ComboFix 09-06-25.01 - Bob 06/25/2009 19:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1537 [GMT -5:00]
Running from: c:\documents and settings\Bob\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_LICH
-------\Service_d034e143
-------\Service_lich
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.
2009-06-25 23:02 . 2009-06-25 23:02 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-25 03:07 . 2009-06-25 03:10 -------- d-----w- c:\documents and settings\Bob\.SunDownloadManager
2009-06-25 03:00 . 2009-06-25 03:00 -------- d-----w- c:\documents and settings\Bob\Application Data\HP
2009-06-25 02:53 . 2009-06-25 02:53 -------- d-----w- C:\rsit
2009-06-25 02:03 . 2009-06-25 02:03 -------- d-----w- c:\program files\7-Zip
2009-06-25 01:02 . 2009-06-25 01:02 -------- d-----w- c:\program files\Trend Micro
2009-06-24 03:46 . 2009-06-24 03:46 -------- d-----w- c:\documents and settings\Bob\Application Data\Uniblue
2009-06-24 02:51 . 2009-06-25 00:07 -------- d-----w- c:\documents and settings\Bob\.housecall6.6
2009-06-24 02:23 . 2009-06-24 02:23 -------- d-----w- c:\documents and settings\Bob\Application Data\Malwarebytes
2009-06-23 22:17 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 22:17 . 2009-06-23 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 22:17 . 2009-06-23 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 22:17 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 00:24 . 2009-06-23 00:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-22 02:37 . 2009-06-22 04:57 -------- d-----w- c:\windows\DLL
2009-06-05 03:11 . 2009-06-05 03:11 -------- d-----w- c:\windows\system32\LogFiles
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 22:45 . 2008-09-01 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-25 02:43 . 2005-08-26 09:40 -------- d-----w- c:\program files\Java
2009-06-24 04:05 . 2007-06-22 19:48 77504 ----a-w- c:\documents and settings\Bob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-24 03:43 . 2005-08-26 10:07 -------- d-----w- c:\program files\Google
2009-06-09 01:22 . 2006-02-25 16:32 -------- d-----w- c:\program files\Common Files\Adobe
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\DLL ----
((((((((((((((((((((((((((((( SnapShot@2009-06-25_23.01.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-25 23:02 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-25 23:02 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-25 23:02 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-25 23:02 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-25 23:02 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-25 23:02 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-25 23:02 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-25 23:02 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-25 23:02 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-25 23:02 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-25 23:02 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-25 23:02 . 2008-12-20 23:15 826368 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-25 23:02 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-25 23:02 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-25 23:02 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-25 23:02 . 2008-04-14 00:12 108544 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-25 23:02 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-25 23:02 . 2008-04-14 00:11 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-25 23:02 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-25 23:02 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-25 23:02 . 2008-08-14 10:11 2189184 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-25 23:02 . 2008-08-14 09:33 2066048 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-25 23:02 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [6/23/2009 6:46 AM 200192]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/quicktime/download
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-06-25 19:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?5?9?5??P???? ???B?????????????hLC? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-26 20:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-26 01:00
ComboFix2.txt 2009-06-25 23:03
Pre-Run: 42,348,892,160 bytes free
Post-Run: 42,411,462,656 bytes free