Combo Fix

ComboFix 11-01-24.01 - Administrator 01/27/2011 15:58:45.1.
2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.874.66.1033.18.3191.2920 [GMT 7:00
]
Running from: c:\downloads\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {D1B14E8D-5FE4-4014-B6E
3-2B4B04BA0B76}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))
)))))))))))))))))))))))))))))
.
c:\windows\system32\Cache
c:\windows\system32\twunk_32.exe
.
((((((((((((((((((((((((( Files Created from 2010-12-27 to 2011-01-27 )))))))
))))))))))))))))))))))))
.
2011-01-27 08:03 . 2011-01-27 08:03 -------- d-----w- c:\docum
ents and settings\Administrator\Application Data\Ipswitch
2011-01-27 08:03 . 2006-06-19 06:01 69632 ----a-w- c:\windows\syste
m32\ztvcabinet.dll
m32\ztvunrar36.dll
m32\ztvunace26.dll
m32\UNRAR3.dll
m32\unacev2.dll
2011-01-27 08:03 . 2011-01-27 08:04 -------- d-----w- c:\progr
am files\Trojan Remover
2011-01-27 08:03 . 2011-01-27 08:03 -------- d-----w- c:\docum
ents and settings\All Users\Application Data\Simply Super Software
2011-01-27 08:03 . 2011-01-27 08:03 -------- d-----w- c:\docum
ents and settings\Administrator\Application Data\Simply Super Software
2011-01-27 01:17 . 2006-02-28 12:00 9216 -c--a-w- c:\windows\syste
m32\dllcache\wamps51.dll
2011-01-27 01:14 . 2011-01-27 01:27 -------- d-----w- c:\windo
ws\system32\Logfiles
2011-01-27 01:14 . 2011-01-27 01:18 -------- d-----w- C:\Inetp
ub
2011-01-26 10:20 . 2011-01-26 10:20 -------- d-----w- c:\windo
ws\system32\E177E04D548C4006A465EEB92D3DE021
2011-01-26 10:20 . 2011-01-26 10:20 -------- d-----w- c:\docum
ents and settings\4409377\Application Data\Ipswitch
2011-01-26 10:20 . 2011-01-26 10:20 -------- d-----w- c:\docum
ents and settings\All Users\Application Data\Ipswitch
m32\wbocx.ocx
m32\wbhelp2.dll
2011-01-26 10:20 . 2011-01-26 10:20 -------- d-----w- c:\progr
am files\Ipswitch
2011-01-26 10:19 . 2005-11-13 16:16 32768 ----a-w- c:\program files
\Common Files\InstallShield\Professional\RunTime\Objectps.dll
\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.e
xe
\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2011-01-25 09:56 . 2011-01-25 09:56 -------- d-----w- C:\vmwar
e
2011-01-25 09:52 . 2011-01-26 04:18 -------- d-----w- c:\docum
ents and settings\4409377\Application Data\VMware
2011-01-25 09:46 . 2009-10-21 17:13 59952 ----a-r- c:\windows\syste
m32\vnetinst.dll
m32\drivers\vmnetadapter.sys
m32\vmnetdhcp.exe
m32\vmnat.exe
m32\drivers\vmnetuserif.sys
m32\drivers\vmnet.sys
m32\vnetlib.dll
m32\drivers\VMkbd.sys
2011-01-25 09:45 . 2011-01-25 09:46 -------- d-----w- c:\docum
ents and settings\NetworkService\Application Data\VMware
2011-01-25 09:45 . 2011-01-25 09:45 -------- d-----w- c:\progr
am files\Common Files\VMware
2011-01-25 09:44 . 2011-01-27 08:48 -------- d-----w- c:\docum
ents and settings\All Users\Application Data\VMware
2011-01-25 09:44 . 2011-01-25 09:44 -------- d-----w- c:\progr
am files\VMware
2011-01-24 01:36 . 2011-01-24 01:36 -------- d-----w- c:\progr
am files\R-Studio
2011-01-20 02:01 . 2011-01-20 02:01 -------- d-----w- c:\docum
ents and settings\All Users\Application Data\Hewlett-Packard
2011-01-07 05:26 . 2011-01-07 05:26 -------- d-----w- c:\windo
ws\Sun
2011-01-07 05:26 . 2011-01-07 05:26 -------- d-----w- c:\progr
am files\Common Files\Java
\Mozilla Firefox\plugins\npdeployJava1.dll
m32\javacpl.cpl
m32\deployJava1.dll
2011-01-07 05:25 . 2011-01-07 05:25 -------- d-----w- c:\progr
am files\Java
2011-01-04 08:24 . 2011-01-04 08:27 -------- d-----w- c:\progr
am files\VeryPDF PDF Editor v2.2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))
)))))))))))))))))))))))))))))))
.
2010-12-20 01:18 . 2010-12-20 01:18 86016 ------w- c:\windows\syste
m32\pxwma.dll
2010-12-20 01:18 . 2010-12-20 01:18 20368 ------w- c:\windows\syste
m32\drivers\PxHelp20.sys
2010-12-20 01:18 . 2010-12-20 01:18 105472 ------w- c:\windows\syste
m32\pxcpyi64.exe
2010-12-20 01:18 . 2010-12-20 01:18 103936 ------w- c:\windows\syste
m32\pxinsi64.exe
m32\MSCOMM32.oca
m32\FM20.oca
m32\mscomct2.oca
m32\COMDLG32.oca
m32\SPR32X30.oca
2010-12-13 08:34 . 2010-12-13 08:34 286720 ------w- c:\windows\Setup
1.exe
2010-12-13 08:34 . 2010-12-13 08:34 73216 ----a-w- c:\windows\ST6UN
ST.EXE
2010-11-19 04:01 . 2010-11-19 03:52 450 ----a-w- C:\IP2.bat
2010-11-19 03:49 . 2010-11-19 03:49 894 ----a-w- C:\IP.bat
m32\isign32.dll
2010-11-18 08:14 . 2010-11-18 08:07 341 ----a-w- C:\MetaChangeIP.
bat
2010-11-18 06:54 . 2010-11-18 06:54 832 ----a-w- C:\ChangeIP.bat
2010-11-18 01:17 . 2010-11-18 01:18 207872 ----a-w- C:\compname.exe
m32\odbc32.dll
m32\wininet.dll
2010-11-06 00:26 . 2006-02-28 12:00 43520 ------w- c:\windows\syste
m32\licmgr10.dll
2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- c:\windows\syste
m32\inetcpl.cpl
m32\html.iec
m32\drivers\ndproxy.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))
)))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455
168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-07-01 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-07-01 118784]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.ex
e" [2004-12-13 483328]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.
exe" [2009-09-07 849192]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe
" [2010-05-14 248552]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2009
-10-21 129584]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-03-30 121332
0]
c:\documents and settings\4409377\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE
[1997-7-15 189200]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760
-000000000002}\SC_Acrobat.exe [2010-10-27 25214]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.
exe [2010-11-25 1528880]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus
]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Authoriz
edApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Globally
OpenPorts\List]
"35885:TCP"= 35885:TCP:Trend Micro OfficeScan Listener
"18677:TCP"= 18677:TCP:BitComet 18677 TCP
"18677:UDP"= 18677:UDP:BitComet 18677 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
S2 NetSupport DNA Client;NetSupport DNA Client;c:\program files\NetSupport\NetSu
pport DNA\Client\DNAClient.exe [7/13/2009 6:53 PM 263688]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [11/5/2010 1:14 PM
51792]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\Tm
XPFlt.sys [6/10/2009 6:55 PM 249424]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Cli
ent\tmpreflt.sys [6/10/2009 6:54 PM 36432]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 5:00 AM 707
04]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\
VMware\USB\vmware-usbarbitrator.exe [10/22/2009 3:47 AM 563760]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\BIN\ONR
SD.EXE [10/19/2000 11:55 AM 411244]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Mic
rosoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 464
0000]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan C
lient\TmProxy.exe [7/15/2009 5:37 PM 689416]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\M
icrosoft SQL Server\100\Shared\sqladhlp.exe [3/31/2009 11:55 AM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009
3:09 AM 239336]
S4 SQLAgent$MSSMLBIZ;SQL Server Agent (MSSMLBIZ);c:\program files\Microsoft SQL
Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2011-01-27 c:\windows\Tasks\Internet Explorer.job
- c:\progra~1\INTERN~1\iexplore.exe [2010-10-22 07:09]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: {4A3C42BC-2F84-4196-A11F-7E48483E3651} = 10.236.92.130,10.236.92.147
TCP: {641F709C-B21C-4064-9688-110C90938448} = 10.236.92.130,10.236.92.147
DPF: {F37FF434-58A2-4E48-B8EC-97723E5DDD57} - hxxps://www.truemoney.co.th/cpg/CP
GWeb/TruePurseAXS.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http:/
/www.gmer.net
Rootkit scan 2011-01-27 16:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{71AAA611-245D-D09F-882845FC5EAA24CC}
\{DFD26894-68B9-4777-FDD1761F9E74CD53}\{F10C9B44-6C01-0B82-830AFBCCD029C402}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,a4,8f,52,
26,78,14,54,6e,c7,a2,90,b5,b6,66,7b,3e,1b,04,a2,d0,3f,87,8f,9f,e3,71,fc,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}
\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A356E26F-F64B-8F5D-7C18E49D604F2F76}
\{6A54AA76-7D92-69B0-4B2831BB70973615}\{981C58D8-528B-1766-742A6B252CC7665F}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E
}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX
.exe,-101"
}\Elevation]
"Enabled"=dword:00000001
}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B2D6F484-260A-7B5D-9DECE03114A71318}
\{16279713-416B-AABF-512733F99CDDA7F7}\{FB965560-4DCA-8EF0-2DC335C1EACB0D08}*]
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C87D1BA9-1306-77F5-90F87A723F410748}
\{690B68B5-18FE-E760-90ABE82D4BAC7FD3}\{66897D8D-2C31-7872-FEBDD8B850AFD9F2}*]
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8CDAF05-7BF4-6974-B2CBA8F9B6C935D6}
\{7E800F0E-C7A5-CDEC-81A71D67D6EB20F3}\{6CB69E27-75B4-79A7-A46CED580B63D3F2}*]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6A
F30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
F30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
F30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2011-01-27 16:10:56
ComboFix-quarantined-files.txt 2011-01-27 09:10
Pre-Run: 169,702,473,728 bytes free
Post-Run: 170,562,838,528 bytes free
- - End Of File - - 73C64C82762234A210C46FB8FBD62DA2

Combo Fix

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Combo Fix

Enviado por

Direitos autorais:

Formatos disponíveis

ComboFix 11-01-24.01 - Administrator 01/27/2011 15:58:45.1.

Você também pode gostar