Thank you. Here is the ComboFix log.
----------------------------------------------------------------------
ComboFix 07-08-11 - "Norm" 2007-08-11 6:52:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.216 [GMT -7:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\hosts
C:\WINDOWS\install.exe
C:\WINDOWS\rundll32.exe
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_WINDEV-353C-1874
-------\nm
-------\windev-353c-1874
((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))
2007-08-11 06:51 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 06:55 <DIR> d-------- C:\Program Files\CoffeeCup Software
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-09 12:31 --------- d-------- C:\Program Files\LabelCreator Pro
2007-07-03 19:13 --------- d-------- C:\DOCUME~1\Norm\APPLIC~1\AdobeUM
2007-06-28 22:43 --------- d-------- C:\Program Files\Common Files\Macromedia Shared
2007-06-28 22:42 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-24 18:07 --------- d-------- C:\Program Files\Common Files\Download Manager
2007-06-23 05:34 --------- d-------- C:\Program Files\BlueJ
2007-06-13 03:26 --------- d-------- C:\Program Files\Chami
2007-05-16 08:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 08:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 08:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 08:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2006-02-17 15:05 373909 --a------ C:\WINDOWS\inf\DRVDATA.BIN
2006-02-17 15:05 1276768 --a------ C:\WINDOWS\inf\DRVIDX.BIN
2003-12-29 22:23 462 --a------ C:\Program Files\INSTALL.LOG
2003-05-30 23:14 266 --ah----- C:\Program Files\desktop.ini
2003-05-30 23:14 11079 --ah----- C:\Program Files\folder.htt
2002-07-26 18:02 153088 --a------ C:\Program Files\UNWISE.EXE
2001-01-11 14:20 61888 --a------ C:\WINDOWS\inf\WIN2000\KTC111.SYS
2007-01-24 04:33:36 56 --sh--r C:\WINDOWS\system32\D2A98DFF4C.sys
2007-01-24 04:33:42 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 19:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 19:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 19:50]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-01-24 14:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-24 14:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-01-24 14:35]
"Amazing Wallpaper Manager"="C:\WINDOWS\All Space Wallpaper Manager.exe" [1998-09-16 13:15]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-17 20:19]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2003-11-10 17:06]
"PCLEUSBTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 16:42]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 16:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-02-17 11:56:50]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-24 14:22:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoClose"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoSaveSettings"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
R3 atirage3;atirage3;C:\WINDOWS\system32\DRIVERS\atimpae.sys
R3 DCamUSBEMPIA;Dazzle DVC Video Device;C:\WINDOWS\system32\DRIVERS\emDevice.sys
R3 emAudio;Dazzle DVC Audio Device;C:\WINDOWS\system32\drivers\emAudio.sys
R3 FiltUSBEMPIA;USB Device Lower Filter;C:\WINDOWS\system32\DRIVERS\emFilter.sys
R3 ScanUSBEMPIA;USB Still Image Capture Device;C:\WINDOWS\system32\DRIVERS\emScan.sys
S3 As6frin;As6frin;C:\WINDOWS\system32\drivers\http.sys
S3 Imapi Helper;Imapi Helper;"C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>PerUser_MSN_Clean]
C:\WINDOWS\msnmgsr1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AppletsPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\FontsPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptJunglePerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 C:\WINDOWS\INF\mmopt.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptMusicaPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 C:\WINDOWS\INF\mmopt.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptRegisterPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptRobotzPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 C:\WINDOWS\INF\mmopt.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptUtopiaPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 C:\WINDOWS\INF\mmopt.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MotownAvivideoPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MotownMmsysPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MotownMPlayPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MotownRecPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\NetservrPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\OlsAolPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\OlsAttPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\OlsCompuservePerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 C:\WINDOWS\INF\ols.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\OlsMsnPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\OlsPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\OlsProdigyPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUserOldLinks]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_Base]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_Calc_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_CDPlayer_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_CharMap_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 C:\WINDOWS\INF\appletpp.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_ClipBrd_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 C:\WINDOWS\INF\clip.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_CVT_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_DCC_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_DCC_Inis 64 C:\WINDOWS\INF\rna.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_Dialer_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_dxxspace_Links]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 C:\WINDOWS\INF\applets1.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_ICW_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_LinkBar_URLs]
C:\WINDOWS\COMMAND\sulfnbk.exe /L
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_MSBackup_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_MSBackup_Inis 64 C:\WINDOWS\INF\applets1.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_Msinfo]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_Msinfo2]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_MSWordPad_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_netwatch_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 C:\WINDOWS\INF\appletpp.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_Paint_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_RNA_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_Sysmeter_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 C:\WINDOWS\INF\appletpp.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_Sysmon_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 C:\WINDOWS\INF\appletpp.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_Vol]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_winapps_Links]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_winbase_Links]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PerUser_Winpopup_Inis]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection PerUser_Winpopup_Inis_remove 64 C:\WINDOWS\INF\winpopup.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\SetupcPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Shell2PerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ShellPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\TapiPerUser]
rundll.exe C:\WINDOWS\system32\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exeadvpack.dll
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{73fa19d0-2d75-11d2-995d-00c04f98bbc9}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4395}]
rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\system32\ie4uinit.inf,Shell.UserStub,,36
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\system32\updcrl.exe -e -u C:\WINDOWS\system32\verisignpub1.crl
Contents of the 'Scheduled Tasks' folder
2007-07-29 06:00:27 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job
2007-08-04 07:30:00 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job
2007-08-07 05:10:51 C:\WINDOWS\Tasks\Maintenance-ScanDisk.job - C:\WINDOWS\SCANDSKW.EXE
2007-08-09 06:36:50 C:\WINDOWS\Tasks\shutDown.job - C:\batchFiles\shutDown.bat
2007-08-04 08:00:08 C:\WINDOWS\Tasks\shutDownWE.job - C:\batchFiles\shutDown.bat
2007-08-09 05:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SpybotSD.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-08-11 07:00:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-11 7:01:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-11 07:01
--- E O F ---
Next, the ComboFix Quarantine file
-----------------------------------------------------------------------
1999-04-23 23:22 24576 --a------ C:\Qoobox\Quarantine\C\WINDOWS\RUNDLL32.EXE.vir
2005-07-27 14:32 1946855 --a------ C:\Qoobox\Quarantine\C\WINDOWS\INSTALL.EXE.vir
2006-01-09 04:34 395262 --a------ C:\Qoobox\Quarantine\C\WINDOWS\HOSTS.vir
2007-08-11 06:58 1124 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINDEV-353C-1874.reg.cf
2007-08-11 06:58 2750 --a------ C:\Qoobox\Quarantine\Registry_backups\services_windev-353c-1874.reg.cf
2007-08-11 06:58 352 --a------ C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf
Folder PATH listing
Volume serial number is 2834-BF14
C:\QOOBOX
\---Quarantine
    +---C
    |   \---WINDOWS
    |           HOSTS.vir
    |           INSTALL.EXE.vir
    |           RUNDLL32.EXE.vir
    |
    \---Registry_backups
            LEGACY_WINDEV-353C-1874.reg.cf
            services_nm.reg.cf
            services_windev-353c-1874.reg.cf
Finally, the HijackThis log
------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 7:05:07 AM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\All Space Wallpaper Manager.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\downloads\HIJackThis\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cuea.org/index2.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.cuea.org/"); (C:\PROGRAM FILES\NETSCAPE\Users\nheid\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Amazing Wallpaper Manager] C:\WINDOWS\All Space Wallpaper Manager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
Thanks in advance