I hope I did everything right.
SDFix report:
SDFix: Version 1.219 Run by Soleil Robichaud on Sun 08/24/2008 at 07:57 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\g.bat - Deleted
C:\WINDOWS\Help\svchost.exe - Deleted
C:\WINDOWS\system32\i - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-24 20:03:43
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
C:\WINDOWS\Fonts\wmsncs.exe [1704] 0xFF9DA4C0
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Thu 7 Aug 2008 126,823 ..SHR --- "C:\WINDOWS\Fonts\wmsncs.exe"
Thu 7 Aug 2008 126,823 ..SHR --- "C:\Program Files\Common Files\System\wmsncs.exe"
Mon 4 Jun 2007 20,809 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti3.tmp"
Thu 7 Aug 2008 126,823 ..SHR --- "C:\WINDOWS\system32\wins\wmsncs.exe"
Wed 13 Aug 2008 21,504 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0001.tmp"
Sun 10 Aug 2008 28,672 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0002.tmp"
Sun 10 Aug 2008 33,280 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0005.tmp"
Wed 20 Aug 2008 19,456 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0006.tmp"
Sun 10 Aug 2008 31,232 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0331.tmp"
Sun 10 Aug 2008 32,256 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0513.tmp"
Wed 13 Aug 2008 42,496 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0800.tmp"
Sun 10 Aug 2008 32,256 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL1937.tmp"
Mon 4 Aug 2008 22,528 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL2081.tmp"
Wed 13 Aug 2008 22,528 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL2388.tmp"
Wed 13 Aug 2008 19,968 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL2405.tmp"
Sun 10 Aug 2008 32,768 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL2562.tmp"
Wed 20 Aug 2008 26,624 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL2625.tmp"
Sun 10 Aug 2008 32,768 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL2845.tmp"
Thu 7 Aug 2008 23,552 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL3033.tmp"
Wed 13 Aug 2008 19,456 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL3499.tmp"
Sun 10 Aug 2008 29,184 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL3552.tmp"
Thu 7 Aug 2008 126,823 ..SHR --- "C:\WINDOWS\system32\spool\drivers\wmsncs.exe"
Thu 7 Aug 2008 126,823 ..SHR --- "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmsncs.exe"
Wed 13 Aug 2008 38,912 ...H. --- "C:\Documents and Settings\Soleil Robichaud\Application Data\Microsoft\Word\~WRL1821.tmp"
Wed 12 Nov 2003 65,024 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL0013.tmp"
Tue 11 Nov 2003 31,744 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL0928.tmp"
Tue 11 Nov 2003 54,784 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL1105.tmp"
Wed 12 Nov 2003 64,512 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL1110.tmp"
Wed 12 Nov 2003 68,096 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL1924.tmp"
Tue 11 Nov 2003 53,760 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL2454.tmp"
Tue 11 Nov 2003 40,960 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL2620.tmp"
Tue 11 Nov 2003 65,024 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL2759.tmp"
Tue 11 Nov 2003 55,296 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL2916.tmp"
Wed 12 Nov 2003 65,024 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL2932.tmp"
Wed 12 Nov 2003 69,120 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL2997.tmp"
Wed 12 Nov 2003 65,536 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL3387.tmp"
Tue 11 Nov 2003 29,184 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL3431.tmp"
Wed 12 Nov 2003 118,272 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL3564.tmp"
Finished!
ComboFix log:
ComboFix 08-08-23.03 - Soleil Robichaud 2008-08-24 20:41:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.94 [GMT -4:00]
Running from: C:\Documents and Settings\Soleil Robichaud\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Soleil Robichaud\Application Data\macromedia\Flash Player\#SharedObjects\FUYZS8F5\interclick.com
C:\Documents and Settings\Soleil Robichaud\Application Data\macromedia\Flash Player\#SharedObjects\FUYZS8F5\interclick.com\ud.sol
C:\Documents and Settings\Soleil Robichaud\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Soleil Robichaud\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Trevor Robichaud\Application Data\macromedia\Flash Player\#SharedObjects\R6B6SHBX\interclick.com
C:\Documents and Settings\Trevor Robichaud\Application Data\macromedia\Flash Player\#SharedObjects\R6B6SHBX\interclick.com\ud.sol
C:\Documents and Settings\Trevor Robichaud\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Trevor Robichaud\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\help\svchost.exe
C:\WINDOWS\system32\mdm.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.
2008-08-24 19:54 . 2008-08-24 19:54 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-24 19:48 . 2008-08-24 20:05 <DIR> d-------- C:\SDFix
2008-08-24 18:02 . 2008-08-24 18:55 <DIR> d-------- C:\Documents and Settings\Trevor Robichaud\Application Data\AdwareAlert
2008-08-24 12:30 . 2008-08-24 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-23 19:25 . 2008-08-23 19:25 <DIR> d-------- C:\Program Files\AdwareAlert
2008-08-23 19:01 . 2008-08-23 19:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-23 18:52 . 2008-08-23 19:28 <DIR> d-------- C:\Documents and Settings\Soleil Robichaud\Application Data\AdwareAlert
2008-08-23 18:52 . 2008-08-24 16:14 <DIR> d-------- C:\Documents and Settings\Ron Robichaud\Application Data\AdwareAlert
2008-08-23 18:49 . 2008-08-23 18:52 <DIR> d-------- C:\Documents and Settings\Soleil Robichaud\Application Data\AdwareAlert(2)
2008-08-23 18:32 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-23 18:32 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-23 18:32 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-23 18:32 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-23 18:20 . 2008-08-23 18:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 18:20 . 2008-08-23 18:20 <DIR> d-------- C:\Documents and Settings\Soleil Robichaud\Application Data\Malwarebytes
2008-08-23 18:20 . 2008-08-23 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-23 18:19 . 2008-08-23 18:19 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-23 18:13 . 2008-08-23 18:59 <DIR> d-------- C:\Program Files\ERUNT
2008-08-22 13:32 . 2008-08-24 18:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-22 13:32 . 2008-08-22 13:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-14 22:37 . 2008-08-14 22:37 <DIR> d-------- C:\Program Files\EPSON
2008-08-14 22:37 . 2004-06-24 01:20 309,760 --a------ C:\WINDOWS\system32\EAL32.DLL
2008-08-14 22:37 . 2004-03-12 01:30 82,944 --a------ C:\WINDOWS\system32\EAL.EXE
2008-08-14 22:37 . 2004-11-25 05:07 79,679 --a------ C:\WINDOWS\system32\E_FLMABA.DLL
2008-08-14 22:37 . 2003-05-21 02:27 64,000 --a------ C:\WINDOWS\system32\E_FBCBABA.DLL
2008-08-14 22:37 . 2000-06-07 01:01 34,304 --a------ C:\WINDOWS\system32\E_FBCHABA.DLL
2008-08-14 22:37 . 2004-06-24 01:20 51 --a------ C:\WINDOWS\system32\EAL32.INI
2008-08-11 00:33 . 2008-08-11 00:33 <DIR> d-------- C:\Documents and Settings\Soleil Robichaud\Application Data\acccore
2008-08-11 00:31 . 2008-08-11 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-08-11 00:30 . 2008-08-11 00:30 21 --a------ C:\WINDOWS\atid.ini
2008-08-11 00:29 . 2008-08-11 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-08-11 00:29 . 2008-08-11 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-08-11 00:29 . 2008-08-11 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-08-11 00:27 . 2008-08-11 00:33 <DIR> d-------- C:\Program Files\AIM6
2008-08-08 22:46 . 2008-08-08 22:46 53 --a------ C:\WINDOWS\system32\g.ftp
2008-08-07 17:31 . 2008-08-07 17:31 159,744 --a------ C:\WINDOWS\system32\Bsmtp.dll
2008-08-07 17:31 . 2008-08-07 17:31 108,336 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-08-07 15:46 . 2008-08-07 15:46 <DIR> d---s---- C:\Documents and Settings\Ron Robichaud\UserData
2008-08-01 23:09 . 2008-08-01 23:09 <DIR> d-------- C:\WINDOWS\A8B9466986544126BD28D0D2412CDED6.TMP
2008-08-01 13:01 . 2008-08-15 12:21 <DIR> d-------- C:\Documents and Settings\Trevor Robichaud\Application Data\OnRez
2008-08-01 12:07 . 2008-08-01 12:07 <DIR> d---s---- C:\Documents and Settings\Trevor Robichaud\UserData
2008-07-31 22:03 . 2008-08-15 01:49 <DIR> d-------- C:\Documents and Settings\Trevor Robichaud\Application Data\SecondLife
2008-07-31 21:53 . 2008-07-31 21:53 <DIR> d---s---- C:\Documents and Settings\Soleil Robichaud\UserData
2008-07-31 21:40 . 2008-07-31 21:40 2,838 --a------ C:\WINDOWS\machine.ver
2008-07-31 14:02 . 2008-07-31 14:02 <DIR> d-------- C:\Documents and Settings\Soleil Robichaud\Application Data\MAGIX
2008-07-25 10:37 . 2006-05-23 17:41 626,688 --a------ C:\WINDOWS\system32\mgxoschk.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 22:47 79,270 ----a-w C:\Program Files\hptdvnkb.txt
2008-08-11 04:28 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-08 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-08-07 21:31 83,968 ----a-w C:\WINDOWS\Help\svchost32.exe
2008-08-07 21:31 409,600 ----a-w C:\WINDOWS\Help\ipconfig.sys
2008-08-07 21:31 409,600 ----a-w C:\WINDOWS\Help\internat.exe
2008-08-07 19:17 126,823 --sh--r C:\WINDOWS\Fonts\wmsncs.exe
2008-08-02 03:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 15:16 --------- d-----w C:\Program Files\MindSpring 4.0
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 11:21 50472]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2008-08-22 15:20 9093120]
"Network Connections"="C:\WINDOWS\help\internat.exe" [2008-08-07 17:31 409600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-04-15 23:01 258048]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 03:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 03:07 114688]
"PmProxy"="C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 22:54 40960]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 20:16 172032]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 17:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00 126976]
"NDSTray.exe"="C:\Program Files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-17 23:26 458752]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 16:21 159744]
"AccessRampMonitor"="C:\Program Files\AccessRamp\ARMon32.exe" [1999-08-03 13:13 68096]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [2006-08-20 22:28 28672]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 02:12 49152]
"Wmsncs Service"="C:\WINDOWS\Fonts\wmsncs.exe" [2008-08-07 15:17 126823]
"NvidMediaCenter"="C:\Program Files\Common Files\System\wmsncs.exe" [2008-08-07 15:17 126823]
"Spool Driver Service"="C:\WINDOWS\System32\spool\drivers\wmsncs.exe" [2008-08-07 15:17 126823]
"Wins Service"="C:\WINDOWS\System32\wins\wmsncs.exe" [2008-08-07 15:17 126823]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 04:00 98304]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2002-12-10 13:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Wmsncs Service"="C:\WINDOWS\Fonts\wmsncs.exe" [2008-08-07 15:17 126823]
"NvidMediaCenter"="C:\Program Files\Common Files\System\wmsncs.exe" [2008-08-07 15:17 126823]
"Spool Driver Service"="C:\WINDOWS\System32\spool\drivers\wmsncs.exe" [2008-08-07 15:17 126823]
"Wins Service"="C:\WINDOWS\System32\wins\wmsncs.exe" [2008-08-07 15:17 126823]
"Network Connections"="C:\WINDOWS\help\internat.exe" [2008-08-07 17:31 409600]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 02:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 18:23:00 65588]
wmsncs.exe [2008-08-07 15:17:21 126823]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe \"C:\\WINDOWS\\Fonts\\wmsncs.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
R2 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86;C:\WINDOWS\Fonts\wmsncs.exe [2008-08-07 15:17]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\System32\DRIVERS\cben5.sys [2001-08-17 08:13]
S3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\System32\DRIVERS\wlags48b.sys [2002-06-28 19:29]
*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SHAREDACCESS
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}]
C:\WINDOWS\Fonts\wmsncs.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Background Intelligent Transfer Service - C:\WINDOWS\help\svchost.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
O8 -: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-24 20:45:33
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
C:\WINDOWS\Fonts\wmsncs.exe [1704] 0xFF9DA4C0
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-24 20:48:55
ComboFix-quarantined-files.txt 2008-08-25 00:48:48
Pre-Run: 1,221,816,320 bytes free
Post-Run: 2,029,334,528 bytes free
179
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:00 PM, on 8/24/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\AccessRamp\ARMon32.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [AccessRampMonitor] C:\Program Files\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O5 "LPT1:" /M "Stylus C88"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [Network Connections] C:\WINDOWS\help\internat.exe
O4 - HKUS\S-1-5-18\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Network Connections] C:\WINDOWS\help\internat.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: wmsncs.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.mindspring.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 6773 bytes