Old 20-12-2008, 01:06 AM
CYMREIG
Join Date: Dec 2008
Posts: 9
Re: Computer creates random number.exe files

Here's my combofix log

ComboFix 08-12-18.03 - Twiggy ^^ 2008-12-19 23:55:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.483 [GMT 0:00]
Running from: c:\documents and settings\Twiggy ^^\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bbmnevcv.dll
c:\windows\system32\cdlkcrbk.ini
c:\windows\system32\dfgksqet.dll
c:\windows\system32\emgsufpx.ini
c:\windows\system32\fNTtutwa.ini
c:\windows\system32\gbkqiktk.dll
c:\windows\system32\gosekrwk.ini
c:\windows\system32\hanayqru.dll
c:\windows\system32\hfyeienp.dll
c:\windows\system32\hnphtbmp.ini
c:\windows\system32\JjQsBJjl.ini
c:\windows\system32\JjQsBJjl.ini2
c:\windows\system32\yblhjtse.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-12-18 10:42 . 2008-12-18 10:58 <DIR> d-------- c:\documents and settings\Twiggy ^^\Application Data\EVEMon
2008-12-18 10:41 . 2008-12-18 10:41 <DIR> d-------- c:\program files\EVEMon
2008-12-18 10:03 . 2008-12-18 10:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\CCP
2008-12-18 09:58 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-12-18 09:51 . 2008-12-18 09:51 <DIR> d-------- c:\program files\CCP
2008-12-17 01:08 . 2008-12-17 01:08 304,160 --a------ C:\StiImg.dat
2008-12-12 22:39 . 2008-12-12 22:39 <DIR> d-------- c:\documents and settings\Twiggy ^^\Application Data\Malwarebytes
2008-12-12 22:31 . 2008-12-12 22:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 22:31 . 2008-12-12 22:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 22:31 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 22:31 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 20:37 . 2008-12-11 20:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-06 20:22 . 2008-12-06 20:31 <DIR> d-------- c:\program files\PoxNora
2008-12-05 16:21 . 2008-12-05 17:37 <DIR> d-------- c:\program files\Granado Espada
2008-12-02 20:03 . 2008-12-03 17:09 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-02 20:03 . 2008-12-02 20:03 <DIR> d-------- c:\documents and settings\Twiggy ^^\Application Data\PC Tools
2008-12-02 20:03 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-02 20:03 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-02 20:03 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-02 20:03 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-01 19:46 . 2008-12-01 19:46 <DIR> d-------- c:\program files\Trend Micro
2008-12-01 19:09 . 2008-12-01 19:09 <DIR> d-------- c:\program files\CCleaner
2008-12-01 18:44 . 2008-12-01 18:44 16,244 --a------ c:\windows\system32\rrt_is.wav
2008-12-01 18:44 . 2008-12-01 18:44 7,302 --a------ c:\windows\system32\rrt_vf.wav
2008-12-01 18:44 . 2008-12-01 18:44 7,148 --a------ c:\windows\system32\rrt_tv.wav
2008-12-01 18:44 . 2008-12-01 18:44 6,282 --a------ c:\windows\system32\rrt_tn.wav
2008-12-01 18:30 . 2008-12-01 18:30 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-24 19:58 . 2008-11-27 04:20 <DIR> d-------- c:\documents and settings\Twiggy ^^\Application Data\LimeWire
2008-11-24 19:52 . 2008-11-24 19:55 <DIR> d-------- c:\program files\LimeWire
2008-11-24 18:12 . 2008-11-24 18:42 <DIR> d-------- c:\documents and settings\Twiggy ^^\Application Data\Download Manager
2008-11-22 04:35 . 2008-11-22 04:35 <DIR> d-------- c:\program files\Windows Journal Viewer
2008-11-22 02:53 . 2008-11-22 02:53 <DIR> d-------- c:\documents and settings\Twiggy ^^\WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 23:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-19 23:41 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\Skype
2008-12-19 22:43 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\IMVU
2008-12-19 16:06 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\skypePM
2008-12-18 18:17 --------- d-----w c:\program files\FlashGet
2008-12-18 18:05 --------- d-----w c:\program files\Steam
2008-12-18 18:04 119,296 ----a-w c:\windows\system32\zlib.dll
2008-12-18 18:03 --------- d-----w c:\program files\Xfire
2008-12-18 18:00 109,620,256 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-16 18:52 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\uTorrent
2008-12-15 23:16 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\Xfire
2008-12-15 02:38 1,198,760 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-14 05:02 162,161 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_14_05_01_49_small.dmp.zip
2008-12-12 04:44 2,799,616 ----a-w c:\windows\Internet Logs\xDB10.tmp
2008-12-11 15:39 --------- d-----w c:\program files\PaintTool SAI English Pack
2008-12-11 00:27 166,706 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_11_00_26_08_small.dmp.zip
2008-12-11 00:26 2,742,272 ----a-w c:\windows\Internet Logs\xDB5D5.tmp
2008-12-07 22:35 1,038,848 ----a-w c:\windows\Internet Logs\xDBF.tmp
2008-12-07 17:25 2,816,000 ----a-w c:\windows\Internet Logs\xDBE.tmp
2008-12-03 02:03 3,226,624 ----a-w c:\windows\Internet Logs\xDBD.tmp
2008-12-02 19:43 3,150,336 ----a-w c:\windows\Internet Logs\xDBC.tmp
2008-12-02 19:43 2,782,720 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-12-02 19:23 2,809,856 ----a-w c:\windows\Internet Logs\xDBA.tmp
2008-12-02 18:45 4,427,064 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2008-11-29 13:20 52,882 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_11_29_13_19_09_small.dmp.zip
2008-11-29 04:52 2,760,192 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-11-26 17:37 --------- d-----w c:\program files\Common Files\Adobe
2008-11-22 15:45 2,774,528 ----a-w c:\windows\Internet Logs\xDB8.tmp
2008-11-19 09:36 308,334 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_11_19_09_36_06_small.dmp.zip
2008-11-18 15:21 158,365 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_11_18_15_20_55_small.dmp.zip
2008-11-16 08:54 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-16 08:39 --------- d-----w c:\program files\Adobe Media Player
2008-11-16 08:37 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-16 08:30 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-11-15 21:26 --------- d-----w c:\program files\Cheat Engine
2008-11-14 15:42 --------- d-----w c:\program files\Gravity
2008-11-12 17:42 --------- d-----w c:\program files\RebirthRO
2008-11-11 19:32 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\IMVUClient
2008-11-11 14:41 --------- d-----w c:\program files\SevenfoldRO
2008-11-11 03:46 2,483,200 ----a-w c:\windows\Internet Logs\xDB7.tmp
2008-11-11 03:14 253,440 ----a-w c:\windows\Internet Logs\xDB6.tmp
2008-11-10 17:15 4,072,448 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-11-09 21:46 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-11-07 21:03 --------- d-----w c:\program files\VUGames
2008-11-04 22:13 --------- d-----w c:\program files\House of Tales
2008-11-03 21:01 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 20:54 --------- d-----w c:\program files\Activision
2008-10-31 00:01 --------- d-----w c:\program files\TRABULANCE
2008-10-27 22:56 --------- d-----w c:\program files\EA GAMES
2008-10-24 22:33 --------- d-----w c:\documents and settings\LocalService\Application Data\Xfire
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:21 --------- d-----w c:\program files\Call of Duty Game of the Year Edition
2008-10-22 23:16 --------- d-----w c:\documents and settings\Twiggy ^^\Application Data\SYSTEMAX Software Development
2008-10-22 23:16 --------- d-----w c:\documents and settings\All Users\Application Data\SYSTEMAX Software Development
2008-10-22 22:47 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-22 22:27 2,883,584 ----a-w c:\windows\Internet Logs\xDB4.tmp
2008-10-21 23:57 2,337,792 ----a-w c:\windows\Internet Logs\xDBBD.tmp
2008-10-21 23:24 2,773,504 ----a-w c:\windows\Internet Logs\xDB3.tmp
2008-10-21 18:14 4,640,768 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-10-21 18:14 2,329,600 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-10-09 14:25 73,104 ----a-w c:\windows\zllsputility.exe
2008-10-09 14:25 1,221,008 ----a-w c:\windows\system32\zpeng25.dll
2008-10-01 15:23 151,442 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_10_01_16_23_12_small.dmp.zip
2008-09-30 21:20 206 ----a-w C:\rohan_temp_execute.bat
2008-09-30 21:20 0 ----a-w c:\documents and settings\Twiggy ^^\running.dat
2008-09-30 00:19 152,265 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_09_30_01_19_42_small.dmp.zip
2008-09-19 20:06 81,920 ------r c:\windows\bwUnin-6.1.4.36-8876480L.exe
2008-09-19 20:02 14,656 ----a-w c:\windows\gdrv.sys
2008-09-19 19:59 315,392 ----a-w c:\windows\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-16 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-25 2007088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"RRT-Auto"="c:\documents and settings\Twiggy ^^\Desktop\RRT\RRT.exe" [2008-09-07 140288]
"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 c:\windows\LOGI_MWX.EXE]
"atwtusb"="atwtusb.exe" [2005-03-09 c:\windows\system32\atwtusb.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Twiggy ^^\Start Menu\Programs\Startup\
IMVU.lnk - c:\documents and settings\Twiggy ^^\Application Data\IMVUClient\IMVUClient.exe [2008-12-04 49408]
Trillian.lnk - c:\documents and settings\Twiggy ^^\Desktop\Twiggy's ****\Trillian\trillian.exe [2008-10-01 1873280]
Xfire.lnk - c:\program files\Xfire\xfire.exe [2008-12-11 2990416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-09-19 169472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\messenger (yahoo!)]
--a------ 2008-09-19 16:34 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pinnacle game profiler]
--a------ 2008-10-14 01:42 2473984 c:\program files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Save to disk\\Save to disk\\BearShare\\BearShare.exe"=
"c:\\Documents and Settings\\Twiggy ^^\\Desktop\\Twiggy's ****\\Trillian\\trillian.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"e:\\Program Files\\MC2\\Sniper Elite\\SniperElite.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\WINDOWS\\system32\\mcoinstall.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\DRIVERS\pfc027.sys [2005-02-24 162176]
S1 13a898b5;13a898b5;c:\windows\system32\drivers\13a898b5.sys []
S1 2f55f63a;2f55f63a;c:\windows\system32\drivers\2f55f63a.sys []
S1 aiptektp;HyperPen;c:\windows\system32\DRIVERS\aiptektp.sys [2008-11-22 22272]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\TWIGGY~1\LOCALS~1\Temp\cel90xbe.sys []
S3 Revolution1;Revolution1;\??\c:\documents and settings\Twiggy ^^\Desktop\Twiggy's ****\Hacking and hexing\Revolution_Engine_8.3_By_ShaK3\SHAK3.sys [2008-09-22 20864]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-02 356920]
S3 xdva220;XDva220;\??\c:\windows\system32\XDva220.sys []

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{1F9F7980-706A-4633-9C31-CCA2F9ACD183} - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Twiggy ^^\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Twiggy ^^\Start Menu\Programs\IMVU\Run IMVU.lnk -
FF - ProfilePath - c:\documents and settings\Twiggy ^^\Application Data\Mozilla\Firefox\Profiles\70q6xskm.Defalt\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-19 23:57:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2008-12-19 23:59:11
ComboFix-quarantined-files.txt 2008-12-19 23:59:02

Pre-Run: 53,307,727,872 bytes free
Post-Run: 53,481,533,440 bytes free

243 --- E O F --- 2008-11-13 0342