Untitled

a guest
Jul 3rd, 2011
ComboFix 11-07-02.02 - Administrator 07/03/2011 9:04.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.594 [GMT 1:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\1.tmp
c:\documents and settings\Administrator\Application Data\17.tmp
c:\documents and settings\Administrator\Application Data\18.tmp
c:\documents and settings\Administrator\Application Data\2.tmp
c:\documents and settings\Administrator\Application Data\3.tmp
c:\documents and settings\Administrator\Application Data\4.tmp
c:\documents and settings\Administrator\Application Data\5.tmp
c:\documents and settings\Administrator\Application Data\6.tmp
c:\documents and settings\Administrator\Application Data\8.tmp
c:\documents and settings\Administrator\Application Data\B9.tmp
c:\documents and settings\Administrator\Application Data\BA.tmp
c:\documents and settings\Administrator\Application Data\Dbnonr.exe
c:\documents and settings\Administrator\Application Data\lsass.exe
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Administrator\ddfwv.exe
c:\documents and settings\Administrator\WINDOWS
c:\recycler\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe
c:\windows\aadrive32.exe
c:\windows\system32\42.exe
c:\windows\system32\55.exe
c:\windows\system32\63.exe
c:\windows\system32\81.exe
.
c:\windows\system32\kernel32.dll . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))
.
.
2011-07-03 08:12 . 2011-07-03 08:12 -------- d-----w- c:\windows\system32\wbem\snmp
2011-07-03 08:11 . 2011-07-03 08:11 -------- d-----w- c:\windows\system32\xircom
2011-07-03 08:11 . 2011-07-03 08:11 -------- d-----w- c:\program files\microsoft frontpage
2011-07-03 08:02 . 2011-07-03 08:02 46615 ------w- c:\windows\system32\crssc.exe
2011-07-02 13:04 . 2011-07-02 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-07-02 12:36 . 2011-07-02 13:58 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-07-01 20:41 . 2011-07-01 20:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2011-06-29 13:03 . 2011-06-29 13:03 -------- d-----w- c:\windows\Sun
2011-06-28 12:37 . 2011-06-30 16:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\MCShield
2011-06-28 12:37 . 2011-06-28 12:37 -------- d-----w- c:\program files\MCShield
2011-06-27 19:11 . 2011-06-27 19:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\uTorrentBar
2011-06-27 18:55 . 2008-11-13 14:18 599552 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-06-27 18:55 . 2008-11-13 14:18 177664 ------w- c:\windows\system32\dllcache\wintrust.dll
2011-06-27 18:53 . 2009-09-04 16:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-06-27 18:53 . 2009-09-04 16:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-06-27 18:53 . 2007-04-04 17:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2011-06-27 18:53 . 2011-06-27 18:53 -------- d-----w- c:\windows\Logs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 08:11 . 2002-05-26 18:51 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11 . 2002-05-26 18:51 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 03:52 . 2002-06-10 14:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 01:25 . 2002-06-10 14:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-03 . A3886230C2B22BF4D3C452B90B1C45CB . 359808 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-05-03 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^STARTXP.BAT]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\STARTXP.BAT
backup=c:\windows\pss\STARTXP.BATCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 11:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2002-05-26 17:06 136176 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCShield]
2011-03-26 14:36 262144 ----a-w- c:\program files\MCShield\MCShieldRTM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCShieldTray]
2010-11-04 17:46 73728 ----a-w- c:\program files\MCShield\MCShieldTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-03-21 00:36 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2002-03-21 10:23 46592 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 11:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R2 Netmanm;Network Connections to Monitor;c:\windows\system32\crssc.exe [7/3/2011 9:02 46615]
S3 EverestDriver;FinalWire EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [6/10/2002 18:55 27800]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/26/2002 19:51 39984]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\g:\ntglm7x.sys --> g:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-220523388-515967899-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2002-05-26 17:06]
.
2011-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-220523388-515967899-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2002-05-26 17:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.facemoods.com/?a=ddrnw
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 213.133.3.5 212.200.246.8
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - (no file)
HKCU-Run-Dbnonr - c:\documents and settings\Administrator\Application Data\Dbnonr.exe
HKCU-Run-Local Security Authority Service - c:\documents and settings\Administrator\Application Data\lsass.exe
MSConfigStartUp-Dbnonr - c:\documents and settings\Administrator\Application Data\Dbnonr.exe
MSConfigStartUp-Microsoft Driver Setup - c:\windows\aadrive32.exe
MSConfigStartUp-NetWorx - c:\program files\NetWorx\networx.exe
MSConfigStartUp-Tnaww - c:\recycler\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-03 09:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-07-03 09:14:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-03 08:14
.
Pre-Run: 14,607,036,416 bytes free
Post-Run: 14,611,447,808 bytes free
.
- - End Of File - - 6AA2125011816AA96866D50E12485955
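The paste above is raw ComboFix output with no analysis attached. As an added example that is not part of the paste or of ComboFix, the Python below applies a few triage heuristics to an excerpt of it. The excerpt is a constructed sample copied from the lines above; the rule names, the path regex and the assumption that the system drive is c: with a Windows XP directory layout are mine. The rules flag a Windows system-process name such as lsass.exe found outside its home directory, executables under \recycler\, purely numeric .exe names in system32, the Security Center override values, a disabled firewall, a file ComboFix reports as infected, and a service whose binary carries the same date as the scan.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of the ComboFix log above: the same lines, with only the
# ones the rules below look at retained.
SAMPLE_LOG = r"""
ComboFix 11-07-02.02 - Administrator 07/03/2011 9:04.2.1 - x86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\documents and settings\Administrator\Application Data\Dbnonr.exe
c:\documents and settings\Administrator\Application Data\lsass.exe
c:\recycler\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe
c:\windows\aadrive32.exe
c:\windows\system32\42.exe
c:\windows\system32\kernel32.dll . . . is infected!!
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 Netmanm;Network Connections to Monitor;c:\windows\system32\crssc.exe [7/3/2011 9:02 46615]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/26/2002 19:51 39984]
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Local Security Authority Service - c:\documents and settings\Administrator\Application Data\lsass.exe
MSConfigStartUp-Microsoft Driver Setup - c:\windows\aadrive32.exe
MSConfigStartUp-Tnaww - c:\recycler\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe
"""

# Where Windows XP keeps these binaries; the same file name anywhere else is a
# masquerade. Assumes the system drive is c: (an assumption of this example).
LEGIT_DIR = {name: r"c:\windows\system32" for name in (
    "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
    "svchost.exe", "spoolsv.exe")}
LEGIT_DIR["explorer.exe"] = r"c:\windows"

# A drive-letter path up to a binary-looking extension (paths contain spaces,
# so the match is bounded by the extension, not by whitespace).
PATH_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|sys|dll|bat|cpl|scr|com))(?![a-z0-9])", re.I)
# ComboFix service line: "R2 Name;Display Name;path [m/d/yyyy h:mm size]".
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{1,2}/\d{1,2}/\d{4})\s")
# First log line, which carries the scan date.
HEADER_RE = re.compile(r"^ComboFix \S+ - \S+ (\d{2}/\d{2}/\d{4})")


def classify_path(path):
    """Rules that look at a single file path; returns the rule names that fire."""
    p = path.lower()
    parent, _, name = p.rpartition("\\")
    hits = []
    if name in LEGIT_DIR and parent != LEGIT_DIR[name]:
        hits.append("system-process-name-outside-system-dir")
    if "\\recycler\\" in p and name.endswith((".exe", ".bat", ".com", ".scr")):
        hits.append("executable-in-recycle-bin")
    if parent == r"c:\windows\system32" and re.fullmatch(r"\d+\.exe", name):
        hits.append("numeric-name-exe-in-system32")
    return hits


def triage(log_text):
    """Walk a ComboFix log and return (rule, evidence_line) pairs."""
    scan_date = None
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            scan_date = datetime.strptime(m.group(1), "%m/%d/%Y")
            continue
        if line.endswith("is infected!!"):
            findings.append(("system-file-patched", line))
        if re.search(r'"(AntiVirusOverride|FirewallOverride)"=dword:0*1$', line):
            findings.append(("security-center-override-set", line))
        if re.match(r'"EnableFirewall"=\s*0\b', line):
            findings.append(("windows-firewall-disabled", line))
        m = SERVICE_RE.match(line)
        if m and scan_date is not None:
            binary_date = datetime.strptime(m.group(5), "%m/%d/%Y")
            if abs(scan_date - binary_date) <= timedelta(days=1):
                findings.append(("service-binary-dated-at-scan-time", line))
        for path in PATH_RE.findall(line):
            # Registry values double the backslashes; normalise before matching.
            for rule in classify_path(path.replace("\\\\", "\\")):
                findings.append((rule, line))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:45s} {evidence}")
```

Every finding is tied to the literal log line that produced it, so the output can be pasted back into a case note. The service-date rule is deliberately loose (same day as the scan, plus or minus one) because ComboFix prints the binary's timestamp, not the service's install time; on the log above it singles out the crssc.exe service and leaves the MBAM driver alone.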