ComboFix Log
ComboFix 08-07-09.5 - Ibrar Javed 2008-07-10 20:18:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.409 [GMT 5:00]
Running from: C:\Documents and Settings\Ibrar Javed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ibrar Javed\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\ismhasrv.exe
C:\WINDOWS\system32\mnmhhsrv.dll
C:\WINDOWS\system32\smmhbsrv.sys
.
((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.
2008-07-10 12:24 . 2008-07-10 12:24 <DIR> d-------- C:\directory
2008-07-02 16:32 . 2008-07-02 16:32 <DIR> d----c--- C:\Program Files\Lavasoft
2008-07-02 16:32 . 2008-07-10 12:31 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-01 19:26 . 2008-07-10 12:31 <DIR> d----c--- C:\Program Files\Spyware Doctor
2008-07-01 19:26 . 2008-07-09 11:57 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-01 15:57 . 2008-07-01 15:57 <DIR> d----c--- C:\Deckard
2008-07-01 15:53 . 2008-07-01 15:54 <DIR> d----c--- C:\Program Files\Panda Security
2008-06-11 18:12 . 2008-06-13 18:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 19:40 . 2008-06-26 18:08 <DIR> d----c--- C:\SiteDirectory
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 15:31 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-10 14:48 9,728 ----a-w C:\WINDOWS\AppPatch\AclLayer.dll
2008-07-10 07:29 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-07-10 07:29 --------- dc----w C:\Program Files\IBMHttpServer
2008-07-10 07:26 --------- dc----w C:\Program Files\ibm
2008-07-07 11:36 --------- dc----w C:\Documents and Settings\Ibrar Javed\Application Data\SQLyog
2008-07-02 11:30 --------- dc----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-30 06:48 14,336 ----a-w C:\WINDOWS\AppPatch\DesktopWin.dll
2008-06-24 07:15 --------- dc----w C:\Documents and Settings\Ibrar Javed\Application Data\Skype
2008-06-24 06:55 --------- dc----w C:\Documents and Settings\Ibrar Javed\Application Data\skypePM
2008-06-17 13:47 --------- dc----w C:\Program Files\OpenOffice.org 2.3
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 20:59 --------- dc----w C:\Program Files\Windows Live
2008-06-05 11:56 --------- dc----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-05 09:45 --------- dc----w C:\Program Files\Windows Live Toolbar
2008-06-05 09:45 --------- dc----w C:\Program Files\Windows Live Favorites
2008-06-05 09:32 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-05 09:18 --------- dc----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-31 11:23 --------- dc----w C:\Program Files\AviSynth 2.5
2008-05-31 11:21 --------- dc----w C:\Program Files\eRightSoft
2008-05-16 14:30 --------- dc----w C:\Documents and Settings\Ibrar Javed\Application Data\SSH
2008-05-15 07:04 --------- dc----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 10:33 100,264 -c--a-w C:\Documents and Settings\Ibrar Javed\DimdimSetup.exe
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-11-29 16:02 32 -c--a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-10-31 11:36 11,549 -c--a-w C:\Documents and Settings\Ibrar Javed\ntuserdirect.dat
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2004-08-08 10:02 538,632 --sh--w C:\WINDOWS\system32\hdf453d1.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
2004-08-08 10:01 1,040 --sh--w C:\WINDOWS\system32\xscqbhlp.sys
2004-08-08 10:01 20,049 --sh--w C:\WINDOWS\system32\zscqahlp.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-10_19.47.55.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-10 12:??:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-10 15:24:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-10 12:11:16 228,510 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-07-10 15:28:17 228,506 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-07-10 15:24:38 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2f4.dat
+ 2008-07-10 15:24:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_678.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA59145F-315D-BC23-AC1F-145DF81A34AA}]
2004-08-08 20:40 537608 ---hs---- C:\WINDOWS\system32\zyzxjime.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 10:32 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-25 10:29 77824]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 10:32 114688]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.EXE" [2006-10-11 15:38 3335944]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 18:40 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 18:38 688218]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-25 05:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-27 13:40 124656]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-06 13:56 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"fssui"="C:\Program Files\Windows Live\Family Safety\fssui.exe" [2007-12-17 11:12 243240]
"MsmqIntCert"="mqrt.dll" [2007-07-06 17:46 177152 C:\WINDOWS\system32\mqrt.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 11:20 88363 C:\WINDOWS\AGRSMMSG.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 19:48 434528]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-04-07 01:42:52 217190]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-08-16 11:56:00 577597]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]
VPN Client.lnk - C:\WINDOWS\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2006-08-17 16:10:37 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{C629FF4F-ACDB-5C90-A098-FACB3456A26C}"= "C:\WINDOWS\system32\hdf453d1.dll" [2004-08-08 15:02 538632]
"{8C8D1401-A58D-A81C-CD24-A5915C4517C8}"= "C:\WINDOWS\system32\mnmhhsrv.dll" [2004-08-08 20:35 539144]
"{7FD45A54-9875-698F-E56E-65102358FDF7}"= "C:\WINDOWS\system32\apsggjba.dll" [2004-08-08 20:36 537608]
"{470165F1-9F65-569F-F895-F14F58F41074}"= "C:\WINDOWS\system32\lofsdjbo.dll" [2004-08-08 20:36 534024]
"{8A041F13-A111-12A3-B0CF-F99818AA68A8}"= "C:\WINDOWS\system32\zxmsewin.dll" [2004-08-08 20:38 536584]
"{45671234-7890-ABCD-CDEF-567801237654}"= "C:\WINDOWS\system32\yxcsdhlp.dll" [2004-08-08 20:39 534024]
"{2A698452-C5D8-C584-C256-C264C987C5A2}"= "C:\WINDOWS\system32\ijdybpaw.dll" [2004-08-08 20:40 535048]
"{AA59145F-315D-BC23-AC1F-145DF81A34AA}"= "C:\WINDOWS\system32\zyzxjime.dll" [2004-08-08 20:40 537608]
"{14698742-2059-3025-9058-954023874141}"= "C:\WINDOWS\system32\jkhxaklo.dll" [2004-08-08 20:40 537096]
"{A1954FAC-1023-154F-895A-1458258AD81A}"= "C:\WINDOWS\system32\ypdjhbmp.dll" [2004-08-08 20:41 537608]
"{9319A1F1-9410-9654-3201-345FFA349139}"= "C:\WINDOWS\system32\zywmiime.dll" [2004-08-08 20:41 538120]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DesktopWin"= {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll [2008-06-30 11:48 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\j2sdk1.4.2_10\\bin\\java.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\ibm\\WebSphere MQ\\bin\\runmqlsr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"D:\\F1 2002\\f1_2002.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"C:\\Program Files\\UltraVNC\\vncviewer.exe"=
"C:\\Program Files\\UltraVNC\\winvnc.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Java\\jdk1.5.0_12\\bin\\javaw.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R2 afpa;afpa;C:\WINDOWS\system32\drivers\afpa.sys [2003-10-10 01:29]
R2 fssfltr;FssFltr;C:\WINDOWS\system32\DRIVERS\fssfltr.sys [2007-10-17 13:53]
R2 fsssvc;Windows Live OneCare Family Safety;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2007-12-17 11:13]
R2 HttpAnalyzerV3 DllInjectService;HttpAnalyzerV3 CodeHook service;C:\Program Files\IEInspector\HTTPAnalyzerFullV3\InjectWinSockServiceV3.exe [2008-01-05 23:03]
R2 paldrv;paldrv;C:\WINDOWS\system32\pal_drv.sys [2007-02-12 02:19]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
R3 eth8023;eth8023;C:\WINDOWS\system32\drivers\eth8023.sys [2008-07-10 20:39]
S2 MSSQL$ASCENTCAPTURE;MSSQL$ASCENTCAPTURE;C:\Program Files\Ascent\Server\MSSQL$ASCENTCAPTURE\Binn\sqlservr.exe []
S3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys []
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\system32\DRIVERS\CSVirtA.sys [2008-01-14 16:55]
S3 ES-620;Edisonsoft ES-620 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\ES-620.sys [2003-04-17 14:42]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 SQLAgent$ASCENTCAPTURE;SQLAgent$ASCENTCAPTURE;C:\Program Files\Ascent\Server\MSSQL$ASCENTCAPTURE\Binn\sqlagent.EXE []
S3 Tomcat5;Apache Tomcat;d:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe [2007-03-05 20:26]
S3 VSPerfDrv;Performance Tools Driver;d:\Program Files\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [2005-09-23 02:42]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 07:01]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25c046d8-3365-11dc-bd2d-0014381afade}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{509731d2-84b0-11dc-bd47-00150002263f}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc73a547-b59d-11da-b8c7-a79975c87d6c}]
\Shell\AutoRun\command - F:\udr.com
\Shell\explore\Command - F:\udr.com
\Shell\open\Command - F:\udr.com
*Newly Created Service* - CDRALW
*Newly Created Service* - ETH8023
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-07-10 20:25:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\fzmsbwin.sys 520 bytes
C:\WINDOWS\system32\ijsgajba.sys 36 bytes
C:\WINDOWS\system32\ismhasrv.exe 18970 bytes executable
C:\WINDOWS\system32\apsggjba.dll 537608 bytes executable
C:\WINDOWS\system32\xbfsbjbo.sys 520 bytes
C:\WINDOWS\system32\xsdjbbmp.sys
C:\WINDOWS\system32\xzcsbhlp.sys 520 bytes
C:\WINDOWS\system32\ypdjhbmp.dll
C:\WINDOWS\system32\yxcsdhlp.dll 517120 bytes executable
C:\WINDOWS\system32\zxcsahlp.exe
C:\WINDOWS\system32\zxmsewin.dll 536584 bytes executable
C:\WINDOWS\system32\zywmiime.dll
C:\WINDOWS\system32\zyzxjime.dll 104960 bytes executable
scan completed successfully
hidden files: 14
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebSphereEmbeddedMessagingPublishAndSubscribeWAS_ibrarlaptop_server1]
"ImagePath"="C:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cdralw]
"ImagePath"="system32\DRIVERS\nvmini.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebSphereEmbeddedMessagingPublishAndSubscribeWAS_ibrarlaptop_server1]
"ImagePath"="C:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\AppPatch\AclLayer.dll
-> C:\WINDOWS\AppPatch\AcXtrnel.bpl
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\SSL VPN Client\Agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
.
**************************************************************************
.
Completion time: 2008-07-10 21:01:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-10 16:00:20
ComboFix2.txt 2008-07-10 14:48:21
Pre-Run: 2,304,978,944 bytes free
Post-Run: 2,252,300,288 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
265 --- E O F --- 2008-06-30 22:05:43
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:58 PM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\IEInspector\HTTPAnalyzerFullV3\InjectWinSockServiceV3.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cobra:6588
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 202.165.102.205 w3og.cn
O1 - Hosts: 203.208.35.100 qazc.fourtw.cn
O1 - Hosts: 203.208.35.100 www.aujoy.cn
O1 - Hosts: 203.208.35.101 www.hao601.cn
O1 - Hosts: 203.208.35.101 www.psp476.cn
O1 - Hosts: 72.14.235.99 222.1212l112.net
O1 - Hosts: 72.14.235.99 444.1212l112.netn
O1 - Hosts: 72.14.235.99 555.1212l112.net
O1 - Hosts: 72.14.235.99 111.1212l112.net
O1 - Hosts: 65.55.21.250 111.3243l24.com
O1 - Hosts: 65.55.21.250 222.3243l24.com
O1 - Hosts: 65.55.21.250 333.3243l24.com
O1 - Hosts: 125.64.8.112 kao2.gmwo03.com
O1 - Hosts: 125.64.8.112 kao.gmwo06.com
O1 - Hosts: 125.64.8.112 444.gmwo07.com
O1 - Hosts: 116.252.185.15 ru.update365.us
O1 - Hosts: 116.252.185.15 ad.update365.us
O1 - Hosts: 207.46.232.182 popmails.net
O1 - Hosts: 203.208.37.99 3.goodhh.com
O1 - Hosts: 220.181.37.55 down.rwixr.com
O1 - Hosts: 160.79.42.52 www.xdj2008.com
O1 - Hosts: 63.175.76.152 www.revtr.cn
O1 - Hosts: 219.133.40.91 qq.ljsll.com
O1 - Hosts: 203.208.35.102 www.aassccwe.cn
O1 - Hosts: 209.132.177.50 973.aksjd11.com
O1 - Hosts: 209.132.177.50 974.aksjd11.com
O1 - Hosts: 209.132.177.50 971.aksjd11.com
O1 - Hosts: 209.132.177.50 975.aksjd11.com
O1 - Hosts: 72.14.235.104 user1.12-39.net
O1 - Hosts: 72.14.235.147 www.infomt.net
O1 - Hosts: 192.150.18.101 ata1.sysions.net
O1 - Hosts: 192.150.18.101 ata2.sysions.net
O1 - Hosts: 192.150.18.101 ata3.sysions.net
O1 - Hosts: 192.150.18.101 ata4.sysions.net
O1 - Hosts: 193.120.42.226 8nnnnn99.cn
O1 - Hosts: 24.39.54.34 www.haoaoao.cn
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: zyzxjime.dll - {AA59145F-315D-BC23-AC1F-145DF81A34AA} - C:\WINDOWS\system32\zyzxjime.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: IE HTTPAnalyzer V3 - {3B28142E-6D05-47AB-A263-0556C785EBB4} - C:\PROGRA~1\IEINSP~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra 'Tools' menuitem: IE HTTPAnalyzer V3 - {3B28142E-6D05-47AB-A263-0556C785EBB4} - C:\PROGRA~1\IEINSP~1\HTTPAN~1\IEHTTP~1.DLL
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://vpn.behr.com/CACHE/webvpn/st...ies/stcweb.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://portal.xelleration.com/Projec...33/pjcintl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://xelleration.webex.com/client...ex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lgac.local
O17 - HKLM\Software\..\Telephony: DomainName = lgac.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{10A24A8C-20AB-4731-AC09-C953C60D18F2}: NameServer = 192.168.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C032C55-C770-4C92-AD92-8A4A54835C88}: NameServer = 192.168.0.1,192.168.0.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lgac.local
O18 - Protocol: HTLFP - (no CLSID) - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vfsp - (no CLSID) - (no file)
O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HttpAnalyzerV3 CodeHook service (HttpAnalyzerV3 DllInjectService) - Unknown owner - C:\Program Files\IEInspector\HTTPAnalyzerFullV3\InjectWinSockServiceV3.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSQL$ASCENTCAPTURE - Unknown owner - C:\Program Files\Ascent\Server\MSSQL$ASCENTCAPTURE\Binn\sqlservr.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SQLAgent$ASCENTCAPTURE - Unknown owner - C:\Program Files\Ascent\Server\MSSQL$ASCENTCAPTURE\Binn\sqlagent.EXE (file missing)
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - d:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_ibrarlaptop_server1 (WebSphereEmbeddedMessagingPublishAndSubscribeWAS_ibrarlaptop_server1) - Unknown owner - C:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/IBRARJ~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg
--
End of file - 15840 bytes