Hi Indigenus,
Thanks a lot for helping me run ComboFix.
Here is the extract of the ComboFix log file:
ComboFix 09-01-19.01 - 501407560 2009-01-19 13:47:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1301 [GMT -5:00]
Running from: d:\documents and settings\501407560\Desktop\Combo-Fix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated)
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: Sophos Client Firewall *enabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\afipekab.ini
c:\windows\system32\alamilew.ini
c:\windows\system32\alirojak.ini
c:\windows\system32\anonoyip.ini
c:\windows\system32\arheux.dll
c:\windows\system32\atoresez.ini
c:\windows\system32\atudikiy.ini
c:\windows\system32\atugijaf.ini
c:\windows\system32\ayamogop.ini
c:\windows\system32\ayehabin.ini
c:\windows\system32\bakepifa.dll
c:\windows\system32\birizofu.dll
c:\windows\system32\biyebafi.dll
c:\windows\system32\dubozome.dll
c:\windows\system32\durifesu.dll
c:\windows\system32\ebinoyam.ini
c:\windows\system32\ehudiked.ini
c:\windows\system32\ejadogap.ini
c:\windows\system32\ekibotof.ini
c:\windows\system32\ekujezof.ini
c:\windows\system32\eohxtc.dll
c:\windows\system32\erokuyak.ini
c:\windows\system32\esegowig.ini
c:\windows\system32\fusigoka.dll
c:\windows\system32\fxwame.dll
c:\windows\system32\gaditino.dll
c:\windows\system32\gibapuru.dll
c:\windows\system32\hagijifa.dll
c:\windows\system32\hefedapa.dll
c:\windows\system32\hohokaza.dll
c:\windows\system32\iheberod.ini
c:\windows\system32\ivadozat.ini
c:\windows\system32\iwesolog.ini
c:\windows\system32\jufevedu.dll
c:\windows\system32\khzlhh.dll
c:\windows\system32\kiyejebe.dll
c:\windows\system32\lozsmf.dll
c:\windows\system32\lutirada.dll
c:\windows\system32\nibaheya.dll
c:\windows\system32\nigavimi.dll
c:\windows\system32\nugogaza.dll
c:\windows\system32\nunajimo.dll
c:\windows\system32\nupotuku.dll
c:\windows\system32\ofabopap.ini
c:\windows\system32\oguwator.ini
c:\windows\system32\ohorugaw.ini
c:\windows\system32\omovuvij.ini
c:\windows\system32\onenodeg.ini
c:\windows\system32\onuyaveg.ini
c:\windows\system32\ovememag.ini
c:\windows\system32\owuhujey.ini
c:\windows\system32\oziyinan.ini
c:\windows\system32\peluloge.dll
c:\windows\system32\pihimage.dll
c:\windows\system32\pnswty.dll
c:\windows\system32\pozofohu.dll
c:\windows\system32\puseveni.dll
c:\windows\system32\ravababo.dll
c:\windows\system32\rocvwt.dll
c:\windows\system32\ruhegozi.dll
c:\windows\system32\tudoside.dll
c:\windows\system32\udevefuj.ini
c:\windows\system32\ufafehet.ini
c:\windows\system32\ugekiven.ini
c:\windows\system32\unekobaf.ini
c:\windows\system32\unuwovub.ini
c:\windows\system32\unuzohal.ini
c:\windows\system32\uvuwogod.ini
c:\windows\system32\uwuyetis.ini
c:\windows\system32\vulamini.dll
c:\windows\system32\waguroho.dll
c:\windows\system32\yikiduta.dll
c:\windows\system32\yilejino.dll
c:\windows\system32\yivoboki.dll
c:\windows\system32\zamivoru.dll
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://77.74.48.105
hxxp://77.74.48.101
.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.
2009-01-19 13:40 . 2009-01-19 13:40 <DIR> d--h----- c:\windows\PIF
2009-01-19 09:45 . 2009-01-19 13:41 <DIR> d-------- C:\ComboFix
2009-01-19 09:45 . 2009-01-19 13:41 <DIR> d-------- C:\32788R22FWJFW
2009-01-18 11:13 . 2009-01-18 11:13 <DIR> d-------- c:\program files\Trend Micro
2009-01-17 15:54 . 2009-01-17 15:54 46,592 --a------ C:\win32.exe
2009-01-16 16:00 . 2009-01-16 16:00 2,098 ---hs---- c:\windows\system32\yiriyidi.exe
2009-01-16 10:14 . 2009-01-16 10:14 26,155 --a------ c:\windows\system32\drivers\LKD8.tmp
2009-01-15 10:07 . 2009-01-15 10:07 <DIR> d-------- c:\windows\PacTrack
2009-01-15 10:06 . 2009-01-15 10:06 <DIR> d-------- c:\program files\Common Files\Sophos
2009-01-15 10:06 . 2009-01-15 10:02 100,096 --a------ c:\windows\system32\drivers\scfdriver.sys
2009-01-15 10:04 . 2009-01-15 10:04 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2009-01-15 10:04 . 2009-01-15 10:02 17,920 --a------ c:\windows\system32\sophosboottasks.exe
2009-01-15 10:03 . 2009-01-15 10:06 <DIR> d-------- d:\documents and settings\All Users\Application Data\Sophos
2009-01-15 10:02 . 2009-01-15 10:02 101,120 --a------ c:\windows\system32\drivers\savonaccesscontrol.sys
2009-01-15 10:02 . 2009-01-15 10:02 33,408 --a------ c:\windows\system32\drivers\savonaccessfilter.sys
2009-01-15 10:00 . 2009-01-15 10:07 <DIR> d-------- c:\program files\Sophos
2009-01-15 09:58 . 2009-01-15 09:58 26,155 --a------ c:\windows\system32\drivers\LKD46.tmp
2009-01-15 09:53 . 2009-01-15 09:58 391,891 --a------ C:\avremove.csv
2009-01-15 09:46 . 2009-01-15 09:46 <DIR> d-------- c:\temp\Sophos
2009-01-15 09:46 . 2009-01-15 10:07 <DIR> d-------- C:\Logs
2009-01-14 11:44 . 2009-01-14 11:44 26,155 --a------ c:\windows\system32\drivers\LKD18.tmp
2009-01-13 13:04 . 2009-01-13 13:04 364 --a------ C:\Shortcut to GE Work.lnk
2009-01-13 10:53 . 2009-01-13 10:53 26,155 --a------ c:\windows\system32\drivers\LKD3F.tmp
2009-01-12 19:56 . 2009-01-12 19:56 2,098 ---hs---- c:\windows\system32\ridihaka.exe
2009-01-08 13:52 . 2009-01-08 13:52 26,155 --a------ c:\windows\system32\drivers\LKD14.tmp
2009-01-07 13:13 . 2009-01-07 13:13 26,155 --a------ c:\windows\system32\drivers\LKD16.tmp
2009-01-06 16:10 . 2009-01-06 16:10 26,155 --a------ c:\windows\system32\drivers\LKD5F.tmp
2009-01-05 15:01 . 2009-01-05 15:01 26,155 --a------ c:\windows\system32\drivers\LKD15.tmp
2008-12-29 11:57 . 2008-12-29 11:57 26,155 --a------ c:\windows\system32\drivers\LKD3E.tmp
2008-12-22 10:53 . 2009-01-15 17:01 <DIR> d-------- C:\GE Work
2008-12-22 07:37 . 2008-12-22 07:37 262,144 --a------ C:\ntuser.dat
2008-12-22 06:33 . 2008-12-22 06:33 <DIR> d---s---- d:\documents and settings\LocalService\UserData
2008-12-19 08:31 . 2008-12-19 08:31 26,155 --a------ c:\windows\system32\drivers\LKD3D.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 14:30 --------- d-----w d:\documents and settings\501407560\Application Data\Sametime
2009-01-17 20:33 --------- d-----w d:\documents and settings\501407560\Application Data\Move Networks
2009-01-16 00:43 --------- d-----w c:\program files\SafeBoot
2009-01-15 21:50 30,267 ----a-w c:\windows\system32\drivers\safeboot.sys
2009-01-15 15:50 --------- d-----w c:\program files\Common Files\Real
2009-01-15 15:48 --------- d-----w c:\program files\Google
2009-01-15 15:34 --------- d-----w d:\documents and settings\All Users\Application Data\Symantec
2009-01-15 15:34 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-10 14:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-02 15:59 --------- d-----w c:\program files\Nortel Networks
2008-12-22 09:15 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2008-12-16 17:38 26,155 ----a-w c:\windows\system32\drivers\LKD153.tmp
2008-12-15 16:51 26,155 ----a-w c:\windows\system32\drivers\LKD43.tmp
2008-12-12 18:30 26,155 ----a-w c:\windows\system32\drivers\LKD165.tmp
2008-12-10 21:28 26,155 ----a-w c:\windows\system32\drivers\LKDF.tmp
2008-12-09 16:43 26,155 ----a-w c:\windows\system32\drivers\LKD14B.tmp
2008-12-08 16:39 26,155 ----a-w c:\windows\system32\drivers\LKD47.tmp
2008-12-05 21:01 26,155 ----a-w c:\windows\system32\drivers\LKDD.tmp
2008-12-04 18:49 26,155 ----a-w c:\windows\system32\drivers\LKD13.tmp
2008-12-04 15:25 26,155 ----a-w c:\windows\system32\drivers\LKD69.tmp
2008-12-03 16:29 26,155 ----a-w c:\windows\system32\drivers\LKDC.tmp
2008-12-01 17:33 26,155 ----a-w c:\windows\system32\drivers\LKD17.tmp
2008-11-24 16:20 26,155 ----a-w c:\windows\system32\drivers\LKD67.tmp
2008-11-20 19:09 26,155 ----a-w c:\windows\system32\drivers\LKD14C.tmp
2008-11-19 19:35 --------- d-----w d:\documents and settings\501407560\Application Data\ICAClient
1601-01-01 00:12 95,232 --sha-w c:\windows\system32\vinomisu.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-03 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2007-06-20 1028160]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_15\bin\jusched.exe" [2008-02-09 75256]
"Sxplog"="c:\sxpinst\sxpstub.exe" [2005-10-24 20480]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"SBMGRNT.EXE"="c:\progra~1\SafeBoot\SBMGRNT.EXE" [2008-04-28 49212]
"CA-AMAgent"="c:\program files\CA\Unicenter Asset Management\Agents\amagent.exe" [2003-03-07 45056]
"ENDFORCEAgent"="c:\program files\ENDFORCE\AgntTray.exe" [2007-12-21 1646592]
"SCFTrayStartUp"="c:\program files\Sophos\Sophos Client Firewall\SCFTray.exe" [2009-01-15 224312]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-02-28 c:\windows\system32\bthprops.cpl]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 c:\windows\stsystra.exe]
"SDJobCheck"="triggusr.exe" [2006-02-22 Delivery\BIN\triggusr.exe]
d:\documents and settings\Default User\Start Menu\Programs\Startup\
Sametime 7.5.lnk - c:\program files\IBM\Sametime Connect\sametime.exe [2006-10-18 360448]
d:\documents and settings\501407560\Start Menu\Programs\Startup\
Sametime 7.5.lnk - c:\program files\IBM\Sametime Connect\sametime.exe [2006-10-18 360448]
d:\documents and settings\501056442\Start Menu\Programs\Startup\
Sametime 7.5.lnk - c:\program files\IBM\Sametime Connect\sametime.exe [2006-10-18 360448]
d:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-10-26 245760]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2008-04-28 08:21 122949 c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=firefox_shutdown.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Disable_Hibernation_for_Safeboot.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=firefox_startup.vbs
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\IBM\\Sametime Connect\\sametime.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5556:TCP"= 5556:TCP:SafeBoot
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\safeboot.sys [2008-04-28 30267]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\sbalg.sys [2008-04-28 44848]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2008-04-28 4752]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-01-15 101120]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-01-15 33408]
R1 SBFlop;SBFlop;c:\windows\system32\drivers\sbflop.sys [2008-04-28 6096]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\sbprcctl.sys [2008-04-28 14864]
R1 scfdriver;SCF Kernel Driver;c:\windows\system32\drivers\scfdriver.sys [2009-01-15 100096]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-10-15 9433]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [2007-06-14 398720]
R4 ENDFORCE Agent API;ENDFORCE Agent API;c:\program files\ENDFORCE\AgentAPI.exe [2007-12-19 2945024]
R4 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [2007-06-14 87664]
R4 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2006-10-17 69632]
R4 SafeBootConfigurationManager;SafeBoot Configuration Manager;c:\program files\SafeBoot\sbmgrnt.exe [2008-04-28 49212]
R4 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2009-01-15 69632]
R4 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2009-01-15 98304]
R4 SDService;Unicenter Software Delivery;c:\program files\CA\Unicenter Software Delivery\BIN\SDServ.exe [2006-02-22 32768]
R4 Sophos Client Firewall Manager;Sophos Client Firewall Manager;c:\program files\Sophos\Sophos Client Firewall\SCFManager.exe [2009-01-15 109624]
R4 Sophos Client Firewall;Sophos Client Firewall;c:\program files\Sophos\Sophos Client Firewall\SCFService.exe [2009-01-15 93240]
S0 iastor3400;Intel AHCI Controller;c:\windows\system32\drivers\iaStor3400.sys [2008-02-20 308248]
S0 iaStor390;Intel AHCI Controller;c:\windows\system32\drivers\iaStor390.sys [2007-12-13 304920]
S0 iastor755;Intel AHCI Controller;c:\windows\system32\drivers\IaStor755.sys [2007-10-18 305176]
S0 symmpi7400;symmpi7400;c:\windows\system32\drivers\symmpi7400.sys [2008-02-20 100096]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Common Files\Juniper Networks\TNC Client\jTnccService.exe [2007-06-20 81992]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [2007-10-15 630784]
S4 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-10-15 115680]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - AMOAGENT
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9570a551-4bdf-11dc-86d1-806d6172696f}]
\Shell\AutoRun\command - F:\setup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\INF\wmactedp.inf,PerUserStub,,4
.
Contents of the 'Scheduled Tasks' folder
2009-01-19 c:\windows\Tasks\workstations.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-01-15 10:02]
.
- - - - ORPHANS REMOVED - - - -
BHO-{3487901a-eb23-4ef8-bc0d-c6a3c81c4573} - c:\windows\system32\lozsmf.dll
BHO-{7a332452-6f67-40f4-b745-f83eada00408} - c:\windows\system32\peluloge.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://corp.home.ge.com/
uInternet Connection Wizard,ShellNext = https://discoverer.f...feelname=oracle
uInternet Settings,ProxyOverride = <local>
Trusted Zone: *.webex.com
Trusted Zone: *.webex.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Sametime MRC 651FP1 - hxxp://americascomm01.ge.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} - hxxp://americascomm01.ge.com/sametime/STMeetingRoomClient/STJNILoader.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 14:10:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(196)
c:\program files\SafeBoot\SBGINA.DLL
c:\program files\SafeBoot\SBIPC.DLL
c:\windows\system32\odyEvent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Juniper Networks\Odyssey Access Client\odClientService.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\CA\SharedComponents\CAM\bin\cam.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\CA\Unicenter Software Delivery\BIN\TRIGGAG.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\sxpinst\sxplog32.exe
c:\windows\UMCSTUB.EXE
c:\program files\IBM\Sametime Connect\jre\bin\sametime75.exe
.
**************************************************************************
.
Completion time: 2009-01-19 14:15:08 - machine was rebooted [501407560]
ComboFix-quarantined-files.txt 2009-01-19 19:15:05
Pre-Run: 21,708,570,624 bytes free
Post-Run: 21,648,674,816 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
323 --- E O F --- 2008-10-30 18:24:53
----------------------------------------------------------------------
Please find the latest HijackThis log file below.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:20, on 2009-01-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\ENDFORCE\AgentAPI.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.5.0_15\bin\jusched.exe
C:\SxpInst\sxplog32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ENDFORCE\AgntTray.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\UMCSTUB.EXE
C:\Program Files\IBM\Sametime Connect\sametime.exe
C:\Program Files\IBM\Sametime Connect\jre\bin\sametime75.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.5.0_15\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Juniper Networks\Odyssey Access Client\odtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://corp.home.ge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://discoverer.f...feelname=oracle
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://corp.setpac.ge.com/pac.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\system32\SCTOOL~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_15\bin\jusched.exe"
O4 - HKLM\..\Run: [Sxplog] C:\SxpInst\sxpstub.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [CA-AMAgent] "C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"
O4 - HKLM\..\Run: [ENDFORCEAgent] "C:\Program Files\ENDFORCE\AgntTray.exe"
O4 - HKLM\..\Run: [SCFTrayStartUp] C:\Program Files\Sophos\Sophos Client Firewall\SCFTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Sametime 7.5.lnk = C:\Program Files\IBM\Sametime Connect\sametime.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Sametime 7.5.lnk = C:\Program Files\IBM\Sametime Connect\sametime.exe (User 'Default user')
O4 - Startup: Sametime 7.5.lnk = C:\Program Files\IBM\Sametime Connect\sametime.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Sametime MRC 651FP1 - http://americascomm0...gRoomClient.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) - http://americascomm0...STJNILoader.cab
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = treasury.corp.ge.com
O17 - HKLM\Software\..\Telephony: DomainName = treasury.corp.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = treasury.corp.ge.com
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\TNC Client\jTnccService.exe
O23 - Service: ENDFORCE Agent API - ENDFORCE, Inc. - C:\Program Files\ENDFORCE\AgentAPI.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Client Firewall - Sophos Plc - C:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
O23 - Service: Sophos Client Firewall Manager - Sophos Plc - C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 9432 bytes
**********************************************************************
Please let me know if the Troj/Virtum-Gen virus is completely removed, and also the other malware.
Thanks a lot for your help. Appreciate it...