06-24-2008, 01:41 PM   #19
WasTech
True Techie
 
Join Date: Oct 2006
Posts: 121
Default Re: I have a real bad Trojan problem. [P]

ComboFix log:

ComboFix 08-06-19.2 - Ed 2008-06-24 13:36:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1675 [GMT -4:00]
Running from: D:\Good Apps2\ComboFix.exe
Command switches used :: D:\Trojans suck\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\002224_.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\002224_.tmp

.
((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-23 23:04 . 2008-06-24 13:29 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-06-23 22:39 . 2008-06-23 22:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 22:32 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-06-23 22:32 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-06-23 22:32 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-06-23 16:46 . 2008-06-23 16:46 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-23 16:46 . 2004-07-26 17:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-06-23 16:46 . 2004-07-26 17:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-06-23 16:46 . 2004-07-26 17:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-06-23 16:46 . 2004-07-26 17:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-06-23 16:46 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-06-23 16:46 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-06-23 15:09 . 2007-02-28 05:10 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-06-23 15:09 . 2007-02-28 05:08 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-06-23 15:09 . 2007-02-28 04:38 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-06-23 15:09 . 2006-03-16 20:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-06-23 15:06 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-23 15:05 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-23 02:42 . 2008-06-23 22:33 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-23 02:41 . 2008-06-23 02:41 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-23 02:18 . 2008-06-23 02:18 <DIR> d---s---- C:\Documents and Settings\Ed\UserData
2008-06-21 02:21 . 2008-06-21 02:21 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Share-to-Web Upload Folder
2008-06-21 02:21 . 2004-10-07 21:16 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-06-21 02:20 . 2008-06-21 02:21 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-06-21 02:20 . 2008-06-21 02:20 34 --a------ C:\WINDOWS\hpfsched.ini
2008-06-21 02:13 . 2008-06-21 02:13 <DIR> d-------- C:\WINDOWS\system32\data
2008-06-21 02:12 . 2008-06-21 02:12 <DIR> d-------- C:\Program Files\scar5
2008-06-21 02:12 . 2008-06-21 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\scar5
2008-06-21 01:57 . 2008-06-21 01:57 <DIR> d-------- C:\Program Files\MSConfig CleanUp
2008-06-21 01:49 . 2008-06-21 01:49 <DIR> d-------- C:\Program Files\VIA
2008-06-21 01:48 . 2008-06-21 01:48 <DIR> d-------- C:\Program Files\Analog Devices
2008-06-21 01:46 . 2004-06-24 11:00 6,656 --a------ C:\WINDOWS\system32\drivers\AsProbe.sys
2008-06-21 01:45 . 2008-06-21 01:48 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-21 01:45 . 2008-06-21 01:49 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-21 01:45 . 2004-02-27 00:00 962,612 --a------ C:\WINDOWS\system32\mfc42d.dll
2008-06-21 01:45 . 2004-02-17 00:00 434,252 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2008-06-21 01:45 . 2005-01-28 16:44 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll
2008-06-21 01:45 . 2004-09-07 11:41 5,120 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2008-06-21 01:45 . 2004-10-14 17:52 4,962 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys
2008-06-21 01:45 . 2004-03-10 14:31 3,328 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2008-06-21 01:36 . 2008-06-21 01:36 <DIR> d-------- C:\Program Files\HP Photosmart 11
2008-06-21 01:33 . 2008-06-21 01:33 <DIR> d-------- C:\WINDOWS\system32\Viewers
2008-06-21 01:33 . 2008-06-21 01:33 <DIR> d-------- C:\Program Files\MSWorks
2008-06-21 01:33 . 2008-06-21 01:33 1,409 --a------ C:\WINDOWS\system\arnari.FOT
2008-06-21 01:33 . 2008-06-21 01:33 1,409 --a------ C:\WINDOWS\system\arnar.FOT
2008-06-21 01:31 . 2008-06-21 01:31 <DIR> d-------- C:\Program Files\Microsoft Works 4.5
2008-06-21 01:27 . 2008-06-23 22:53 <DIR> d-------- C:\Program Files\ASUS
2008-06-21 01:27 . 1996-11-05 16:13 299,008 --a------ C:\WINDOWS\uninst.exe
2008-06-21 01:27 . 1997-04-22 10:16 6,272 --a------ C:\WINDOWS\system32\drivers\ASLM75.SYS
2008-06-21 01:25 . 2004-01-28 04:21 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-06-21 01:25 . 2008-06-21 01:25 2,914 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-06-21 01:24 . 2008-06-21 01:24 376 --a------ C:\WINDOWS\ODBC.INI
2008-06-21 01:18 . 2008-06-21 01:18 <DIR> d-------- C:\WINDOWS\ShellNew
2008-06-21 01:17 . 2008-06-21 01:17 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Microsoft Web Folders
2008-06-20 23:41 . 2008-06-20 23:41 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-20 23:23 . 2008-06-20 23:23 <DIR> d-------- C:\Program Files\SANDISK
2008-06-20 23:23 . 2008-06-20 23:23 <DIR> d-------- C:\Program Files\Common Files\Shuttle Technology
2008-06-20 23:23 . 2000-03-21 00:46 84,240 --a------ C:\WINDOWS\system32\drivers\SCMENUM.SYS
2008-06-20 23:23 . 2000-05-25 03:32 24,064 --a------ C:\WINDOWS\system32\STLHOOK.DLL
2008-06-20 23:23 . 2000-06-03 02:57 13,806 --a------ C:\WINDOWS\system32\drivers\STLTRK2K.SYS
2008-06-20 23:22 . 2008-06-20 23:22 <DIR> d-------- C:\Documents and Settings\Ed\WINDOWS
2008-06-20 23:22 . 1997-08-01 12:41 254,464 --a------ C:\WINDOWS\UNINST16.EXE
2008-06-20 23:22 . 1995-07-13 18:43 26,768 --a------ C:\WINDOWS\system\CTL3D.DLL
2008-06-20 23:19 . 2008-06-24 13:30 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-20 23:19 . 2008-06-20 23:19 <DIR> d-------- C:\Program Files\AVG
2008-06-20 23:19 . 2008-06-24 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-20 23:19 . 2008-06-20 23:19 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-20 23:19 . 2008-06-20 23:19 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-20 23:19 . 2008-06-20 23:19 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-20 23:14 . 2008-06-20 23:14 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-06-20 23:09 . 2008-06-20 23:09 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-20 23:09 . 2004-08-04 00:56 2,897,920 --------- C:\WINDOWS\system32\xpsp2res.dll
2008-06-20 23:08 . 2008-06-20 23:08 <DIR> d-------- C:\WINDOWS\EHome
2008-06-20 23:08 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 17:28 37,476 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_06_24_12_47_21_small.dmp.zip
2008-06-24 17:28 11,700,053 ----a-w C:\WINDOWS\Internet Logs\zlclient_on_demand_2008_06_24_12_47_04_full.dmp.zip
2008-06-21 05:17 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
.

------- Sigcheck -------

2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2003-03-31 10:00 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-03 23:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 05:10 2180352 a97f3359a8b513500c66988cf36b7ec3 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-03 23:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2007-02-28 05:10 2180352 a97f3359a8b513500c66988cf36b7ec3 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntoskrnl.exe
2007-02-28 05:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntoskrnl.exe
2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2qfe\ntoskrnl.exe
2007-02-28 05:10 2180352 a97f3359a8b513500c66988cf36b7ec3 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 05:10 2180352 a97f3359a8b513500c66988cf36b7ec3 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-23_22.57.08.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-24 02:37:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-24 17:28:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-08-24 03:37:52 796,584 ----a-w C:\WINDOWS\system32\libeay32_0.9.6l.dll
+ 2006-08-24 03:37:58 83,960 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2006-08-24 03:38:36 392,824 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2006-08-24 03:38:00 157,688 ----a-w C:\WINDOWS\system32\vsinit.dll
+ 2006-08-24 03:38:00 104,440 ----a-w C:\WINDOWS\system32\vsmonapi.dll
+ 2006-08-24 03:38:02 268,280 ----a-w C:\WINDOWS\system32\vspubapi.dll
+ 2006-08-24 03:38:02 71,672 ----a-w C:\WINDOWS\system32\vsregexp.dll
+ 2006-08-24 03:38:04 440,312 ----a-w C:\WINDOWS\system32\vsutil.dll
+ 2006-08-24 03:38:04 59,384 ----a-w C:\WINDOWS\system32\vswmi.dll
+ 2006-08-24 03:38:04 100,344 ----a-w C:\WINDOWS\system32\vsxml.dll
+ 2006-08-24 03:38:06 83,960 ----a-w C:\WINDOWS\system32\zlcomm.dll
+ 2006-08-24 03:38:06 71,672 ----a-w C:\WINDOWS\system32\zlcommdb.dll
+ 2008-06-24 03:06:53 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2006-08-24 03:37:46 112,632 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2004-01-30 16:35:08 813,568 ----a-w C:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2006-08-24 03:37:48 129,016 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2006-08-24 03:37:50 38,912 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2006-08-24 03:38:40 26,536 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2006-08-24 03:38:40 1,361,832 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2006-08-24 03:40:52 30,720 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2006-08-24 03:40:52 30,744 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2006-08-03 05:53:28 677,872 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2006-08-03 05:53:28 641,008 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2006-08-24 03:37:54 169,976 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2006-05-31 19:51:00 1,228,606 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2006-08-03 05:53:30 1,308,656 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2006-08-03 05:53:32 29,680 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2006-08-24 03:37:56 456,696 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2006-08-24 03:40:54 206,864 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2006-07-13 06:42:56 866,288 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2006-08-24 03:38:26 124,920 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2006-08-24 03:37:58 104,440 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2006-08-24 03:38:00 79,864 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2006-08-24 03:38:26 75,768 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2006-08-24 03:38:00 2,013,176 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2006-08-24 03:38:02 1,316,856 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2006-08-24 03:38:04 243,704 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2006-05-31 19:51:00 1,228,606 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2006-08-24 03:38:08 178,168 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2006-08-24 03:38:08 79,872 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2006-08-24 03:38:10 251,896 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2006-08-24 03:38:10 124,920 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2006-08-24 03:38:18 1,087,480 ----a-w C:\WINDOWS\system32\ZoneLabs\zpy.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroSys-CheckAjour"="D:\Program Files\Micro-Sys Software\Ajour\ChkAjour.exe" [2004-10-30 14:04 482816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 23:19 1177368]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 09:11 925696]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"Zone Labs Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 23:38 968696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-20 23:19]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-20 23:19]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 23:19]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-20 23:19]
R3 epcfw2k;SCM Parallel Port CF Driver;C:\WINDOWS\system32\DRIVERS\epcfw2k.sys [2001-08-17 09:50]
S3 SCMENUM;SCM EEPROM Eraser;C:\WINDOWS\system32\Drivers\scmenum.sys [2000-03-21 00:46]

*Newly Created Service* - HTTPFILTER
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 13:37:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-24 13:37:42
ComboFix-quarantined-files.txt 2008-06-24 17:37:40
ComboFix2.txt 2008-06-24 02:57:15

Pre-Run: 116,783,616,000 bytes free
Post-Run: 116,781,654,016 bytes free

218 --- E O F --- 2008-06-24 02:34:10