#1

Registered User
Join Date: Sep 2009
Posts: 2
OS: windows xp
Help with clickker.cn virus, combofix already ran
I believe I got infected with the clikker.cn virus. I found a similar thread on your website. I ran combofix.exe and it generated these two .txt files:
Do I need to re-run ComboFix? Am I still infected?

1st file - Combofix.txt:

ComboFix 09-09-17.04 - Administrator 09/18/2009 12:50.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1529 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Forefront Client Security *On-access scanning disabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\lopezaj\protect.dll
c:\documents and settings\lopezaj\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\lopezaj\Start Menu\Programs\Startup\ChkDisk.lnk
c:\program files\Shared
c:\program files\Shared\lib.sig
c:\recycler\S-1-5-21-1409082233-839522115-70264643-500
c:\recycler\S-1-5-21-174175183-3804504684-3839665979-500
c:\recycler\S-1-5-21-2480539269-3580507064-3469805443-500
c:\windows\Installer\104cc1.msi
c:\windows\Installer\4bed58f.msp
c:\windows\system32\6to4v32.dll
c:\windows\system32\autochk.dll
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\gasfkyxumrppwh.sys
c:\windows\system32\gasfkybirfqilt.dll
c:\windows\system32\gasfkycopcycbv.dll
c:\windows\system32\gasfkydjomqppx.dat
c:\windows\system32\gasfkylespwcme.dat
c:\windows\system32\gasfkynssrpuwc.dll
c:\windows\system32\mndisk.sys
C:\xcrashdump.dat

c:\windows\system32\drivers\str.sys . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://JFKSM01.ccc.coopcam.com:80
hxxp://atlsm01.ccc.coopcam.com:80
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyflxbeyxy
-------\Legacy_gasfkyflxbeyxy
-------\Legacy_6TO4
-------\Legacy_MNDISK
-------\Service_6to4
-------\Service_mndisk


((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-18 18:00 . 2009-09-18 18:00 213024 ------w- c:\windows\system32\drivers\str.sys
2009-09-18 16:53 . 2009-09-18 16:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TechSmith
2009-09-15 21:17 . 2009-09-15 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\GroupPolicy
2009-09-09 13:01 . 2009-09-09 13:42 -------- d-----w- c:\documents and settings\lopezaj\Application Data\webex
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-09-18 16:50 . 2007-07-30 18:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Passlogix
2009-09-18 13:54 . 2007-12-13 14:23 -------- d-----w- c:\documents and settings\lopezaj\Application Data\Passlogix
2009-09-10 17:44 . 2007-07-27 13:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-22 14:23 . 2007-07-30 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2006-12-29 21:15 . 2007-07-30 16:36 3100672 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2006-12-29 21:15 . 2007-07-30 16:36 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2006-12-29 21:15 . 2007-07-30 16:36 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2006-12-29 21:15 . 2007-07-30 16:36 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2006-12-07 16:26 . 2007-07-30 16:36 1129984 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
2006-12-07 16:26 . 2007-07-30 16:36 1124864 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-07-30 180269]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-12-17 5160288]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2008-07-09 1036848]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-05 148888]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\lopezaj\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2007-5-1 6395464]
VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2007-12-13 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-1682526488-725345543-2036\Scripts\Logon\0\0]
"Script"=sapscriptset.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-1682526488-725345543-2036\Scripts\Logon\1\0]
"Script"=camsplash.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-1682526488-725345543-29483\Scripts\Logon\0\0]
"Script"=sapscriptset.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-1682526488-725345543-29483\Scripts\Logon\1\0]
"Script"=camsplash.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [7/30/2007 1:57 PM 251578]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [12/10/2006 6:27 PM 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [12/10/2006 6:27 PM 204800]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [12/10/2006 6:27 PM 17664]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [7/9/2008 6:05 PM 18704]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [4/6/2007 5:12 AM 73120]
R2 FiberlinkMonitor;Fiberlink Monitor Service;c:\program files\Fiberlink\Extend360\WENGINE\wmonitor.exe [7/11/2005 10:58 AM 65604]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 12:14 PM 134656]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 4:16 PM 17536]
R3 EuMusDesignVirtualAudioCableWdm;PC2TV Audio;c:\windows\system32\drivers\PC2TVAudio.sys [4/4/2007 8:24 PM 38528]
R3 PC2TV;PC2TV_Display_Driver;c:\windows\system32\drivers\PC2TV.sys [4/12/2007 1:52 PM 25344]
R3 PC2TVMirror;PC2TVMirror_Display_Driver;c:\windows\system32\drivers\PC2TVMirror.sys [4/12/2007 1:48 PM 25344]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
S2 InFocus Mirror Driver Service;InFocus Mirror Driver Service;c:\program files\InFocus\LiteShow II\TLA\ifclsmrsvc.exe [2/6/2009 10:02 AM 53248]
.
Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1682526488-725345543-2036Core.job
- c:\documents and settings\lopezaj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-05 17:57]

2009-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1682526488-725345543-2036UA.job
- c:\documents and settings\lopezaj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-05 17:57]

2009-09-18 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2008-07-09 23:05]

2009-09-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2008-07-09 23:05]

2009-09-18 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2008-07-09 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = https://intranet.c-a-m.com
uInternet Connection Wizard,ShellNext = hxxp://email.c-a-m.com/
uInternet Settings,ProxyOverride = <local>
Trusted Zone: c-a-m.com
Trusted Zone: camclysm01
Trusted Zone: coopcam.com\camclysm01.ccc
Trusted Zone: liveperson.net
Trusted Zone: c-a-m.com
Trusted Zone: camclysm01
Trusted Zone: cctrainer.com
Trusted Zone: coopcam.com\camclysm01.ccc
Trusted Zone: coopcam.com\ccceqis01.ccc
Trusted Zone: liveperson.net
DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} - hxxp://192.168.1.105/XNC600NetCam.cab
DPF: {0CE39AB9-27D9-4D58-9DC1-99405AFB86F4} - hxxp://camccp.c-a-m.com/mypcinfo/bin/WMIRegistryDLL.CAB
DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} - hxxps://www106.livemeeting.com/etc/static/FOXrapid1/2008-03-11-00-32-28/MailObjects.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.aquire.com/codebase81/OrgPubX.cab
DPF: {EF55A67E-D9E4-4151-B026-1BE1B535ABFD} - hxxp://software.ccc.coopcam.com/ESD/ESDComputerName.CAB
.
- - - - ORPHANS REMOVED - - - -

Notify-__c00790A4 - c:\windows\system32\__c00790A4.dat



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 13:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\drivers\vcbuecxylps.sys 77440 bytes executable
c:\windows\system32\drivers\alpnmvnlpiy.sys 77440 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qyelvenj]
"ImagePath"="\??\c:\windows\system32\drivers\alpnmvnlpiy.sys"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uaknhi]
"ImagePath"="\??\c:\windows\system32\drivers\vcbuecxylps.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1348)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(7036)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Fiberlink\Extend360\ServiceMgr.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\TechSmith\SnagIt 8\TscHelp.exe
c:\program files\TechSmith\SnagIt 8\SnagPriv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-18 13:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 18:22

Pre-Run: 50,012,667,904 bytes free
Post-Run: 50,368,094,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

267