#coin-op#
Registered User
 
Join Date: Apr 2006
Posts: 16
OS: xp


Re: possible Backdoor.PcClient.jhu infection

OK, I've run the CFScript again; here's the new log :)

ComboFix 08-12-07.04 - ANT 2008-12-11 21:45:13.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.215 [GMT 0:00]
Running from: c:\documents and settings\ANT\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ANT\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-09 23:49 . 2008-12-09 23:49 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-07 21:07 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-04 17:32 . 2008-12-04 17:32 250 --a------ c:\windows\gmer.ini
2008-11-30 09:34 . 2008-11-30 09:34 <DIR> d-------- c:\program files\Panda Security
2008-11-26 20:22 . 2008-12-02 14:38 <DIR> d-------- c:\program files\REAPER
2008-11-26 20:22 . 2008-12-03 18:51 <DIR> d-------- c:\documents and settings\ANT\Application Data\REAPER
2008-11-23 19:59 . 2008-12-09 23:49 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-22 15:26 . 2008-11-22 15:41 81 --a------ c:\windows\WB.ini
2008-11-22 15:13 . 2008-11-22 15:13 <DIR> d-------- c:\program files\Stardock
2008-11-22 15:13 . 2007-07-11 15:06 42,672 --a------ c:\windows\system32\wbsys.dll
2008-11-12 17:42 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 17:37 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 21:42 --------- d-----w c:\program files\PeerGuardian2
2008-12-11 21:39 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-10 17:23 --------- d-----w c:\program files\Mozilla Sunbird
2008-12-10 07:44 --------- d-----w c:\documents and settings\ANT\Application Data\foobar2000
2008-12-09 23:49 --------- d-----w c:\program files\Java
2008-12-03 18:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-29 17:54 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 17:54 --------- d-----w c:\program files\SpywareBlaster
2008-11-18 16:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-01 15:43 --------- d-----w c:\program files\AlbumArtDownloader
2008-10-29 21:03 --------- d-----w c:\documents and settings\ANT\Application Data\Mp3tag
2008-10-29 19:02 --------- d-----w c:\program files\Mp3tag
2008-10-25 19:17 --------- d-----w c:\documents and settings\ANT\Application Data\SharePod
2008-10-25 18:23 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-25 18:21 --------- d-----w c:\program files\iPod
2008-10-25 18:10 --------- d-----w c:\documents and settings\ANT\Application Data\Apple Computer
2008-10-25 17:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-08_23.35.51.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-23 19:59:41 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-09 23:49:17 144,792 ----a-w c:\windows\system32\java.exe
- 2008-11-23 19:59:42 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-09 23:49:18 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-11-23 19:59:42 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-09 23:49:18 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-11 17:21:05 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_698.dat
+ 2008-12-11 17:20:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6d4.dat
+ 2008-12-11 17:21:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_8e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"NvMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-03-03 131072]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-06-30 2376928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-08-30 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-11-22 15:15 229376 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CTHelper"=CTHELPER.EXE
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"RTBatteryMeter"=c:\program files\VibrateGameDeviceDriver\RFPIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.1.4449-to-1.6.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.8.4-enGB-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-07 28544]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2004-08-18 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-08-18 19240]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-09 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-09 20560]
R3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
S2 Upsagent;Upsagent - UPS Monitor;c:\progra~1\Upsmon\Upsag_nt.exe []
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys []
S3 FNETNI2K;FNETNI2K Protocol Driver;\??\c:\windows\system32\FNETNI2K.SYS []
S3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16);c:\windows\system32\DRIVERS\hcwPVRP2.sys [2004-12-16 814464]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd4b38f8-6d49-11d9-8339-806d6172696f}]
\shell\play\command - "c:\program files\iTunes\iTunes.exe" /playCD "%L"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: Convert To Image
IE: Download all with iGetter
IE: Download with iGetter
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {3F5168E6-379A-4F8A-8A1F-C5493F27BE69} = 192.168.1.1

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\ANT\Application Data\Mozilla\Firefox\Profiles\1ghrhp4a.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\nptnt.dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(2).dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(3).dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(4).dll
FF -: plugin - c:\program files\Panda Security\ActiveScan 2.0\npwrapper(5).dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 21:48:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2008-12-11 21:49:30
ComboFix-quarantined-files.txt 2008-12-11 21:49:26
ComboFix2.txt 2008-12-09 17:39:56

Pre-Run: 75,920,621,568 bytes free
Post-Run: 75,953,057,792 bytes free

175 --- E O F --- 2008-11-12 18:00:48