01-02-2008, 08:33 PM   #4
skattyb
Registered User
 
Join Date: Oct 2007
Posts: 30
OS: xp


Re: trojan downloader

OK, I went through the process and have copied the report and log onto this entry. The only problem I had was that I went to www.hijackthis.com but couldn't find a 'Do a System Scan and save a Logfile' to click on (the last step)... Let me know if there is something I am doing wrong or something else I need to do. Everything appears to be working fine, but like I said, I couldn't figure out the last step. Thanks for the help and below are the report and the log.


SDFix: Version 1.122

Run by Scott M. Bantel on Thu 01/03/2008 at 04:57 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 17:04:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Tue 21 Aug 2007 56 ..SHR --- "C:\WINDOWS\system32\3A178CC52C.sys"
Tue 21 Aug 2007 3,766 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 14 Oct 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 30 Nov 2004 25,600 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Civ Prac\~WRL1267.tmp"
Tue 30 Nov 2004 26,624 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Civ Prac\~WRL2065.tmp"
Tue 30 Nov 2004 24,576 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Civ Prac\~WRL2177.tmp"
Tue 30 Nov 2004 25,088 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Civ Prac\~WRL2582.tmp"
Tue 30 Nov 2004 25,600 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Civ Prac\~WRL3747.tmp"
Tue 10 Jul 2007 28,672 ...H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Family\~WRL1106.tmp"
Wed 14 Sep 2005 20,480 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Financials\~WRL0001.tmp"
Fri 3 Feb 2006 62,976 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Moot Court\~WRL0001.tmp"
Fri 3 Feb 2006 62,976 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Moot Court\~WRL0005.tmp"
Fri 3 Feb 2006 64,512 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Moot Court\~WRL1618.tmp"
Fri 3 Feb 2006 62,976 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Moot Court\~WRL1927.tmp"
Fri 3 Feb 2006 62,976 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Moot Court\~WRL2557.tmp"
Fri 3 Feb 2006 63,488 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Moot Court\~WRL2633.tmp"
Fri 3 Feb 2006 64,512 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Moot Court\~WRL3541.tmp"
Thu 3 Feb 2005 33,280 A..H. --- "C:\Documents and Settings\Scott M. Bantel\My Documents\Resume and Cover letters\~WRL0003.tmp"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 19 Nov 2007 1,356 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Tue 1 Jan 2008 0 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\SCOTTM~1.BAN\LOCALS~1\Temp\9bd9b4hpd9b40.exe"
Thu 11 May 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Scott M. Bantel\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Scott M. Bantel\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Scott M. Bantel\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 21 Apr 2007 8 A..H. --- "C:\Documents and Settings\Scott M. Bantel\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!


ComboFix 08-01-03.4 - Scott M. Bantel 2008-01-03 17:12:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.209 [GMT -5:00]
Running from: C:\Documents and Settings\Scott M. Bantel\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-03 16:52 . 2008-01-03 16:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-01 16:17 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-01 10:48 . 2008-01-01 16:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-01 10:48 . 2008-01-01 04:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-01 10:48 . 2008-01-01 04:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-01 10:48 . 2008-01-01 04:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-01 07:06 . 2008-01-01 07:06 <DIR> d-------- C:\ie-spyad_zo
2008-01-01 07:03 . 2008-01-01 07:03 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-01 07:03 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-01 05:38 . 2008-01-01 05:38 <DIR> d-------- C:\Deckard
2007-12-19 08:11 . 2007-12-19 08:11 23,405,072 --a------ C:\Program Files\AdbeRdr811_en_US.exe
2007-12-19 08:10 . 2007-12-19 08:10 711,024 --a------ C:\Program Files\DE04.ZIP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 21:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-01-01 21:27 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-01 21:25 --------- d-----w C:\Program Files\iTunes
2008-01-01 21:24 --------- d-----w C:\Program Files\GoogleAFE
2008-01-01 21:24 --------- d-----w C:\Program Files\Google
2008-01-01 21:24 --------- d-----w C:\Program Files\ESPNRunTime
2008-01-01 21:23 --------- d-----w C:\Program Files\DIGStream
2008-01-01 21:23 --------- d-----w C:\Program Files\Digital Line Detect
2008-01-01 21:18 --------- d-----w C:\Program Files\Apoint
2008-01-01 21:18 --------- d-----w C:\Program Files\AIM6
2008-01-01 10:41 --------- d-----w C:\Program Files\Trend Micro
2007-11-23 21:53 --------- d-----w C:\Program Files\iPod
2007-11-23 21:51 --------- d-----w C:\Program Files\QuickTime
2007-11-14 12:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 03:09 4,452 ----a-w C:\WINDOWS\system32\tmp.reg
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-10-04 04:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2006-02-16 23:03 405,568 ----a-w C:\Program Files\AOLDNLD.exe
2006-01-25 13:57 1,696 ----a-w C:\Program Files\main.ini
2006-01-25 13:57 1,001,064 ----a-w C:\Program Files\aolsetup.exe
2007-08-21 16:27 56 --sh--r C:\WINDOWS\system32\3A178CC52C.sys
2007-08-21 16:27 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-03_16.31.59.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-02 08:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-03 21:52:28 4,206,592 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-03 21:52:28 172,032 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-02 08:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-03 21:52:14 4,206,592 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-03 21:52:14 172,032 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 19:39 176201]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20 50528]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 04:43 413775]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-01-31 17:35 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43 83608]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 21:05 339968]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:30 823362]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-08 02:09 168448]
"HostManager"="C:\Program Files\Common Files\AOL\1140131099\ee\AOLSoftware.exe" [2006-05-09 19:24 50760]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 11:05 278528]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 11:18 101888]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-03 09:28 180269]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59 124520]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]

C:\Documents and Settings\Scott M. Bantel\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-10-13 08:54:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-02-08 01:59:48]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-02-08 01:55:11]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 01:22:40]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 13:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

R2 HPFECP13;HPFECP13;C:\WINDOWS\system32\drivers\HPFECP13.SYS [1999-04-09 02:07]
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-01-29 00:39]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 19:52:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 17:13:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 17:13:54
ComboFix-quarantined-files.txt 2008-01-03 22:13:38
ComboFix2.txt 2008-01-03 21:32:18
.
2007-12-12 08:04:36 --- E O F ---