ComboFix 08-10-25.01 - sahim 2008-10-26 13:50:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.534 [GMT -4:00]
Running from: C:\Documents and Settings\sahim\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\aeb backup\shared\TEST REPORTS\Zhen\Zhen 95\test report\_desktop.ini
C:\WINDOWS\system32\acjefjxc.ini
C:\WINDOWS\system32\axkvnjwy.dll
C:\WINDOWS\system32\biypuwos.dll
C:\WINDOWS\system32\cxjfejca.dll
C:\WINDOWS\system32\dbiocbjs.ini
C:\WINDOWS\system32\effuexny.ini
C:\WINDOWS\system32\envpyu.dll
C:\WINDOWS\system32\eqkygacu.exe
C:\WINDOWS\system32\fjpaedha.dll
C:\WINDOWS\system32\grjocb.dll
C:\WINDOWS\system32\hqybwxud.dll
C:\WINDOWS\system32\ifxxughj.dll
C:\WINDOWS\system32\jkcdxv.dll
C:\WINDOWS\system32\khfFXoMD.dll
C:\WINDOWS\system32\kswtydly.exe
C:\WINDOWS\system32\KTDNWyxx.ini
C:\WINDOWS\system32\KTDNWyxx.ini2
C:\WINDOWS\system32\locyjcjp.exe
C:\WINDOWS\system32\ntfuijls.ini
C:\WINDOWS\system32\pfwjno.dll
C:\WINDOWS\system32\qglvkbvp.dll
C:\WINDOWS\system32\sjbcoibd.dll
C:\WINDOWS\system32\sljiuftn.dll
C:\WINDOWS\system32\ssqOEXQI.dll
C:\WINDOWS\system32\tuvSjJyX.dll
C:\WINDOWS\system32\vasbcg.dll
C:\WINDOWS\system32\wfedlkol.exe
C:\WINDOWS\system32\XyJjSvut.ini
C:\WINDOWS\system32\XyJjSvut.ini2
C:\WINDOWS\system32\yayyYrsP.dll
C:\WINDOWS\system32\ywjnvkxa.ini
.
((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.
2008-10-26 11:04 . 2008-10-26 11:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-26 11:04 . 2008-10-26 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-25 19:23 . 2008-10-25 19:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-25 19:23 . 2008-10-25 19:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-23 20:08 . 2008-10-23 22:32 <DIR> d-------- C:\Documents and Settings\sahim\Application Data\LimeWire
2008-10-23 20:07 . 2008-10-23 20:07 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-10-23 20:07 . 2008-10-23 20:07 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-14 21:54 . 2008-09-08 06:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-14 21:53 . 2008-08-14 06:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-14 21:53 . 2008-08-14 06:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-14 21:53 . 2008-08-14 05:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-14 21:53 . 2008-08-14 05:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-14 21:53 . 2008-09-15 08:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-13 20:16 . 2008-10-13 20:16 <DIR> d-------- C:\Program Files\TweetDeck
2008-10-13 20:16 . 2008-10-13 20:16 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-10-13 20:16 . 2008-10-13 20:16 <DIR> d-------- C:\Documents and Settings\sahim\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2008-10-13 01:26 . 2008-10-13 01:26 <DIR> d-------- C:\Program Files\PowerISO
2008-10-13 01:23 . 2008-10-13 01:23 <DIR> d-------- C:\Program Files\7-Zip
2008-10-13 01:18 . 2008-10-13 01:18 <DIR> d-------- C:\Documents and Settings\sahim\Application Data\.clamwin
2008-10-13 01:17 . 2008-10-13 01:17 <DIR> d-------- C:\Program Files\ClamWin
2008-10-13 01:17 . 2008-10-13 01:17 <DIR> d-------- C:\Documents and Settings\sahim\.clamwin
2008-10-08 23:40 . 2008-10-09 00:02 <DIR> d-------- C:\Program Files\ExcelRecovery
2008-10-08 23:40 . 2008-10-08 23:40 45,056 --a------ C:\WINDOWS\system32\pwssup.dll
2008-10-08 22:45 . 2008-10-08 22:45 <DIR> d-------- C:\Documents and Settings\sahim\Application Data\Scalabium
2008-10-04 14:56 . 2008-10-04 14:56 <DIR> d-------- C:\Program Files\The Refresher
2008-10-03 19:50 . 2008-10-03 20:21 221 --a------ C:\WINDOWS\ao97pr.ini
2008-10-03 19:49 . 2008-10-03 20:02 <DIR> d-------- C:\Program Files\ae2000pr
2008-10-03 19:49 . 2008-10-03 20:21 1,040 --a------ C:\WINDOWS\ae2000pr.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-25 21:05 --------- d-----w C:\Documents and Settings\sahim\Application Data\uTorrent
2008-10-24 00:07 --------- d-----w C:\Program Files\Java
2008-10-23 23:53 --------- d-----w C:\Program Files\eMule
2008-10-21 04:04 --------- d-----w C:\Program Files\TVUPlayer
2008-10-07 00:41 --------- d-----w C:\Documents and Settings\sahim\Application Data\Apple Computer
2008-09-21 19:27 --------- d-----w C:\Program Files\Audacity
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Google Update"="C:\Documents and Settings\sahim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-09-05 86016]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-13 185896]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-23 136600]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=grjocb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 09:47 116040 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-01-15 17:14 147456 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote]
--------- 2007-02-12 20:12 253000 C:\Program Files\Pinnacle\Shared Files\Programs\Remote\remoterm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-17 02:50 32881 C:\Program Files\Java\j2re1.4.2_16\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-13 01:14 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-08-24 17:24 88203 C:\WINDOWS\AGRSMMSG.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-23 152984]
S1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.sys [ ]
S3 USB28xxBGA;PCTV 330e/800e Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 361728]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 39680]
.
Contents of the 'Scheduled Tasks' folder
2008-10-26 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\sahim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 23:55]
.
- - - - ORPHANS REMOVED - - - -
BHO-{BB957648-612F-4BF3-AFE7-4E6901970E34} - C:\WINDOWS\system32\tuvSjJyX.dll
BHO-{D47D4D0C-264A-4504-B3F4-2FC94E4F1A0D} - C:\WINDOWS\system32\xxyWNDTK.dll
BHO-{FBFD382A-AC6E-4EB7-8944-F97D358B378D} - C:\WINDOWS\system32\yayyYrsP.dll
HKLM-Run-Ac97Sound - C:\WINDOWS\system32\snddrv.exe
HKLM-Run-microsystem - C:\WINDOWS\system32\snddrv.exe
ShellExecuteHooks-{FBFD382A-AC6E-4EB7-8944-F97D358B378D} - C:\WINDOWS\system32\yayyYrsP.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\sahim\Application Data\Mozilla\Firefox\Profiles\aur0foba.default\
FF -: plugin - C:\Documents and Settings\sahim\Application Data\Mozilla\Firefox\Profiles\aur0foba.default\extensions\[email protected]\plugins\npTVUAx.dll
FF -: plugin - C:\Documents and Settings\sahim\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-26 13:58:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="c:/xampp/mysql/bin/mysqld-nt.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="c:/xampp/mysql/bin/mysqld-nt.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-10-26 14:03:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-26 18:03:21
Pre-Run: 96,744,407,040 bytes free
Post-Run: 96,804,499,456 bytes free
194 --- E O F --- 2008-10-15 02:04:57
What should the next step be based on this log?
Thanks for your help.