 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-03-15 10:51 . 2008-03-15 10:51 63 --a------ C:\WINDOWS\system32\0cba18a2
2008-03-15 10:46 . 2008-03-15 10:46 90,544 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-03-15 10:46 . 2008-03-15 10:46 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-03-15 10:45 . 2008-03-15 10:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-15 10:45 . 2008-03-15 10:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-13 19:20 . 2008-03-13 19:20 <DIR> d-------- C:\test
2008-03-09 19:56 . 2008-03-09 20:11 <DIR> d-------- C:\Program Files\MyEclipse 6.0
2008-02-21 09:42 . 2008-02-21 09:42 <DIR> d-------- C:\temp\ext59420
2008-02-21 09:42 . 2008-02-21 09:42 <DIR> d-------- C:\temp
2008-02-21 09:04 . 2007-02-28 05:10 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-02-21 09:04 . 2007-02-28 05:08 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-02-21 09:04 . 2007-02-28 04:38 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-02-21 09:04 . 2007-02-28 04:38 2,015,744 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-02-21 08:50 . 2008-02-21 08:50 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-20 20:47 . 2008-02-20 20:47 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-19 20:57 . 2008-02-19 20:57 <DIR> d-------- C:\Documents and Settings\soosh01\Application Data\Helios
2008-02-18 19:53 . 2008-02-18 19:53 <DIR> d-------- C:\Documents and Settings\soosh01\Application Data\RAI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 22:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-03-15 22:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-03-15 21:51 --------- d-----w C:\Program Files\Yahoo!
2008-03-14 19:44 --------- d-----w C:\Program Files\Trillian
2008-03-09 01:17 --------- d-----w C:\Documents and Settings\soosh01\Application Data\VMware
2008-02-09 00:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-03 18:57 --------- d-----w C:\Documents and Settings\soosh01\Application Data\Skype
2008-02-03 04:22 --------- d-----w C:\Documents and Settings\soosh01\Application Data\GARMIN
2008-01-19 00:00 --------- d-----w C:\Program Files\CA
2008-01-18 23:45 --------- d-----w C:\Documents and Settings\soosh01\Application Data\FileZilla
2005-09-02 16:03 28,672 -c--a-w C:\Documents and Settings\soosh01\atwbxdet.dll
2004-03-11 18:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 12:54 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtime Monitor"="C:\Program Files\CA\eTrustITM\realmon.exe" [2007-01-16 22:27 407632]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]
"SDJobCheck"="triggusr.exe" [2004-04-16 14:32 32768 C:\Program Files\CA\Unicenter Software Delivery\BIN\triggusr.exe]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CAF]
C:\Program Files\CA\DSM\Bin\cfwlogon.dll 2007-01-20 15:26 27664 C:\Program Files\CA\DSM\bin\cfWlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rcHostExt]
C:\Program Files\CA\DSM\Bin\rcLoginExt.dll 2007-01-20 15:27 11792 C:\Program Files\CA\DSM\bin\rcLoginExt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"C:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"C:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=
"C:\\Program Files\\CA\\SharedComponents\\iTechnology\\igateway.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 FSM;CA File System Monitor;C:\WINDOWS\system32\drivers\fsmnt.sys [2003-11-21 12:29]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-05-25 20:10]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2004-09-30 13:42]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2004-09-30 13:43]
R3 ZetBus;Zetera Virtual Bus;C:\WINDOWS\system32\DRIVERS\ZetBus.sys [2006-04-19 11:34]
S0 ZetSFD;ZetSFD;C:\WINDOWS\system32\DRIVERS\ZetSFD.sys [2006-04-19 11:34]
S1 CAFCR;CA File Change Recorder;C:\WINDOWS\system32\drivers\cafcr.sys [2004-07-05 11:54]
S2 AMBroker;Access Manager Configuration Service;"C:\Program Files\AccessManager\Client\AMBroker.exe" [2004-11-03 10:45]
S2 LogWatch;Event Log Watch;"C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2004-07-23 17:06]
S2 Mapsvc;User Name Mapping;C:\SFU\Mapper\mapsvc.exe [2003-11-08 10:42]
S2 NkPtpEnumP2;NkPtpEnumP2;"C:\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Nikon\Wireless Camera Setup Utility\NkPtpip.dll" []
S2 OFADriver;CA Backup Agent for Open Files Driver;C:\WINDOWS\system32\drivers\ofant.sys [2004-07-21 20:11]
S2 SFSZ;DataPlow SFS for Zetera Storage Devices;C:\WINDOWS\system32\drivers\sfsz.sys [2006-04-18 19:54]
S2 Sygman;SSA Integration Manager;"C:\Program Files\AccessManager\Client\sygman.exe" [2004-11-03 10:48]
S2 zzInterix;Interix Subsystem Startup;C:\WINDOWS\system32\PSXRUN.EXE [2007-07-02 19:49]
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 18:29]
S3 CA BrightStor ARCserve Backup for Laptops & Desktops Scheduler;CA BrightStor ARCserve Backup for Laptops & Desktops Scheduler;C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Client\ScheduleSrvc.exe [2004-10-20 08:38]
S3 CA Unicenter NSM Systems Performance Agent for UAM;CA Unicenter NSM Systems Performance Agent for UAM;"C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe" [2003-10-07 12:15]
S3 caf;CA DSM r11 Common Application Framework.;"C:\Program Files\CA\DSM\bin\caf.exe" service []
S3 Client for NFS;Client for NFS;C:\WINDOWS\system32\nfsclnt.exe [2003-11-08 10:42]
S3 DAPlugin;Visual Insight DA Plugin;C:\Program Files\AccessManager\Client\DAPlugin.exe [2004-11-03 10:56]
S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe" [2004-10-08 09:48]
S3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 16:26]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2004-09-30 13:43]
S3 NfsRdr;NfsRdr;C:\WINDOWS\system32\drivers\nfsrdr.sys [2003-11-08 10:42]
S3 OpenFileAgent;CA Backup Agent for Open Files;"C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Client\BAOF\Ofant.exe" [2004-07-21 20:10]
S3 Portmap;Portmap;C:\WINDOWS\system32\drivers\portmap.sys [2003-11-08 10:42]
S3 PsShutdownSvc;PsShutdown;C:\WINDOWS\System32\PSSDNSVC.EXE [2007-06-01 12:23]
S3 PsxDrv;PsxDrv;C:\WINDOWS\system32\drivers\PSXDRV.SYS [2003-11-08 10:45]
S3 rcSmCard;rcSmCard;C:\WINDOWS\system32\DRIVERS\rcSmCard.sys [2007-01-20 15:27]
S3 RCSpyDDML;RCSpyDDML;C:\WINDOWS\system32\DRIVERS\RCSpyMP.sys [2004-06-08 10:31]
S3 rcVidCap;rcVidCap;C:\WINDOWS\system32\DRIVERS\rcVidMpt.sys [2007-01-20 15:27]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-08-16 15:02]
S3 RpcXdr;RpcXdr;C:\WINDOWS\system32\drivers\rpcxdr.sys [2003-11-08 10:42]
S3 sp_spi_da;Visual Insight Dial Analysis;C:\Program Files\AccessManager\SMOC\spi_da.exe [2004-10-15 18:40]
S3 VBus;Virtual Bus;C:\WINDOWS\system32\DRIVERS\NkVBus.sys [2006-05-11 15:06]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;C:\WINDOWS\system32\DRIVERS\LSWLNDS.sys []
S3 Zetera;Zetera;C:\Program Files\NETGEAR\SC101 Manager Utility\ZeteraService.exe [2006-04-19 11:28]
S3 ZetMPD;ZetMPD;C:\WINDOWS\system32\DRIVERS\ZetMPD.sys [2006-04-19 11:34]
S4 CA_LIC_CLNT;CA License Client;"C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe" [2005-01-14 19:05]
S4 CronService;Windows Cron Service;C:\SFU\common\cron.exe [2003-11-08 10:46]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66ae4350-bea8-11da-98ce-005056c00008}]
\Shell\AutoRun\command - D:\LaunchU3.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 19:13:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\DMPrimer]
"ImagePath"="\"C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe\" -DMPRIMER_SERVICE_:"
.
Completion time: 2008-03-15 19:14:30
ComboFix-quarantined-files.txt 2008-03-15 23:14:11
***************
**********HIJACKTHIS LOG******************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:27, on 2008-03-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.ca.com/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = usilis03.ca.com:80
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02d.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: BrightStor ARCserve Backup for Laptops & Desktops Auto TCPIP.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in NewsGator Inbox - c:\progra~1\newsga~1\addref.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02d.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Subscribe in NewsGator - {82B02F23-47B5-4e6c-8A75-8E0527D73989} - C:\Program Files\NewsGator\NGIEExt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Helpdesk - {B2E6B973-9F6A-4697-8BDD-7D47F3EDF7FA} - http://helpdesk.ca.com/count.html (file missing) (HKCU)
O9 - Extra button: CA Portal - {C76AFA33-E4E3-4363-9CD9-64C3D6242896} - http://caportal.ca.com (file missing) (HKCU)
O9 - Extra button: SalesForce - {DDD19EA1-376D-4CF4-8613-A8BD04C858B2} - http://salesforce.ca.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://canet.ca.com
O15 - Trusted Zone: http://hrreports.ca.com
O15 - Trusted Zone: http://hrreportsft.ca.com
O15 - Trusted Zone: http://insight.ca.com
O15 - Trusted Zone: http://insightft.ca.com
O15 - Trusted Zone: http://mrm.ca.com
O15 - Trusted Zone: http://supportreports.ca.com
O15 - Trusted Zone: http://usilws19.ca.com
O15 - Trusted Zone: http://*.insight
O15 - Trusted Zone: http://*.insightft
O15 - Trusted Zone: http://*.mrm
O15 - Trusted Zone: http://*.supportreports
O15 - Trusted Zone: http://*.usilws19
O15 - Trusted Zone: http://hrreports.ca.com (HKLM)
O15 - Trusted Zone: http://hrreportsft.ca.com (HKLM)
O15 - Trusted Zone: http://insight.ca.com (HKLM)
O15 - Trusted Zone: http://insightft.ca.com (HKLM)
O15 - Trusted Zone: http://mrm.ca.com (HKLM)
O15 - Trusted Zone: http://supportreports.ca.com (HKLM)
O15 - Trusted Zone: http://usilws19.ca.com (HKLM)
O15 - Trusted Zone: http://*.insight (HKLM)
O15 - Trusted Zone: http://*.insightft (HKLM)
O15 - Trusted Zone: http://*.mrm (HKLM)
O15 - Trusted Zone: http://*.supportreports (HKLM)
O15 - Trusted Zone: http://*.usilws19 (HKLM)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...l?noreloadredir
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....00719/sb02d.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca.com
O17 - HKLM\Software\..\Telephony: DomainName = ca.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ca.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\DSM\Bin\rcLoginExt.dll
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CA BrightStor ARCserve Backup for Laptops & Desktops Scheduler - Computer Associates International, Inc. - C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Client\ScheduleSrvc.exe
O23 - Service: CA Unicenter NSM Systems Performance Agent for UAM - Unknown owner - C:\WINDOWS\AMO40\CWS\PAgent\capmuamagt.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: DM Primer (DMPrimer) - Computer Associates - C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
O23 - Service: CA Backup Agent for Open Files (OpenFileAgent) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Client\BAOF\Ofant.exe
O23 - Service: PsShutdown (PsShutdownSvc) - Systems Internals - C:\WINDOWS\System32\PSSDNSVC.EXE
O23 - Service: Unicenter Remote Control Host (rcHost) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Remote Control\rcHost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: SSA Integration Manager (Sygman) - MCI, Inc. - C:\Program Files\AccessManager\Client\sygman.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Zetera - Zetera Corporation - C:\Program Files\NETGEAR\SC101 Manager Utility\ZeteraService.exe
--
End of file - 12396 bytes