12-11-2008, 11:15 PM   #6
Kibure
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: XP Home


Re: Only Affecting attempts to fix

Quote:
Originally Posted by Angelfire777
Can you re-post all the contents of C:\Combofix.txt please.

Certainly

ComboFix 08-12-11.04 - Owner 2008-12-11 20:47:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.34 [GMT -8:00]
Command switches used :: c:\documents and settings\Owner\Desktop\Lobby\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\TDSSmqxt.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.log

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.

2008-12-10 13:50 . 2008-12-10 13:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
2008-12-09 15:31 . 2008-12-09 15:34 1,374 --a------ c:\windows\imsins.BAK
2008-12-04 22:40 . 2008-12-04 22:40 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 22:07 . 2008-12-04 22:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-04 22:07 . 2008-12-04 22:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 21:07 . 2008-12-04 21:07 <DIR> d-------- c:\program files\Lavasoft
2008-12-04 21:07 . 2008-12-04 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-04 21:06 . 2008-12-04 21:06 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-04 14:41 . 2008-12-04 14:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 14:41 . 2008-12-04 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 14:41 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 14:41 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 14:30 . 2008-12-04 14:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks
2008-12-04 14:30 . 2008-12-04 14:30 <DIR> d-------- c:\documents and settings\Administrator
2008-11-28 01:37 . 2008-11-28 01:37 <DIR> d-------- c:\documents and settings\Albany Inn\Application Data\Juniper Networks
2008-11-28 01:36 . 2008-11-28 01:37 <DIR> d-------- c:\documents and settings\Albany Inn
2008-11-27 08:57 . 2008-12-04 16:20 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-26 10:52 . 2008-11-29 04:43 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-26 10:52 . 2008-11-26 10:52 <DIR> d-------- c:\program files\AVG
2008-11-26 10:52 . 2008-11-29 16:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-26 10:52 . 2008-11-26 10:52 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-26 10:52 . 2008-11-26 10:52 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-26 10:52 . 2008-11-26 10:52 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-25 13:57 . 2008-04-13 16:12 26,112 --a------ c:\windows\system32\stu2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 05:21 --------- d-----w c:\program files\GameHouse
2008-11-26 20:44 --------- d-----w c:\program files\Symantec
2008-11-26 20:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-26 19:14 --------- d-----w c:\program files\Shockwave.com
2008-11-26 19:01 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-26 18:59 --------- d-----w c:\program files\MySpace
2008-11-22 17:56 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-17 08:40 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-06-03 14:01 724,984 ----a-w c:\documents and settings\Owner\gotomypc_437.exe
2007-01-13 17:02 32 ----a-r c:\documents and settings\All Users\hash.dat
2006-11-28 23:50 563,712 ----a-w c:\documents and settings\Owner\gotomypc_370.exe
2008-08-11 03:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081020080811\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-09-13 4621816]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MS AntiSpyware 2009"="c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" [2008-12-10 1110016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv50"= c:\windows\ir50_32.dll
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.MJPG"= c:\windows\m3jpeg32.dll
"vidc.dmb1"= c:\windows\m3jpeg32.dll
"vidc.GEOX"= c:\windows\system32\GeoCodec.dll
"vidc.GM20"= c:\windows\system32\GXGM20.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-11-27 02:04 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 09:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
-ra------ 2005-02-03 18:38 1851392 c:\program files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"spkrmon"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-26 97928]
R1 NEOFLTR_550_12491;Juniper Networks TDI Filter Driver (NEOFLTR_550_12491);\??\c:\windows\system32\Drivers\NEOFLTR_550_12491.SYS [2007-12-25 64144]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-26 76040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1549de56-b82b-11dd-9212-0011115ceff6}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5e13a39-242e-11db-90f7-0011115ceff6}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eade6503-c458-11dc-919b-0011115ceff6}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-InstallProgram - c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4BQ6S1ZM\setup_110065_3_[1].exe
MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.albany-inn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore

c:\windows\Downloaded Program Files\popcaploader.dll - O16 -: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--7ef977fe-1f6b-4bbb-8939-8242fed46ce9/online/zuma_new/en/popcaploader_v10.cab
c:\windows\Downloaded Program Files\popcaploader.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 21:12:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-12-11 21:22:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-12 05:20:40

Pre-Run: 26,533,019,648 bytes free
Post-Run: 27,059,105,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

196 --- E O F --- 2008-12-09 23:35:16
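A triage script for logs like the one above, added here as an example: it is not part of the post and not ComboFix's own logic, and its rules, rule names and the condensed sample log are my own constructions (the sample reuses the paths from the post unchanged). It splits ComboFix output on the "(((( ... ))))" section headers and flags what a reviewer would pick out of this particular log: files and services named TDSS*, the "is infected!!" line for userinit.exe, a Run entry and an orphaned Run entry launching from Application Data or Temporary Internet Files, the Security Center AntiVirusOverride flag, and per-device AutoRun commands under mountpoints2.

```python
"""Triage a ComboFix log: split it into its sections and flag the indicators
a reviewer would pick out of the post above. Added example with hand-written
rules (assumed names such as 'tdss-file' are mine); not ComboFix's own logic."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")      # (((( Other Deletions ))))
REG_KEY_RE = re.compile(r"^\[(.+)\]$")               # [HKEY_...\Run]
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|dword:([0-9a-fA-F]{8})|.*)')
# Locations a legitimate Run entry rarely launches from; rogue installers do.
SUSPECT_DIRS = ("\\application data\\", "\\temporary internet files\\",
                "\\local settings\\", "\\temp\\")

# Constructed sample: a condensed copy of the log in the post (paths unchanged).
SAMPLE_LOG = r"""
ComboFix 08-12-11.04 - Owner 2008-12-11 20:47:54.1 - NTFSx86
((((((((((((((((((( Other Deletions )))))))))))))))))))
.
c:\windows\system32\drivers\TDSSmqxt.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\userinit.exe . . . is infected!!
.
((((((((((((((((((( Drivers/Services )))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((( Reg Loading Points )))))))))))))))))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MS AntiSpyware 2009"="c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" [2008-12-10 1110016]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1549de56-b82b-11dd-9212-0011115ceff6}]
\Shell\AutoRun\command - E:\LaunchU3.exe
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-InstallProgram - c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4BQ6S1ZM\setup_110065_3_[1].exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str      # "high" or "info"
    evidence: str


def parse_sections(text):
    """Return {section name: [lines]}, dropping blanks and ComboFix's '.' filler."""
    current, sections = "header", {"header": []}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def _in_suspect_dir(path):
    return any(d in path.lower() for d in SUSPECT_DIRS)


def triage(text):
    sections = parse_sections(text)
    found = []
    for line in sections.get("Other Deletions", []):
        if "is infected" in line.lower():
            # ComboFix found a core Windows binary modified in place.
            found.append(Finding("patched-system-binary", "high", line))
        elif line.rsplit("\\", 1)[-1].lower().startswith("tdss"):
            found.append(Finding("tdss-file", "high", line))
    for line in sections.get("Drivers/Services", []):
        if "tdss" in line.lower():
            found.append(Finding("tdss-service", "high", line))
    key = ""
    for line in sections.get("Reg Loading Points", []):
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
        elif line.startswith(("HKCU-Run-", "HKLM-Run-")) and " - " in line:
            # Orphaned autostarts are printed as "HKCU-Run-<name> - <path>".
            name, path = line.split(" - ", 1)
            if _in_suspect_dir(path):
                found.append(Finding("run-from-user-writable-dir", "high", f"{name} -> {path}"))
        elif "mountpoints2" in key and line.lower().startswith("\\shell\\autorun\\command"):
            # Per-device AutoRun handler: U3 launchers are common, unknown binaries are not.
            found.append(Finding("mountpoints2-autorun", "info", line))
        else:
            m = REG_VALUE_RE.match(line)
            if not m:
                continue
            name, strval, dword = m.group(1), m.group(2), m.group(3)
            if key.endswith("\\run") and strval and _in_suspect_dir(strval):
                found.append(Finding("run-from-user-writable-dir", "high", f"{name} -> {strval}"))
            if (key.endswith("\\security center") and name.lower() == "antivirusoverride"
                    and dword and int(dword, 16) == 1):
                # Tells Security Center to stop warning that no antivirus is monitoring.
                found.append(Finding("security-center-av-override", "high", line))
    return found


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
```

Run it on a saved C:\ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the mountpoints2 rule is deliberately informational, since the U3 and setupSNK handlers in this log are ordinary removable-media launchers, whereas the TDSS, userinit.exe, Application Data Run entry and AntiVirusOverride findings are each worth acting on.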