ComboFix 11-07-02.02 - Administrator 07/03/2011 9:04.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.594 [GMT 1:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\1.tmp
c:\documents and settings\Administrator\Application Data\17.tmp
c:\documents and settings\Administrator\Application Data\18.tmp
c:\documents and settings\Administrator\Application Data\2.tmp
c:\documents and settings\Administrator\Application Data\3.tmp
c:\documents and settings\Administrator\Application Data\4.tmp
c:\documents and settings\Administrator\Application Data\5.tmp
c:\documents and settings\Administrator\Application Data\6.tmp
c:\documents and settings\Administrator\Application Data\8.tmp
c:\documents and settings\Administrator\Application Data\B9.tmp
c:\documents and settings\Administrator\Application Data\BA.tmp
c:\documents and settings\Administrator\Application Data\Dbnonr.exe
c:\documents and settings\Administrator\Application Data\lsass.exe
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Administrator\ddfwv.exe
c:\documents and settings\Administrator\WINDOWS
c:\recycler\R-1-5-21-1482476501-1644491937-682003330-1013\acleaner.exe
c:\windows\aadrive32.exe
c:\windows\system32\42.exe
c:\windows\system32\55.exe
c:\windows\system32\63.exe
c:\windows\system32\81.exe
.
c:\windows\system32\kernel32.dll . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))
.
.
2011-07-03 08:12 . 2011-07-03 08:12 -------- d-----w- c:\windows\system32\wbem\snmp
2011-07-03 08:11 . 2011-07-03 08:11 -------- d-----w- c:\windows\system32\xircom
2011-07-03 08:11 . 2011-07-03 08:11 -------- d-----w- c:\program files\microsoft frontpage
2011-07-03 08:02 . 2011-07-03 08:02 46615 ------w- c:\windows\system32\crssc.exe
2011-07-02 13:04 . 2011-07-02 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-07-02 12:36 . 2011-07-02 13:58 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-07-01 20:41 . 2011-07-01 20:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2011-06-29 13:03 . 2011-06-29 13:03 -------- d-----w- c:\windows\Sun
2011-06-28 12:37 . 2011-06-30 16:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\MCShield
2011-06-28 12:37 . 2011-06-28 12:37 -------- d-----w- c:\program files\MCShield
2011-06-27 19:11 . 2011-06-27 19:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\uTorrentBar
2011-06-27 18:55 . 2008-11-13 14:18 599552 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-06-27 18:55 . 2008-11-13 14:18 177664 ------w- c:\windows\system32\dllcache\wintrust.dll
2011-06-27 18:53 . 2009-09-04 16:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-06-27 18:53 . 2009-09-04 16:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-06-27 18:53 . 2007-04-04 17:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2011-06-27 18:53 . 2011-06-27 18:53 -------- d-----w- c:\windows\Logs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 08:11 . 2002-05-26 18:51 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11 . 2002-05-26 18:51 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 03:52 . 2002-06-10 14:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 01:25 . 2002-06-10 14:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-03 . A3886230C2B22BF4D3C452B90B1C45CB . 359808 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-05-03 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^STARTXP.BAT]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\STARTXP.BAT
backup=c:\windows\pss\STARTXP.BATCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 11:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2002-05-26 17:06 136176 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCShield]
2011-03-26 14:36 262144 ----a-w- c:\program files\MCShield\MCShieldRTM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCShieldTray]
2010-11-04 17:46 73728 ----a-w- c:\program files\MCShield\MCShieldTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-03-21 00:36 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2002-03-21 10:23 46592 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 11:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
R2 Netmanm;Network Connections to Monitor;c:\windows\system32\crssc.exe [7/3/2011 9:02 46615]
S3 EverestDriver;FinalWire EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [6/10/2002 18:55 27800]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/26/2002 19:51 39984]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\g:\ntglm7x.sys --> g:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-220523388-515967899-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2002-05-26 17:06]
.
2011-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-220523388-515967899-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2002-05-26 17:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.facemoods.com/?a=ddrnw
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 213.133.3.5 212.200.246.8
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - (no file)
HKCU-Run-Dbnonr - c:\documents and settings\Administrator\Application Data\Dbnonr.exe
HKCU-Run-Local Security Authority Service - c:\documents and settings\Administrator\Application Data\lsass.exe
MSConfigStartUp-Dbnonr - c:\documents and settings\Administrator\Application Data\Dbnonr.exe
MSConfigStartUp-Microsoft Driver Setup - c:\windows\aadrive32.exe
MSConfigStartUp-NetWorx - c:\program files\NetWorx\networx.exe
MSConfigStartUp-Tnaww - c:\recycler\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-03 09:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-07-03 09:14:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-03 08:14
.
Pre-Run: 14,607,036,416 bytes free
Post-Run: 14,611,447,808 bytes free
.
- - End Of File - - 6AA2125011816AA96866D50E12485955