
Sbwftbxa.exe, Cbevtsvc.exe Trojan


1 reply to this topic

#1 jkesler

  • Members
  • 2 posts

Posted 01 April 2008 - 10:08 AM

Hello All,

I have a developer at my organization that is infected with the above listed executables. I am also getting trojan.fakealert and trojan.adware.w32.spyshredderdwnldr. I have run ComboFix on the computer and here are my results. I just need to know what to do next to clean up the PC.

The OS is XP SP2.

thanks,

jay

ComboFix 08-03-30.5 - jkesler 2008-04-01 9:43:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2225 [GMT -5:00]
Running from: C:\Documents and Settings\jkesler\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\rvaughn\g2mdlhlpx.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

----- BITS: Possible infected sites -----

hxxp://sds03
.
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-04-01 09:22 . 2008-04-01 09:23 15,468 --a------ C:\WINDOWS\system32\nmesrvc_core_2008_4_1_9_22_58.dmp
2008-04-01 09:06 . 2008-04-01 10:57 <DIR> d-------- C:\SDFix
2008-03-30 17:13 . 2008-03-30 17:13 <DIR> d-------- C:\Documents and Settings\ArcGISSOM\Application Data\Juniper Networks
2008-03-30 17:07 . 2008-03-30 17:07 <DIR> d-------- C:\Documents and Settings\rvaughn\Application Data\Grisoft
2008-03-30 17:06 . 2008-03-30 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-30 16:54 . 2008-03-30 16:58 1,340,228,096 --a------ C:\37B.tmp
2008-03-30 16:25 . 2008-04-01 09:19 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-03-30 16:25 . 2008-04-01 09:19 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-03-30 16:25 . 2008-03-30 16:25 90,540 --a------ C:\WINDOWS\system32\sbwltbxa1.exe
2008-03-30 16:25 . 2008-03-30 16:25 90,540 --a------ C:\Documents and Settings\ArcGISSOM\Application Data\1092693577.exe
2008-03-30 16:13 . 2008-03-30 16:13 14,694 --a------ C:\WINDOWS\system32\nmesrvc_core_2008_3_30_16_13_55.dmp
2008-03-28 15:57 . 2005-11-22 15:59 78,117 --a------ C:\VirtumundoBeGone.exe
2008-03-28 15:57 . 2008-03-28 15:57 15,368 --a------ C:\WINDOWS\system32\nmesrvc_core_2008_3_28_15_56_53.dmp
2008-03-28 15:49 . 2008-03-28 15:49 268 --ah----- C:\sqmdata16.sqm
2008-03-28 15:49 . 2008-03-28 15:49 244 --ah----- C:\sqmnoopt16.sqm
2008-03-28 15:36 . 2008-03-28 15:36 15,368 --a------ C:\WINDOWS\system32\nmesrvc_core_2008_3_28_15_36_15.dmp
2008-03-28 14:41 . 2008-03-28 14:41 <DIR> d-------- C:\Documents and Settings\jkesler\Application Data\Prevx
2008-03-28 14:34 . 2008-03-28 14:34 <DIR> d-------- C:\Program Files\LIUtilities
2008-03-28 14:34 . 2008-03-28 14:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 14:27 . 2008-03-28 14:32 1,340,228,096 --a------ C:\413.tmp
2008-03-28 13:45 . 2008-03-30 16:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-28 13:45 . 2008-03-30 16:21 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-28 13:45 . 2008-03-30 16:21 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-28 13:45 . 2008-03-30 16:21 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-28 13:28 . 2008-03-28 13:28 14,694 --a------ C:\WINDOWS\system32\nmesrvc_core_2008_3_28_13_28_29.dmp
2008-03-28 13:21 . 2008-03-28 13:21 268 --ah----- C:\sqmdata15.sqm
2008-03-28 13:21 . 2008-03-28 13:21 244 --ah----- C:\sqmnoopt15.sqm
2008-03-28 12:02 . 2008-03-28 12:02 <DIR> d-------- C:\Program Files\zango
2008-03-28 12:02 . 2008-03-28 12:02 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-28 12:02 . 2008-03-28 12:02 <DIR> d-------- C:\Program Files\stc
2008-03-28 12:02 . 2008-03-28 12:02 <DIR> d-------- C:\Program Files\180solutions
2008-03-28 12:02 . 2008-03-28 12:02 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-28 12:02 . 2008-03-28 12:02 <DIR> d-------- C:\Program Files\180search assistant
2008-03-28 11:19 . 2008-03-28 11:19 90,540 --a------ C:\Documents and Settings\ArcGISSOM\Application Data\1092169257.exe
2008-03-28 08:19 . 2008-03-28 08:19 47,104 --a------ C:\Documents and Settings\ArcGISSOM\Application Data\1056515497.exe
2008-03-28 08:08 . 2008-03-28 08:08 14,694 --a------ C:\WINDOWS\system32\nmesrvc_core_2008_3_28_8_8_31.dmp
2008-03-27 19:35 . 2008-03-27 19:35 15,318 --a------ C:\WINDOWS\system32\nmesrvc_core_2008_3_27_19_35_38.dmp
2008-03-27 15:56 . 2008-03-27 15:56 15,318 --a------ C:\WINDOWS\system32\nmesrvc_core_2008_3_27_15_56_46.dmp
2008-03-27 15:49 . 2008-03-27 15:49 268 --ah----- C:\sqmdata14.sqm
2008-03-27 15:49 . 2008-03-27 15:49 244 --ah----- C:\sqmnoopt14.sqm
2008-03-27 15:05 . 2008-03-27 15:05 151,552 --a------ C:\Documents and Settings\LocalService\Application Data\869715802.exe
2008-03-24 18:53 . 2008-03-24 18:53 0 --a------ C:\WINDOWS\system32\nmesrvc_core_2008_3_24_18_53_51.dmp
2008-03-14 15:23 . 2008-03-14 21:14 559,536 --a------ C:\MyViewReport0.pdf
2008-03-14 15:23 . 2008-03-14 21:14 18,297 --a------ C:\MyViewReport0.rdl
2008-03-14 14:43 . 2008-03-14 14:43 14,694 --a------ C:\WINDOWS\system32\nmesrvc_core_2008_3_14_14_43_32.dmp
2008-03-13 18:55 . 2008-03-13 18:55 15,368 --a------ C:\WINDOWS\system32\nmesrvc_core_2008_3_13_18_55_15.dmp
2008-03-13 16:56 . 2008-03-13 16:56 246 --a------ C:\help.sql
2008-03-11 14:22 . 2008-03-11 11:11 263,363 --a------ C:\_PdfOutPutgkqg1gbu5ydw2arxmwxgh5552.pdf
2008-03-11 08:14 . 2008-03-11 08:14 14,694 --a------ C:\WINDOWS\system32\nmesrvc_core_2008_3_11_8_14_9.dmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 14:47 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-01 13:51 --------- d-----w C:\Program Files\LogMeIn
2008-03-30 21:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-30 21:24 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-03-30 21:24 --------- d-----w C:\Program Files\Windows Live Favorites
2008-03-30 21:24 --------- d-----w C:\Program Files\MSN Messenger
2008-03-30 21:24 --------- d-----w C:\Program Files\BAE
2008-03-28 19:02 --------- d-----w C:\Program Files\NetWaiting
2008-03-11 21:03 --------- d-----w C:\Documents and Settings\rvaughn\Application Data\Quest Software
2008-03-11 21:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Quest Software
2008-03-10 20:33 --------- d-----w C:\Documents and Settings\rvaughn\Application Data\webex
2008-02-18 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-18 07:55 --------- d-----w C:\Program Files\ceTe Software
2008-02-12 09:02 --------- d-----w C:\Program Files\Quest Software
2008-02-12 09:02 --------- d-----w C:\Program Files\Common Files\Quest Shared
2008-02-12 09:01 --------- d-----w C:\Documents and Settings\rvaughn\Application Data\Software
2008-02-12 08:57 --------- d-----w C:\Program Files\Raize
2008-02-12 08:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raize
2008-02-03 14:11 --------- d-----w C:\Program Files\Novatel Wireless
2007-04-12 21:18 630,784 ----a-w C:\Documents and Settings\rvaughn\GoToAssist_chat2way__317_en.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-F538-4f86-ABAF-E9D94D5C007C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 06:00 158208]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 20:03 7557120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk
backup=C:\WINDOWS\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 20:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-12-21 12:33 48800 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-06-29 13:13 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 06:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]
--a------ 2006-05-16 13:35 102400 C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 21:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-11-17 16:11 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-02-05 15:52 849280 c:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2005-12-28 12:56 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a------ 2005-12-28 12:55 667718 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2007-08-03 16:09 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 03:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-21 20:03 7557120 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a------ 2006-03-21 20:03 73728 C:\WINDOWS\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-03-21 20:03 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-08 12:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2006-05-26 22:51 85744 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 PBADRV;PBADRV;C:\WINDOWS\system32\drivers\pbadrv.sys [2005-12-09 16:35]
R2 ArcServerObjectManager;ArcGIS Server Object Manager;C:\Program Files\ArcGIS\bin\ArcSOM.exe [2006-10-12 19:22]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 16:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
R2 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR []
R2 OracleServiceORCL;OracleServiceORCL;c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE ORCL []
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2007-03-23 22:13]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-08-10 12:30]
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 14:53]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 16:30]
S2 ArcGIS License Manager;ArcGIS License Manager;C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 14:38]
S2 esri_sde;ArcSde Service(esri_sde);C:\ArcGIS\ArcSDE\sqlexe\bin\giomgr.exe [2007-03-05 16:02]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 17:04]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-08-16 15:24]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\oracle\product\10.2.0\db_1\Bin\extjob.exe ORCL []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 14:03:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-04-12 12:54:51 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- c:\Program Files\Microsoft IntelliPoint\ipoint.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 09:53:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\nmesrvc_core_2008_4_1_9_55_53.dmp 15530 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR "
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\ArcGIS\bin\ArcSOC.exe
C:\Program Files\ArcGIS\bin\ArcSOC.exe
C:\Program Files\ArcGIS\bin\ArcSOC.exe
C:\Program Files\ArcGIS\bin\AppLockMgr.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\DllHost.exe
C:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
C:\Program Files\ArcGIS\bin\ArcSOC.exe
C:\Program Files\ArcGIS\bin\ArcSOC.exe
C:\Program Files\ArcGIS\bin\ArcSOC.exe
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
C:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe
c:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\oracle\product\10.2.0\db_1\jdk\bin\java.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-04-01 10:02:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 15:02:26
Pre-Run: 4,020,031,488 bytes free
Post-Run: 3,882,622,976 bytes free
.
2008-03-21 14:21:33 --- E O F ---


#2 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,588 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 April 2008 - 10:14 AM

Please note the message text in blue at the top of this forum.

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff

Edited by quietman7, 01 April 2008 - 10:14 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
