Thread: Need help with Virus.
View Single Post
Old 10-12-2007, 11:21 AM   #12 (permalink)
MikeMW
Registered User
 
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2


Re: Need help with Virus.
Here is the ComboFix Report;

ComboFix 07-10-10.1 - Lauren Whitby 2007-10-12 11:33:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.569 [GMT -5:00]
Running from: C:\Documents and Settings\Lauren Whitby\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lauren Whitby\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\prx.exe
C:\WINDOWS\prx.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\prx.exe
C:\WINDOWS\prx.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_UT6KUM8U6U2RDH
-------\ut6kum8u6u2rdh


((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))
.

2007-10-10 15:49 <DIR> d-------- C:\Deckard
2007-10-10 12:01 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-10 11:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 16:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-09 10:43 <DIR> d-------- C:\WINDOWS\ShellNew
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Common Files\L&H

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 16:50 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-10-12 16:39 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-10-12 16:39 102,788 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-10-06 19:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-06 19:07 --------- d-----w C:\Program Files\Sony
2007-10-05 22:42 --------- d-----w C:\Program Files\pspvideo9
2007-10-05 22:41 --------- d--h--w C:\Program Files\Zero G Registry
2007-09-18 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-08-20 20:37 --------- d-----w C:\Program Files\AIM Toolbar
2007-08-13 16:42 --------- d-----w C:\Program Files\MySpace
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-30 22:52 25,328 -c----w C:\Documents and Settings\Lauren Whitby\Application Data\GDIPFONTCACHEV1.DAT
2007-05-28 17:48:38 83,968 --sh--r C:\WINDOWS\Web\aolspy.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe" [2002-04-10 03:00]
"RCScheduleCheck"="C:\Program Files\VCOM\Recovery Commander\RCSCHED.exe" [2003-10-21 12:20]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 17:50]
"nwiz"="nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 17:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 15:35]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\qttask.exe" [2006-12-23 18:41]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-06-12 12:32]
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 11:53]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-09-18 17:25]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-09-18 17:25]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-09-18 17:25]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-09-18 17:25]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-09-18 17:25]
"CaPPcl"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe" [2007-09-18 17:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-01 10:55]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 08:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [2003-07-08 09:53 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\system32\drivers\prodrv04.sys
R2 AOL_SpywareServ;AOL Anti-Spyware Service;"C:\WINDOWS\web\aolspy.exe"
R2 DPPSUSB;DPPSUSB.Sys Sony DPP-SV55/77/88 USB Digital Photo Printer Driver;C:\WINDOWS\system32\Drivers\DPPSUSB.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe /service /p medicsp2
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe"
R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\system32\drivers\yacxgc.sys
S2 MZTFUXIY;MZTFUXIY;\??\C:\WINDOWS\System32\mztfuxiy.gew

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53dbe4a9-2cda-11db-ab4d-00e018b959ee}]
AutoRun\command - I:\JDSecure\Windows\JDSecure30.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-09 19:26:44 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Lauren Whitby at 2 25 PM.job"
- C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe
"2007-10-09 03:29:25 C:\WINDOWS\Tasks\Scheduled Checkpoint.job"
- C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-12 11:50:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-12 1206 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-10 13:28
.
--- E O F ---
Attached Files
File Type: txt main.txt (16.6 KB, 1 views)
MikeMW is offline