11-02-2008, 04:36 PM   #5
ppayzant
Registered User
Join Date: Mar 2007
Posts: 66
OS: winxp


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Okay, that was fun. It didn't go exactly as described when I tried to load the Windows Recovery Console from my CD, but then I followed the directions for getting it from the MS web site, and it seemed to work. Here's the ComboFix log and btw, I was also happy to make a PayPal contribution:

ComboFix 08-11-02.03 - Phil & Cindy 2008-11-02 19:21:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.619 [GMT -4:00]
Running from: C:\Documents and Settings\Phil & Cindy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Phil & Cindy\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
Error: Cfolders.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.

2008-11-02 16:07 . 2008-11-02 16:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-02 16:07 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-11-02 16:07 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-11-01 13:10 . 2008-11-01 13:10 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-11-01 13:09 . 2008-11-01 13:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-11-01 13:09 . 2008-11-01 15:03 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-11-01 12:58 . 2008-11-01 12:58 <DIR> d-------- C:\Games
2008-11-01 12:33 . 2008-11-01 12:33 <DIR> d-------- C:\Program Files\iTunes
2008-11-01 12:33 . 2008-11-01 12:33 <DIR> d-------- C:\Program Files\iPod
2008-11-01 12:33 . 2008-11-01 12:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-01 12:32 . 2008-11-01 12:32 <DIR> d-------- C:\Program Files\Bonjour
2008-11-01 12:30 . 2008-11-01 12:31 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-11-01 12:30 . 2008-11-01 12:30 <DIR> d-------- C:\Program Files\Apple Software Update
2008-10-30 18:40 . 2008-11-02 15:57 141 --a------ C:\WINDOWS\system32\09wutili.sys
2008-10-30 18:39 . 2008-10-30 18:50 <DIR> d-------- C:\Program Files\WinUtilities
2008-10-29 19:59 . 2008-10-29 20:04 <DIR> d-------- C:\Documents and Settings\Phil & Cindy\Application Data\PowerHouse
2008-10-28 22:24 . 2008-10-28 22:24 <DIR> d-------- C:\Documents and Settings\Phil & Cindy\Application Data\TrojanHunter
2008-10-28 22:24 . 2008-10-28 22:24 <DIR> d-------- C:\Documents and Settings\Phil & Cindy\Application Data\Malwarebytes
2008-10-28 22:24 . 2008-10-28 22:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-10-28 22:11 . 2008-10-28 22:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-10-28 19:51 . 2008-10-29 18:36 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-10-27 14:58 . 2008-10-27 14:58 7,630 --a------ C:\WINDOWS\extend.dat
2008-10-26 18:34 . 2008-10-26 18:35 <DIR> d-------- C:\rsit
2008-10-24 16:08 . 2008-10-24 16:08 <DIR> d-------- C:\Program Files\MagicScore Music Software
2008-10-24 07:57 . 2008-10-15 12:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-23 21:48 . 2008-10-23 21:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-23 21:41 . 2008-10-25 20:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-10-23 20:18 . 2008-10-23 20:18 2,302,017 --a------ C:\WINDOWS\system32\GPhotos.scr
2008-10-23 19:16 . 2008-10-29 19:21 <DIR> d-------- C:\Program Files\Panda Security
2008-10-21 20:38 . 2008-10-21 20:38 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
2008-10-21 19:13 . 2008-10-21 19:13 <DIR> d-------- C:\Program Files\Machinist2DLL
2008-10-21 18:57 . 2008-10-21 19:43 <DIR> d-------- C:\Program Files\DVDneXtCOPY2
2008-10-21 18:57 . 2008-10-21 18:57 <DIR> d-------- C:\Program Files\Common Files\DVDnextCOPY2
2008-10-21 18:57 . 2008-10-21 18:57 <DIR> d-------- C:\Program Files\Common Files\DistributeShield
2008-10-21 18:57 . 2008-10-21 18:57 <DIR> d-------- C:\DVDneXtCopy
2008-10-15 06:53 . 2008-09-08 06:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 06:52 . 2008-08-14 06:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 06:52 . 2008-08-14 06:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 06:52 . 2008-08-14 05:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 06:52 . 2008-08-14 05:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 06:52 . 2008-09-15 08:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-06 18:45 . 2008-10-06 18:45 <DIR> d-------- C:\Documents and Settings\Phil & Cindy\Application Data\SlySoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-02 20:06 --------- d-----w C:\Documents and Settings\Phil & Cindy\Application Data\skypePM
2008-11-02 20:06 --------- d-----w C:\Documents and Settings\Phil & Cindy\Application Data\Skype
2008-11-01 16:31 --------- d-----w C:\Program Files\QuickTime
2008-10-29 22:32 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-10-29 17:00 --------- d-----w C:\Program Files\a-squared Anti-Malware
2008-10-26 00:46 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-26 00:38 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-10-23 22:09 --------- d-----w C:\Program Files\Canon
2008-10-23 21:55 --------- d-----w C:\Documents and Settings\Phil & Cindy\Application Data\Canon
2008-10-23 10:13 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-10-23 10:00 --------- d-----w C:\Program Files\Troll
2008-10-23 02:02 --------- d-----w C:\Program Files\Theseus and the Minotaur
2008-10-23 00:58 --------- d-----w C:\Program Files\Super Cubes
2008-10-23 00:58 --------- d-----w C:\Program Files\IObit
2008-10-23 00:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-23 00:57 --------- d-----w C:\Program Files\Rock Legend
2008-10-23 00:56 --------- d-----w C:\Program Files\Realore
2008-10-23 00:54 --------- d-----w C:\Program Files\Jets'n'Guns GOLD
2008-10-23 00:50 --------- d-----w C:\Program Files\Astro Avenger 2
2008-10-23 00:50 --------- d-----w C:\Program Files\Around the World in 80 Days
2008-10-22 01:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-22 00:38 --------- d-----w C:\Program Files\Google
2008-10-17 22:51 30 ----a-w C:\Documents and Settings\Phil & Cindy\jagex_runescape_preferences.dat
2008-10-06 23:22 --------- d-----w C:\Program Files\SlySoft
2008-09-28 15:45 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-09-23 23:04 --------- d-----w C:\Program Files\Atomic Alarm Clock
2008-09-21 17:08 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-09-21 17:08 --------- d--h--r C:\Documents and Settings\Phil & Cindy\Application Data\SecuROM
2008-09-18 09:43 --------- d-----w C:\Program Files\Marble Arena
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-14 23:26 --------- d-----w C:\Program Files\InterActual
2008-09-08 23:31 --------- d-----w C:\Program Files\AutoHotkey
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-29 13:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 12:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-28 07:46 74,752 ----a-w C:\WINDOWS\system32\msw3prt.dll
2008-08-28 07:46 104,960 ----a-w C:\WINDOWS\system32\win32spl.dll
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-05-25 13:31 0 ----a-w C:\Program Files\temp01
2008-03-27 22:13 32 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2006-08-15 20:14 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-04-26 21:58 80 --sh--r C:\WINDOWS\system32\FF802AC291.dll
2007-02-11 19:43 624,725 --sha-w C:\WINDOWS\system32\rsetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 21898024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"SkinClock"="C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-11 1739264]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [2005-06-02 1957888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-10-19 2782352]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 86016]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"nwiz"="nwiz.exe" [2006-10-22 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-13 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

C:\Documents and Settings\Phil & Cindy\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-16 51984]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2006-05-22 581632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2001-10-01 6144]
S3 KProcWatch;KProcWatch;C:\WINDOWS\system32\drivers\KProcWatch.sys [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-11-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Phil & Cindy\Application Data\Mozilla\Firefox\Profiles\rjz2yl4p.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 19:22:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-02 19:25:17
ComboFix-quarantined-files.txt 2008-11-02 23:24:58
ComboFix2.txt 2007-05-16 21:21:15

Pre-Run: 53,934,850,048 bytes free
Post-Run: 54,182,699,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

200 --- E O F --- 2008-11-01 19:04:12
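A way to triage a log like the one above mechanically, as an added example that is not part of ppayzant's post and not ComboFix's own code: the script parses the two file-listing formats ComboFix emits (the "Files Created" lines with a created and a modified timestamp, and the "Find3M" lines with a single timestamp) and flags entries a helper would usually look at first. The sample lines are copied verbatim from the log above. The meaning of the attribute letters (`d` directory in the first column, `h` hidden, `s` system) is inferred from the entries themselves, and the 1 KiB "too small to be a PE" threshold is a triage assumption, not a rule; a flagged entry is a candidate for a closer look (hash lookup, signature check), not a verdict.

```python
"""Triage helper for ComboFix file-listing lines (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches both listing styles seen in the log:
#   2008-11-02 16:07 . 2008-10-22 16:10 38,496 --a------ C:\...   ("Files Created")
#   2008-09-21 17:08 107,888 ----a-w C:\...                       ("Find3M")
#   2008-11-02 20:06 --------- d-----w C:\...                      (Find3M directory)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size><DIR>|-+|[\d,]+)"
    r"\s+(?P<attrs>[d-][a-z-]{6,8})"
    r"\s+(?P<path>.+?)\s*$"
)

# Assumption: attribute letters mean 'd' directory, 'h' hidden, 's' system
# (inferred from entries such as 'd--h--w' on a hidden directory and '--sh--r').
PE_EXTENSIONS = (".dll", ".exe", ".sys", ".scr")
MIN_PLAUSIBLE_PE = 1024  # bytes; triage threshold, an assumption of this example
SYSTEM_DIR_MARKER = "\\windows\\system32\\"


@dataclass
class Entry:
    created: str
    modified: Optional[str]
    size: Optional[int]   # None for directories and for the '---------' placeholder
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs[1:]

    @property
    def system(self) -> bool:
        return "s" in self.attrs[1:]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file-listing line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    size_txt = m["size"]
    if size_txt == "<DIR>" or set(size_txt) == {"-"}:
        size = None
    else:
        size = int(size_txt.replace(",", ""))
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def triage(entry: Entry) -> List[str]:
    """Heuristic reasons an entry deserves a closer look (empty list = nothing notable)."""
    reasons = []
    lower = entry.path.lower()
    if not entry.is_dir and SYSTEM_DIR_MARKER in lower and (entry.hidden or entry.system):
        reasons.append("hidden/system attribute on a file under system32")
    if entry.size is not None and entry.size < MIN_PLAUSIBLE_PE and lower.endswith(PE_EXTENSIONS):
        reasons.append(f"PE extension but only {entry.size} bytes")
    return reasons


def triage_report(text: str) -> Dict[str, List[str]]:
    """Map path -> reasons for every flagged line in a block of ComboFix output."""
    report = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            report[entry.path] = reasons
    return report


# Sample input: lines copied from the log above (both listing styles).
SAMPLE_LINES = r"""
2008-11-02 16:07 . 2008-11-02 16:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-02 16:07 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-30 18:40 . 2008-11-02 15:57 141 --a------ C:\WINDOWS\system32\09wutili.sys
2008-10-23 00:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-21 17:08 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-05-25 13:31 0 ----a-w C:\Program Files\temp01
2007-04-26 21:58 80 --sh--r C:\WINDOWS\system32\FF802AC291.dll
2007-02-11 19:43 624,725 --sha-w C:\WINDOWS\system32\rsetup.exe
"""

if __name__ == "__main__":
    for path, reasons in triage_report(SAMPLE_LINES).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it on the full log by piping the "Files Created" and "Find3M" sections into `triage_report`; the two rules are deliberately narrow (hidden or system files under system32, and tiny files with executable extensions) so that the ordinary Program Files churn in a log like this one stays out of the way.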