28-06-2009, 06:07 PM
bir_25
Re: [Active] Persistent Win32:Rootkit-gen (Rtk)

Combofix log
-------------------------------------------------------------------------------------------------------

ComboFix 09-06-26.02 - Administrator 06/28/2009 22:17.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126.14 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090526-0] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Favorites\.url
C:\klttd323.dll
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\clofghls.dll
c:\windows\system32\_id.dat
c:\windows\system32\config\system~1\applic~1\install.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\uhmw.sys
c:\windows\system32\icsxmlo.exe
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_fips32cup
-------\Legacy_i386si
-------\Legacy_KSI32SK
-------\Legacy_NETSIK
-------\Legacy_NPF
-------\Legacy_RPCSSWMIAPSRV
-------\Legacy_TCPSR
-------\Legacy_WS2_32SIK
-------\Service_npf
-------\Service_RpcSsWmiApSrv


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-28 16:30 . 2009-06-28 16:30 -------- d-sh--w- C:\FOUND.060
2009-06-27 13:57 . 2009-06-27 13:57 -------- d-sh--w- C:\FOUND.059
2009-06-27 09:13 . 2009-06-27 09:13 3631375 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-26 16:33 . 2009-06-26 16:33 -------- d--h--w- c:\windows\$hf_mig$
2009-06-25 16:16 . 2009-06-25 16:16 -------- d-sh--w- C:\FOUND.058
2009-06-17 14:41 . 2009-06-17 14:41 -------- d-sh--w- C:\FOUND.057
2009-06-12 18:09 . 2009-06-12 18:09 -------- d-sh--w- C:\FOUND.056
2009-06-10 16:08 . 2009-06-10 16:08 -------- d-sh--w- C:\FOUND.055
2009-06-08 14:41 . 2009-06-08 14:41 -------- d-----w- c:\program files\Mario Forever Toolbar
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\program files\Winamp
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-06-04 10:33 . 2009-06-04 10:33 -------- d-sh--w- C:\FOUND.054
2009-06-02 16:06 . 2009-06-02 16:06 -------- d-sh--w- C:\FOUND.053
2009-06-02 15:42 . 2009-06-02 15:42 -------- d-sh--w- C:\FOUND.052
2009-06-01 15:57 . 2009-06-01 15:57 -------- d-sh--w- C:\FOUND.051
2009-05-31 17:36 . 2007-02-25 10:06 383238 ----a-w- c:\windows\system32\libmp3lame-0.dll
2009-05-31 17:36 . 2006-11-01 09:22 765952 ----a-w- c:\windows\system32\xvidcore.dll
2009-05-31 17:36 . 2007-02-28 22:48 4762112 ----a-w- c:\windows\system32\NCMedia.dll
2009-05-30 14:57 . 2009-05-30 14:57 -------- d-sh--w- C:\FOUND.050
2009-05-30 14:20 . 2009-05-30 14:20 -------- d-sh--w- C:\FOUND.049
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\98348586
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\18338594

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 07:50 . 2008-01-09 15:32 499712 ----a-w- c:\windows\system32\igfxtray.exe
2009-06-25 05:55 . 2008-05-16 10:32 60 ----a-w- c:\windows\wpd99.drv
2009-06-17 05:57 . 2009-05-27 16:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 05:57 . 2009-05-27 16:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-04 16:35 . 2009-05-24 14:22 100 --s-a-w- c:\windows\system32\4041241291.dat
2009-05-30 14:58 . 2009-05-28 06:44 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-05-29 03:19 . 2009-05-28 06:44 2 --sha-r- c:\windows\winstart.bat
2009-05-28 06:42 . 2009-05-28 06:42 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-05-28 06:42 . 2009-05-28 06:42 32480 ----a-w- c:\windows\system32\Partizan.exe
2009-05-28 06:41 . 2009-05-28 06:41 -------- d-----w- c:\program files\Greatis
2009-05-27 19:07 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-27 18:21 . 2009-05-27 18:21 -------- d--h--w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-25 18:06 . 2009-05-25 18:06 -------- d-----w- c:\program files\Trend Micro
2009-05-18 16:58 . 2008-01-09 15:40 37952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 14:36 . 2009-05-12 14:36 -------- d-----w- c:\program files\PublicSoft
2009-05-12 08:43 . 2009-05-12 08:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fast Torrent
2009-05-08 08:49 . 2009-05-08 08:49 -------- d-----w- c:\program files\WinDjView
2009-05-07 15:46 . 2009-05-07 15:45 162816 ----a-w- c:\windows\system32\fmod.dll
2009-05-07 15:20 . 2009-05-07 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-07 15:11 . 2009-05-07 15:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
.

------- Sigcheck -------

[-] 2004-08-03 12:14 359040 1745B00FC1141404B28F4B94F69A8871 c:\windows\system32\drivers\tcpip.sys
[-] 2004-08-03 12:14 359040 1745B00FC1141404B28F4B94F69A8871 c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-28 499712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-09-08 114688]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-04-24 132608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq62.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"e:\\Program Files\\Rediff Bol\\RediffMessenger.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\hkcmd.exe"= c:\\WINDOWS\\system32\\hkcmd.exe
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\3quuvdu7.exe"=
"e:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Trend Micro\\HijackThis\\HijackThise.exe"=
"e:\\Program Files\\Mario Forever\\Mario Forever.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/2/2008 5:17 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2008 5:17 PM 20560]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\lhllpn.sys --> c:\windows\system32\drivers\lhllpn.sys [?]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [1/9/2008 9:10 PM 18004]
S0 dfzIw;dfzIw;c:\windows\system32\drivers\chlixoxc.sys --> c:\windows\system32\drivers\chlixoxc.sys [?]
S0 kxzkm;kxzkm;c:\windows\system32\drivers\wwzbgb.sys --> c:\windows\system32\drivers\wwzbgb.sys [?]
S0 Winkq62;Winkq62;c:\windows\system32\Drivers\Winkq62.sys --> c:\windows\system32\Drivers\Winkq62.sys [?]
S0 Yla19;Yla19; [x]
S1 d1d76351;d1d76351;c:\windows\system32\drivers\d1d76351.sys --> c:\windows\system32\drivers\d1d76351.sys [?]
S1 e43d787d;e43d787d;c:\windows\system32\drivers\e43d787d.sys --> c:\windows\system32\drivers\e43d787d.sys [?]
S2 AdobeHidServ;Adobe LM Service AdobeHidServ; srv --> srv [?]
S2 ALGlanmanserverWmi;Application Layer Gateway Service ALGlanmanserverWmi; srv --> srv [?]
S2 AudioSrvRemoteAccess;Windows Audio AudioSrvRemoteAccess; srv --> srv [?]
S2 AudioSrvScheduleThemesose;Windows Audio AudioSrvScheduleThemesose; srv --> srv [?]
S2 AudioSrvUPSWZCSVC;Windows Audio AudioSrvUPSWZCSVC; srv --> srv [?]
S2 avast!lanmanserverWmiNetDDE;avast! Web Scanner avast!lanmanserverWmiNetDDE; srv --> srv [?]
S2 dmadminSCardSvr;Logical Disk Manager Administrative Service dmadminSCardSvr; srv --> srv [?]
S2 dmserverBITS;Logical Disk Manager dmserverBITS; srv --> srv [?]
S2 ERSvcNtLmSsp;Error Reporting Service ERSvcNtLmSsp; srv --> srv [?]
S2 ERSvcRemoteRegistryAdobeHidServ;Error Reporting Service ERSvcRemoteRegistryAdobeHidServ; srv --> srv [?]
S2 EventlogDhcp;Event Log EventlogDhcp; srv --> srv [?]
S2 EventSystemWZCSVC;COM+ Event System EventSystemWZCSVC; srv --> srv [?]
S2 lanmanserverWmi;Server lanmanserverWmi; srv --> srv [?]
S2 lanmanserverWmiNetDDE;Server lanmanserverWmi lanmanserverWmiNetDDE; srv --> srv [?]
S2 LmHostsAudioSrvRemoteAccess;TCP/IP NetBIOS Helper LmHostsAudioSrvRemoteAccess; srv --> srv [?]
S2 LmHostsMSIServerRemoteRegistry;TCP/IP NetBIOS Helper LmHostsMSIServerRemoteRegistry; srv --> srv [?]
S2 MSIServerRemoteRegistry;Windows Installer MSIServerRemoteRegistry; srv --> srv [?]
S2 MSIServerRemoteRegistryRemoteAccess;Windows Installer MSIServerRemoteRegistry MSIServerRemoteRegistryRemoteAccess; srv --> srv [?]
S2 NetDDEAppMgmt;Network DDE NetDDEAppMgmt; srv --> srv [?]
S2 NetDDEdsdmFastUserSwitchingCompatibility;Network DDE DSDM NetDDEdsdmFastUserSwitchingCompatibility; srv --> srv [?]
S2 NetlogonNetDDEdsdm;Net Logon NetlogonNetDDEdsdm; srv --> srv [?]
S2 NetlogonW32Time;Net Logon NetlogonW32Time; srv --> srv [?]
S2 PlugPlayThemes;Plug and Play PlugPlayThemes; srv --> srv [?]
S2 RemoteRegistryAdobeHidServ;Remote Registry RemoteRegistryAdobeHidServ; srv --> srv [?]
S2 RemoteRegistryMSIServer;Remote Registry RemoteRegistryMSIServer; srv --> srv [?]
S2 RpcSsxmlprov;Remote Procedure Call (RPC) RpcSsxmlprov; srv --> srv [?]
S2 RSVPTermService;QoS RSVP RSVPTermService; srv --> srv [?]
S2 RSVPUPSWZCSVC;QoS RSVP RSVPUPSWZCSVC; srv --> srv [?]
S2 ScheduleThemes;Schedule ScheduleThemes; srv --> srv [?]
S2 ScheduleThemesose;Schedule ScheduleThemes ScheduleThemesose; srv --> srv [?]
S2 SpoolerNetlogonNetDDEdsdm;Print Spooler SpoolerNetlogonNetDDEdsdm; srv --> srv [?]
S2 TapiSrvLmHosts;Telephony TapiSrvLmHosts; srv --> srv [?]
S2 TermServiceUMWdf;Terminal Services TermServiceUMWdf; srv --> srv [?]
S2 UPSThemes;Uninterruptible Power Supply UPSThemes; srv --> srv [?]
S2 UPSWZCSVC;Uninterruptible Power Supply UPSWZCSVC; srv --> srv [?]
S2 UPSWZCSVCWmiApSrvEventlogDhcp;Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp; srv --> srv [?]
S2 W32TimeHTTPFilter;Windows Time W32TimeHTTPFilter; srv --> srv [?]
S2 WmiApSrvEventlogDhcp;WMI Performance Adapter WmiApSrvEventlogDhcp; srv --> srv [?]
S2 WZCSVCMSIServer;Wireless Zero Configuration WZCSVCMSIServer; srv --> srv [?]
S3 muxrxroeg;MUXRXROEG;c:\docume~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe [?]
S3 partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [5/28/2009 12:12 PM 34760]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [3/30/2009 2:47 PM 48896]
S3 regguard;RegGuard;c:\windows\system32\drivers\regguard.sys [5/28/2009 12:14 PM 29584]
S4 fjl;fjl;c:\docume~1\ADMINI~1\LOCALS~1\Temp\FJL.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\FJL.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-31 16:14]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)
Notify-!saswinlogon - c:\program files\SUPERAntiSpyware\SASWINLO.dll
SafeBoot-Gmr30.sys
SafeBoot-Winag17.sys
SafeBoot-Winag28.sys
SafeBoot-Winag40.sys
SafeBoot-Winag51.sys
SafeBoot-Winag62.sys
SafeBoot-Winag84.sys
SafeBoot-Winci05.sys
SafeBoot-Winci84.sys
SafeBoot-Windj30.sys
SafeBoot-Windj51.sys
SafeBoot-Winek17.sys
SafeBoot-Winfl27.sys
SafeBoot-Winfl38.sys
SafeBoot-Winfl40.sys
SafeBoot-Winfl74.sys
SafeBoot-Wingm17.sys
SafeBoot-Wingm38.sys
SafeBoot-Wingm84.sys
SafeBoot-Winhn73.sys
SafeBoot-Winhn84.sys
SafeBoot-Winio84.sys
SafeBoot-Winkq06.sys
SafeBoot-Winkq17.sys
SafeBoot-Winms05.sys
SafeBoot-Winms16.sys
SafeBoot-Winms27.sys
SafeBoot-Winms28.sys
SafeBoot-Winnt38.sys
SafeBoot-Winnt51.sys
SafeBoot-Winou40.sys
SafeBoot-Winou51.sys
SafeBoot-Winou74.sys
SafeBoot-Winpv73.sys
SafeBoot-Winpw51.sys
SafeBoot-Winqw16.sys
SafeBoot-Winqw62.sys
SafeBoot-Winrx07.sys
SafeBoot-Winrx16.sys
SafeBoot-Winrx17.sys
SafeBoot-Winrx74.sys
SafeBoot-Winsy06.sys
SafeBoot-Winsy16.sys
SafeBoot-Winsy17.sys
SafeBoot-Winsy27.sys
SafeBoot-Winsy38.sys
SafeBoot-Winsy51.sys
SafeBoot-Winsy73.sys
SafeBoot-Winta40.sys
SafeBoot-Winta84.sys
SafeBoot-Winta85.sys
SafeBoot-Wintb17.sys
SafeBoot-Winub73.sys
SafeBoot-Winvc27.sys
SafeBoot-Winvc38.sys
SafeBoot-Winvc63.sys
SafeBoot-Winwd06.sys
SafeBoot-Winwd51.sys
SafeBoot-Winwd62.sys
SafeBoot-Winxe16.sys
SafeBoot-Winxe17.sys
SafeBoot-Winxe30.sys
SafeBoot-Winxe73.sys
SafeBoot-Winxf28.sys
SafeBoot-Winyf16.sys
SafeBoot-Winyf38.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orissalinks.com/archive
IE: Download all with Free Download Manager - file://e:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://e:\program files\Free Download Manager\dlselected.htm
TCP: {DD82BFDE-F7A3-44E7-9B0D-81EEA9F6F16D} = 218.248.255.162 218.248.255.194
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vyi0rjd6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=Ehu&q=displacement+current+filetype%3Aswf&btnG=Search&meta=
FF - component: e:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-28 22:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 8192 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AdobeHidServ]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALGlanmanserverWmi]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvRemoteAccess]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvScheduleThemesose]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\AudioSrvUPSWZCSVC]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\avast!lanmanserverWmiNetDDE]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmadminSCardSvr]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmserverBITS]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ERSvcNtLmSsp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ERSvcRemoteRegistryAdobeHidServ]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EventlogDhcp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EventSystemWZCSVC]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserverWmi]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserverWmiNetDDE]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LmHostsAudioSrvRemoteAccess]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LmHostsMSIServerRemoteRegistry]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSIServerRemoteRegistry]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSIServerRemoteRegistryRemoteAccess]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetDDEAppMgmt]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetDDEdsdmFastUserSwitchingCompatibility]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetlogonNetDDEdsdm]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetlogonW32Time]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PlugPlayThemes]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RemoteRegistryAdobeHidServ]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RemoteRegistryMSIServer]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RpcSsxmlprov]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RSVPTermService]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RSVPUPSWZCSVC]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ScheduleThemes]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ScheduleThemesose]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SpoolerNetlogonNetDDEdsdm]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TapiSrvLmHosts]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TermServiceUMWdf]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSThemes]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSWZCSVC]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPSWZCSVCWmiApSrvEventlogDhcp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\W32TimeHTTPFilter]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WmiApSrvEventlogDhcp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WZCSVCMSIServer]
"ImagePath"=" srv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3840)
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-06-28 22:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-28 17:00

Pre-Run: 3,130,220,544 bytes free
Post-Run: 3,617,447,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

403
------------------------------------------------------------------------------------------------------
HJT log after the ComboFix operation
-------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:59 PM, on 6/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThise.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Archive
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD82BFDE-F7A3-44E7-9B0D-81EEA9F6F16D}: NameServer = 218.248.255.162 218.248.255.194
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe LM Service AdobeHidServ (AdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Application Layer Gateway Service ALGlanmanserverWmi (ALGlanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Windows Audio AudioSrvRemoteAccess (AudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvScheduleThemesose (AudioSrvScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Windows Audio AudioSrvUPSWZCSVC (AudioSrvUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: avast! Web Scanner avast!lanmanserverWmiNetDDE (avast!lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service dmadminSCardSvr (dmadminSCardSvr) - Unknown owner - .exe (file missing)
O23 - Service: Logical Disk Manager dmserverBITS (dmserverBITS) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcNtLmSsp (ERSvcNtLmSsp) - Unknown owner - .exe (file missing)
O23 - Service: Error Reporting Service ERSvcRemoteRegistryAdobeHidServ (ERSvcRemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Event Log EventlogDhcp (EventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: COM+ Event System EventSystemWZCSVC (EventSystemWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Server lanmanserverWmi (lanmanserverWmi) - Unknown owner - .exe (file missing)
O23 - Service: Server lanmanserverWmi lanmanserverWmiNetDDE (lanmanserverWmiNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsAudioSrvRemoteAccess (LmHostsAudioSrvRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper LmHostsMSIServerRemoteRegistry (LmHostsMSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry (MSIServerRemoteRegistry) - Unknown owner - .exe (file missing)
O23 - Service: Windows Installer MSIServerRemoteRegistry MSIServerRemoteRegistryRemoteAccess (MSIServerRemoteRegistryRemoteAccess) - Unknown owner - .exe (file missing)
O23 - Service: MUXRXROEG (muxrxroeg) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MUXRXROEG.exe (file missing)
O23 - Service: Network DDE NetDDEAppMgmt (NetDDEAppMgmt) - Unknown owner - .exe (file missing)
O23 - Service: Network DDE DSDM NetDDEdsdmFastUserSwitchingCompatibility (NetDDEdsdmFastUserSwitchingCompatibility) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonNetDDEdsdm (NetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Net Logon NetlogonW32Time (NetlogonW32Time) - Unknown owner - .exe (file missing)
O23 - Service: Plug and Play PlugPlayThemes (PlugPlayThemes) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryAdobeHidServ (RemoteRegistryAdobeHidServ) - Unknown owner - .exe (file missing)
O23 - Service: Remote Registry RemoteRegistryMSIServer (RemoteRegistryMSIServer) - Unknown owner - .exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsxmlprov (RpcSsxmlprov) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPTermService (RSVPTermService) - Unknown owner - .exe (file missing)
O23 - Service: QoS RSVP RSVPUPSWZCSVC (RSVPUPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes (ScheduleThemes) - Unknown owner - .exe (file missing)
O23 - Service: Schedule ScheduleThemes ScheduleThemesose (ScheduleThemesose) - Unknown owner - .exe (file missing)
O23 - Service: Print Spooler SpoolerNetlogonNetDDEdsdm (SpoolerNetlogonNetDDEdsdm) - Unknown owner - .exe (file missing)
O23 - Service: Telephony TapiSrvLmHosts (TapiSrvLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: Terminal Services TermServiceUMWdf (TermServiceUMWdf) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSThemes (UPSThemes) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC (UPSWZCSVC) - Unknown owner - .exe (file missing)
O23 - Service: Uninterruptible Power Supply UPSWZCSVC UPSWZCSVCWmiApSrvEventlogDhcp (UPSWZCSVCWmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Windows Time W32TimeHTTPFilter (W32TimeHTTPFilter) - Unknown owner - .exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvEventlogDhcp (WmiApSrvEventlogDhcp) - Unknown owner - .exe (file missing)
O23 - Service: Wireless Zero Configuration WZCSVCMSIServer (WZCSVCMSIServer) - Unknown owner - .exe (file missing)

--
End of file - 8184 bytes
-------------------------------------------------------------------------------------------------------
Thank you