
Got a bit ahead of myself - already ran combofix


This topic is locked
2 replies to this topic

#1 jch

jch

  • Members
  • 2 posts

Posted 01 December 2008 - 07:51 PM


Hi, my name is Jim. I have been hearing crazy beeps coming from the PC - the sound Windows defaults to when a program fails - so I started doing some checking. I have run HijackThis and didn't see anything unusual. Also ran Autoruns and disabled a few unnecessary items.

Still concerned, today I downloaded and ran Trend Micro's RootkitBuster. It found 1 hidden file that it couldn't remove. I've tried deleting it from the command prompt in safe mode and it tells me the file is too long. So in exploring Google for "long filename" I came across a Bleeping Computer thread that mentioned ComboFix. Instead of joining and realizing that there were certain steps you wanted us to follow before posting, I went to the ComboFix tutorial and downloaded it and the Windows Recovery Console.

When I dragged the Recovery Console onto ComboFix things went a little crazy. BOClean reported a rootkit (couldn't catch the name; the message disappeared too quickly) then shut itself down. Next my AT&T antivirus shut itself down. Spybot TeaTimer reported 2 registry key changes and shut itself down.

I never got the message that the Recovery Console was successfully installed. Instead the ComboFix box stayed open and said "preparing to scan". It never started. I closed the window, left all FW, AS and AV's off and dragged the Recovery Console onto ComboFix again. This time nothing unusual happened but I still didn't get the message that the Recovery Console was installed.

ComboFix went on and ran its scan and I have the logfile. What I'm not sure of is whether it is safe to shut down my system and restart. It looks like it may have deleted a bunch of Windows files. Anyway, here is the log from ComboFix. Thanks in advance for any help.

ComboFix 08-12-01.01 - Owner 2008-12-01 19:03:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.419 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-81140121F7\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-81140121F7\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hpvaut32.dll
c:\windows\system32\hpvcp70.dll
c:\windows\system32\hpvcr70.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-01 18:15 . 2008-12-01 18:15 <DIR> d-------- c:\program files\CyberScrub Privacy Suite
2008-12-01 18:15 . 2008-12-01 18:15 <DIR> d-------- c:\documents and settings\Owner.YOUR-81140121F7\Application Data\CyberScrub
2008-12-01 18:15 . 2008-12-01 18:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 18:15 . 2007-02-07 12:08 84 --a------ c:\windows\csact.ini
2008-12-01 17:51 . 2008-12-01 17:53 <DIR> d-------- c:\program files\Unlocker
2008-12-01 17:34 . 2008-12-01 17:34 268 --ah----- C:\sqmdata10.sqm
2008-12-01 17:34 . 2008-12-01 17:34 244 --ah----- C:\sqmnoopt10.sqm
2008-12-01 16:14 . 2008-12-01 16:14 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-01 15:57 . 2008-12-01 15:57 244 --ah----- C:\sqmnoopt09.sqm
2008-12-01 15:57 . 2008-12-01 15:57 232 --ah----- C:\sqmdata09.sqm
2008-12-01 15:16 . 2008-12-01 15:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-12-01 15:16 . 2007-10-20 18:25 117,760 --a------ c:\windows\system32\hpzll5mu.dll
2008-12-01 15:15 . 2007-11-09 01:59 271,704 --a------ c:\windows\system32\hpzids01.dll
2008-12-01 15:15 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-01 15:15 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-12-01 15:09 . 2008-12-01 15:17 153,768 --a------ c:\windows\hphins26.dat
2008-12-01 15:09 . 2008-01-19 03:52 787 --------- c:\windows\hphmdl26.dat
2008-11-30 17:41 . 2008-11-30 17:41 268 --ah----- C:\sqmdata08.sqm
2008-11-30 17:41 . 2008-11-30 17:41 244 --ah----- C:\sqmnoopt08.sqm
2008-11-29 02:37 . 2007-03-08 10:36 577,536 --a------ c:\windows\system32\bowut
2008-11-28 20:21 . 2008-11-28 20:21 244 --ah----- C:\sqmnoopt07.sqm
2008-11-28 20:21 . 2008-11-28 20:21 232 --ah----- C:\sqmdata07.sqm
2008-11-25 23:13 . 2008-11-25 23:14 <DIR> d-------- c:\program files\QuickTime
2008-11-25 22:47 . 2008-11-25 22:47 <DIR> d-------- c:\documents and settings\Owner.YOUR-81140121F7\Application Data\Apple Computer
2008-11-25 22:34 . 2008-11-25 23:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-25 22:34 . 2008-11-25 22:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-25 19:15 . 2008-11-25 19:15 244 --ah----- C:\sqmnoopt06.sqm
2008-11-25 19:15 . 2008-11-25 19:15 232 --ah----- C:\sqmdata06.sqm
2008-11-21 19:13 . 2008-11-21 19:13 268 --ah----- C:\sqmdata05.sqm
2008-11-21 19:13 . 2008-11-21 19:13 244 --ah----- C:\sqmnoopt05.sqm
2008-11-17 23:41 . 2008-11-17 23:43 <DIR> d-------- c:\program files\WinPcap
2008-11-17 23:38 . 2008-11-19 17:23 <DIR> d-------- c:\program files\WMR11
2008-11-16 19:42 . 2008-11-16 19:41 158,192 --------- c:\windows\system32\pxwma.dll
2008-11-16 04:06 . 2008-11-16 04:06 <DIR> d-------- c:\program files\IVCsoft
2008-11-16 04:00 . 2008-11-16 06:58 <DIR> d-------- c:\program files\Total Video Player
2008-11-15 19:35 . 2008-11-15 19:35 <DIR> d-------- c:\windows\system32\QuickTime
2008-11-14 23:22 . 2008-11-14 23:22 268 --ah----- C:\sqmdata04.sqm
2008-11-14 23:22 . 2008-11-14 23:22 244 --ah----- C:\sqmnoopt04.sqm
2008-11-14 23:17 . 2008-11-14 23:17 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-14 21:24 . 2008-11-14 21:24 244 --ah----- C:\sqmnoopt03.sqm
2008-11-14 21:24 . 2008-11-14 21:24 232 --ah----- C:\sqmdata03.sqm
2008-11-13 23:25 . 2008-11-13 23:25 244 --ah----- C:\sqmnoopt02.sqm
2008-11-13 23:25 . 2008-11-13 23:25 232 --ah----- C:\sqmdata02.sqm
2008-11-13 12:28 . 2008-11-13 12:28 244 --ah----- C:\sqmnoopt01.sqm
2008-11-13 12:28 . 2008-11-13 12:28 232 --ah----- C:\sqmdata01.sqm
2008-11-12 17:52 . 2008-11-12 17:52 244 --ah----- C:\sqmnoopt00.sqm
2008-11-12 17:52 . 2008-11-12 17:52 232 --ah----- C:\sqmdata00.sqm
2008-11-12 00:43 . 2008-11-12 01:50 <DIR> d-------- c:\program files\Adsen Image Grab
2008-11-11 13:49 . 2008-11-11 13:49 <DIR> d-------- c:\documents and settings\Owner.YOUR-81140121F7\Contacts
2008-11-11 13:48 . 2008-12-01 15:15 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-11 13:45 . 2008-11-11 13:47 <DIR> d-------- c:\program files\Windows Live
2008-11-11 13:45 . 2008-11-11 13:47 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-11 13:45 . 2008-11-11 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-11 13:33 . 2008-11-11 17:24 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-11 13:33 . 2008-11-11 13:33 1,409 --a------ c:\windows\QTFont.for
2008-11-11 13:14 . 2008-02-22 02:33 69,632 --a------ c:\windows\system32\javacpl.cpl
2008-11-11 13:13 . 2008-11-11 13:13 <DIR> d-------- c:\program files\Common Files\Java
2008-11-11 12:53 . 2008-11-11 12:53 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-11 12:21 . 2008-11-11 12:21 <DIR> d-------- c:\program files\Common Files\xing shared
2008-11-09 19:18 . 2008-11-09 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-09 19:17 . 2008-11-09 19:18 <DIR> d-------- c:\program files\Yahoo!
2008-11-09 19:12 . 2008-11-09 19:12 <DIR> d-------- c:\documents and settings\Owner.YOUR-81140121F7\Application Data\MSNInstaller
2008-11-09 18:50 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-09 18:50 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-09 18:50 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-09 18:50 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-09 18:48 . 2003-12-11 11:15 44,544 -ra------ c:\windows\system32\MSXML4a.dll
2008-11-09 18:42 . 2008-12-01 15:15 <DIR> d-------- c:\program files\HP
2008-11-09 18:42 . 2008-11-09 18:48 <DIR> d-------- c:\program files\Hewlett-Packard
2008-11-09 18:41 . 2008-11-09 18:49 234,421 --a------ c:\windows\hpdj3740.his
2008-11-09 18:41 . 2008-11-09 18:49 10,802 --a------ c:\windows\hpdj3740.ini
2008-11-09 18:14 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-09 18:14 . 2004-08-03 23:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-09 18:02 . 2008-11-09 18:02 <DIR> d-------- c:\documents and settings\Owner.YOUR-81140121F7\Application Data\CyberLink
2008-11-09 18:02 . 2008-11-09 18:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
2008-11-09 16:51 . 2008-11-09 16:51 <DIR> d-------- c:\windows\Sun
2008-11-09 16:51 . 2008-11-09 16:52 <DIR> d-------- c:\program files\NOS
2008-11-09 16:51 . 2008-11-09 16:51 <DIR> d-------- c:\documents and settings\Owner.YOUR-81140121F7\Application Data\AdobeUM
2008-11-09 03:43 . 2008-11-09 17:47 3,240 --a------ c:\windows\system32\PerfStringBackup.TMP
2008-11-08 23:00 . 2008-11-09 16:22 <DIR> d-------- c:\windows\ServicePackFiles(2)
2008-11-08 20:29 . 2008-11-08 23:05 <DIR> d-------- c:\windows\system32\scripting
2008-11-08 20:29 . 2008-11-08 23:05 <DIR> d-------- c:\windows\l2schemas
2008-11-08 20:10 . 2008-08-14 04:55 2,142,720 --a------ c:\windows\system32\ntoskrnl.exe
2008-11-08 19:58 . 2008-04-13 19:12 8,461,312 --a------ c:\windows\system32\SET319.tmp
2008-11-08 19:57 . 2008-04-13 19:11 3,066,880 --a------ c:\windows\system32\SET3F8.tmp
2008-11-08 19:56 . 2008-04-13 19:11 1,082,368 --a------ c:\windows\system32\SET4A9.tmp
2008-11-08 19:55 . 2008-04-13 19:11 1,267,200 --a------ c:\windows\system32\SET519.tmp
2008-11-08 18:57 . 2008-11-09 17:02 <DIR> d-------- c:\program files\Common Files\Java(3)
2008-11-08 16:38 . 2008-11-09 17:04 <DIR> d-------- c:\program files\Common Files\Java(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 06:52 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-01 06:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 04:39 99,216 ----a-w c:\windows\system32\drivers\cmdguard.sys
2008-12-01 04:39 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2008-12-01 04:39 143,096 ----a-w c:\windows\system32\guard32.dll
2008-11-26 03:34 --------- d-----w c:\program files\Apple Software Update
2008-11-17 00:41 9,200 ------w c:\windows\system32\drivers\cdralw2k.sys
2008-11-17 00:41 9,072 ------w c:\windows\system32\drivers\cdr4_xp.sys
2008-11-17 00:41 44,944 ------w c:\windows\system32\drivers\pxhelp20.sys
2008-11-16 08:37 --------- d-----w c:\documents and settings\All Users\Application Data\BOC427
2008-11-14 05:41 --------- d-----w c:\program files\DivX
2008-11-11 18:39 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-11 18:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-11 18:39 --------- d-----w c:\documents and settings\Owner.YOUR-81140121F7\Application Data\SUPERAntiSpyware.com
2008-11-11 18:23 --------- d-----w c:\program files\a-squared Anti-Malware
2008-11-11 18:14 --------- d-----w c:\program files\Java
2008-11-11 17:21 --------- d-----w c:\program files\Common Files\Real
2008-11-09 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-11-09 22:32 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-09 21:51 --------- d-----w c:\program files\Real
2008-11-09 20:14 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-25 06:05 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2008-10-23 10:12 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-23 09:33 --------- d-----w c:\program files\Trend Micro
2008-10-22 22:10 8,552 ----a-w c:\windows\system32\drivers\asctrm.sys
2008-10-22 13:46 --------- d-----w c:\program files\Windows Defender
2008-10-22 13:39 --------- d-----w c:\program files\Pure Networks
2008-10-22 13:39 --------- d-----w c:\program files\Google
2008-10-22 13:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-22 13:36 --------- d-----w c:\program files\Privacy Mantra 2.05
2008-10-22 13:36 --------- d-----w c:\program files\CyberLink
2008-10-22 13:35 --------- d-----w c:\program files\Napster
2008-10-22 13:35 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2008-10-22 13:25 --------- d-----w c:\program files\BigFix
2008-10-22 13:24 --------- d-----w c:\program files\Common Files\AOL
2008-10-22 13:24 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-10-22 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-22 13:06 --------- d-----w c:\documents and settings\Owner.YOUR-81140121F7\Application Data\DivX
2008-10-22 12:37 53,192 ----a-w c:\windows\system32\drivers\rp_skt32.sys
2008-10-22 12:37 --------- d-----w c:\program files\Raxco
2008-10-22 12:37 --------- d-----w c:\documents and settings\All Users\Application Data\Raxco
2008-10-22 12:26 --------- d-----w c:\program files\Common Files\Scanner
2008-10-22 12:26 --------- d-----w c:\program files\Common Files\Authentium
2008-10-22 12:26 --------- d-----w c:\program files\CA
2008-10-22 12:25 --------- d-----w c:\program files\AT&T
2008-10-22 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\AT&T
2008-10-22 12:24 --------- d-----w c:\documents and settings\Owner.YOUR-81140121F7\Application Data\AT&T
2008-10-22 12:23 --------- d-----w c:\documents and settings\Owner.YOUR-81140121F7\Application Data\InstallShield
2008-10-22 12:21 --------- d-----w c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2008-10-22 12:21 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2008-10-22 12:20 --------- d-----w c:\documents and settings\Owner.YOUR-81140121F7\Application Data\McAfee.com Personal Firewall
2008-10-22 12:20 --------- d-----w c:\documents and settings\Owner.YOUR-81140121F7\Application Data\ATI
2008-10-22 12:17 --------- d-----w c:\program files\ATI Technologies
2008-10-22 12:05 --------- d-----w c:\program files\Lavasoft
2008-10-22 12:05 --------- d-----w c:\documents and settings\Owner.YOUR-81140121F7\Application Data\Lavasoft
2008-10-22 11:41 --------- d-----w c:\program files\Comodo
2008-10-22 11:41 --------- d-----w c:\documents and settings\Owner.YOUR-81140121F7\Application Data\Comodo
2008-10-22 10:48 --------- d-----w c:\program files\Microsoft Works
2008-10-22 10:36 --------- d-----w c:\program files\MSXML 4.0
2008-10-22 10:31 --------- d-----w c:\program files\McAfee
2008-10-22 10:31 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-10-22 10:30 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2008-10-22 10:29 --------- d-----w c:\documents and settings\Owner.YOUR-81140121F7\Application Data\SampleView
2008-10-22 10:29 --------- d-----w c:\documents and settings\Administrator\Application Data\SampleView
2008-10-22 10:28 --------- d-----w c:\program files\gtw_logo
2008-10-22 10:27 --------- d-----w c:\program files\Microsoft Money 2006
2008-10-22 10:26 --------- d-----w c:\program files\MSN Encarta Plus
2008-10-22 10:25 --------- d-----w c:\program files\Common Files\Nullsoft
2008-10-22 10:25 --------- d-----w c:\program files\Common Files\aolshare
2008-10-22 10:25 --------- d-----w c:\documents and settings\Owner.YOUR-81140121F7\Application Data\You've Got Pictures Screensaver
2008-10-22 10:25 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Networks
2008-10-22 10:25 --------- d-----w c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-10-22 10:24 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-10-22 10:23 --------- d-----w c:\program files\Microsoft Digital Image 2006
2008-10-22 10:22 --------- d-----w c:\program files\Common Files\Adobe
2008-10-22 10:19 --------- d-----w c:\program files\Realtek
2008-10-22 10:18 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-22 10:17 --------- d-----w c:\program files\Common Files\ATI Technologies
2008-10-22 10:13 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-22 10:07 --------- d-----w c:\program files\Common Files\New Boundary
2008-10-22 10:07 --------- d-----w c:\documents and settings\All Users\Application Data\Prism Deploy
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2007-07-23 19:08 8 --sha-r c:\windows\neoqaz2.dll
.

------- Sigcheck -------

2008-04-13 19:12 111104 ed7262e52c31cf1625b65039102bc16c c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\wuauclt.exe
2008-10-16 14:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"AT&T Internet Security Suite"="c:\program files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 310000]
"-FreedomNeedsReboot"="c:\program files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe" [2007-06-28 13552]
"BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]
"COMODO Firewall Pro"="c:\program files\Comodo\Firewall\cfp.exe" [2008-11-30 1796856]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"COMODO Internet Security"="c:\program files\Comodo\Firewall\cfp.exe" [2008-11-30 1796856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-11 185872]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 c:\windows\RTHDCPL.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 00:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CHotkey"=zHotkey.exe
"ehTray"=c:\windows\ehome\ehtray.exe
"MSKDetectorExe"=c:\program files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-10-22 99216]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-10-22 31504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S4 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-23 33752]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- File Associations -------
.
txtfile=c:\windows\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 19:06:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-01 19:08:17
ComboFix-quarantined-files.txt 2008-12-02 00:07:54

Pre-Run: 115,091,595,264 bytes free
Post-Run: 115,905,564,672 bytes free

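A ComboFix log like the one above is long, and a helper normally reads it by eye. As an added example for this thread (the editor's code, not ComboFix's own output and not any tool the posters mention), the script below parses the two row formats ComboFix uses in its "Files Created" and "Find3M" sections and attaches a few review flags. The sample rows are copied from the posted log; the heuristics (hidden or system attributes, an extension-less file under system32, an executable extension on a file of only a few bytes) are the editor's assumptions about what is worth a second look, and a flag is a prompt to check the file, not a verdict that it is malicious. The `sqmdata*.sqm` telemetry files and the InstallShield directory are flagged too, which shows how much noise attribute-based heuristics produce on an ordinary XP box.

```python
"""Triage the 'Files Created' and 'Find3M' sections of a ComboFix log.

Added example for this thread: the editor's code, not ComboFix output and
not a BleepingComputer tool. SAMPLE_LOG is constructed from rows copied out
of the log posted above. The flags are review heuristics (assumptions),
not verdicts: a flagged file is one to look at, not one known to be bad.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# 'Files Created' rows: <created> . <modified> <size|<DIR>> <9 attr chars> <path>
FILES_CREATED = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{9}) (?P<path>.+)$"
)
# 'Find3M' rows: <modified> <size|---------> <7 attr chars> <path>
FIND3M = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>\S{7}) (?P<path>.+)$"
)

EXEC_EXT = {".dll", ".exe", ".sys", ".cpl", ".ocx", ".scr"}
TINY_BYTES = 64  # assumption: no genuine PE image fits in 64 bytes

# Constructed sample input: rows copied from the posted log.
SAMPLE_LOG = """\
2008-12-01 17:34 . 2008-12-01 17:34 268 --ah----- C:\\sqmdata10.sqm
2008-11-29 02:37 . 2007-03-08 10:36 577,536 --a------ c:\\windows\\system32\\bowut
2008-11-16 19:42 . 2008-11-16 19:41 158,192 --------- c:\\windows\\system32\\pxwma.dll
2008-11-08 20:10 . 2008-08-14 04:55 2,142,720 --a------ c:\\windows\\system32\\ntoskrnl.exe
2008-12-01 18:15 . 2008-12-01 18:15 <DIR> d-------- c:\\program files\\Unlocker
2008-10-22 22:10 8,552 ----a-w c:\\windows\\system32\\drivers\\asctrm.sys
2008-10-22 13:36 --------- d--h--w c:\\program files\\InstallShield Installation Information
2007-07-23 19:08 8 --sha-r c:\\windows\\neoqaz2.dll
"""


@dataclass
class Entry:
    path: str
    attrs: str
    size: Optional[int]              # None for directories
    modified: str
    created: Optional[str] = None    # only 'Files Created' rows carry it
    flags: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one row from either section; headers and blank lines give None."""
    m = FILES_CREATED.match(line) or FIND3M.match(line)
    if not m:
        return None
    d = m.groupdict()
    size_txt = d["size"]
    size = (None if size_txt == "<DIR>" or set(size_txt) == {"-"}
            else int(size_txt.replace(",", "")))
    return Entry(path=d["path"], attrs=d["attrs"], size=size,
                 modified=d["modified"], created=d.get("created"))


def flag(entry: Entry) -> List[str]:
    """Apply the review heuristics (editor's assumptions) to one entry."""
    attrs = entry.attrs.lower()
    lower = entry.path.lower()
    ext = ntpath.splitext(lower)[1]
    flags = []
    if "h" in attrs:
        flags.append("hidden")
    if "s" in attrs:
        flags.append("system")
    if not entry.is_dir and lower.startswith("c:\\windows\\system32\\") and not ext:
        flags.append("no_extension_in_system32")
    if (not entry.is_dir and entry.size is not None
            and entry.size <= TINY_BYTES and ext in EXEC_EXT):
        flags.append("tiny_executable")
    return flags


def triage_log(text: str) -> List[Entry]:
    """Parse every row in `text` and attach flags; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            e.flags = flag(e)
            entries.append(e)
    return entries


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        if e.flags:
            print(f"{', '.join(e.flags):40} {e.path}")
```

Feed it the whole log (for example `triage_log(open("ComboFix.txt").read())`) and it simply ignores the section banners and the registry, service and catchme sections, which do not match either row pattern.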



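The poster's "file is too long" error from the safe-mode command prompt is the other practical point in this thread. As an added example (the editor's code, not a tool the posters used), the snippet below assumes that error is the Win32 failure raised when a full path exceeds MAX_PATH (260 characters), and rewrites the path into the extended-length form that the Win32 file APIs accept for paths of up to about 32,767 characters: the `\\?\` prefix for drive paths, `\\?\UNC\` for network paths. The caveat a practitioner wants is that the prefix also turns off path normalisation, so `..`, forward slashes and relative paths must be resolved before it is added; the function does that and refuses relative input. Deletion itself only works on Windows, so the path rewriting is kept in its own testable function.

```python
r"""Delete a file whose full path is longer than MAX_PATH (260 characters).

Added example for this thread: the editor's code, not a tool the posters
used. Assumption: the 'file is too long' error the original poster hit in
cmd.exe is the Win32 error raised when a path exceeds MAX_PATH. With the
extended-length prefix \\?\ (or \\?\UNC\ for network paths) the file APIs
accept paths of up to roughly 32,767 characters, so the fix is to rewrite
the path and then delete it with the ordinary API.
"""
import ntpath
import os

EXTENDED_PREFIX = "\\\\?\\"           # \\?\
EXTENDED_UNC_PREFIX = "\\\\?\\UNC\\"  # \\?\UNC\


def to_extended_length(path: str) -> str:
    r"""Return the extended-length (\\?\) form of an absolute Windows path.

    C:\dir\file          -> \\?\C:\dir\file
    \\server\share\file  -> \\?\UNC\server\share\file
    A path that already carries the prefix is returned unchanged. Relative
    paths are rejected: once the prefix is present the kernel performs no
    normalisation, so '..', '.' and '/' must be resolved here first.
    """
    if path.startswith(EXTENDED_PREFIX):
        return path
    if not ntpath.isabs(path):
        raise ValueError("absolute path required: %r" % path)
    # normpath collapses '.', '..' and repeated separators and turns '/'
    # into '\'; the kernel will not do any of that behind \\?\.
    path = ntpath.normpath(path)
    if path.startswith("\\\\"):           # UNC: \\server\share\...
        return EXTENDED_UNC_PREFIX + path[2:]
    return EXTENDED_PREFIX + path


def remove_long_path(path: str) -> str:
    r"""Delete `path` through its \\?\ form and return the form that was used."""
    target = to_extended_length(path)
    if os.name != "nt":
        raise OSError("the \\\\?\\ prefix is only meaningful on Windows")
    os.remove(target)
    return target


if __name__ == "__main__":
    import sys
    # usage: python longpath_delete.py "C:\very\deep\...\file"
    print(remove_long_path(sys.argv[1]))
```

The same rewrite works for `os.stat`, `os.rename` and `shutil.rmtree`; for a file that still will not go because a driver is holding it open or hiding it, the prefix does nothing, which is where the rootkit tools in this thread come in.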
#2 jch

jch
  • Topic Starter

  • Members
  • 2 posts

Posted 01 December 2008 - 10:53 PM

Thanks all, I went ahead and restored the PC to before ComboFix. Not sure if I have a problem or not, but I did find a program to get rid of the long-filename hidden file.

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 02 December 2008 - 09:33 PM

Thanks for informing us.
If you find other problems, please start again and repost anew.

This thread is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



