ComboFix 08-08-13.05 - Administrator 2008-08-14 12:10:08.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1752 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\rhccfkj0e5ft
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\clerk\Application Data\rhccfkj0e5ft
C:\Program Files\rhccfkj0e5ft
C:\WINDOWS\system32\config\systemprofile\Application Data\rhccfkj0e5ft
C:\WINDOWS\system32\drivers\Byc06.sys
C:\WINDOWS\system32\lphc9fkj0e5ft.exe
C:\WINDOWS\system32\phc9fkj0e5ft.bmp
C:\WINDOWS\system32\x64

----- BITS: Possible infected sites -----

http://10.30.30.2:8530
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BYC06
-------\Legacy_TCPSR
-------\Service_Byc06
-------\Service_tcpsr


((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-14 11:00 . 2008-08-14 11:00 d-------- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
2008-08-14 11:00 . 2008-08-14 11:00 d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2008-08-14 11:00 . 2008-08-14 11:00 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-08-13 17:46 . 2008-08-14 08:29 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2008-08-13 17:45 . 2008-08-13 17:46 d-------- C:\Program Files\Microsoft Common
2008-08-11 13:06 . 2008-08-11 13:20 d-------- C:\Documents and Settings\clerk\Application Data\U3
2008-07-21 15:11 . 2008-07-21 15:11 d-------- C:\Documents and Settings\TEMP.CLERK.001
2008-07-21 15:11 . 2008-07-21 15:11 d--hs---- C:\Documents and Settings\TEMP.CLERK.000\LOCALS~1
2008-07-21 15:11 . 2008-07-21 15:11 d-------- C:\Documents and Settings\TEMP.CLERK.000
2008-07-15 11:48 . 2008-07-11 18:23 40,448 --a------ C:\SEABA Totals 2008.xls
2008-07-15 11:48 . 2008-07-08 12:21 34,304 --a------ C:\AKHeli Totals 2008.xls
2008-07-15 11:48 . 2008-07-07 16:24 25,600 --a------ C:\TGR Totals 2008.xls
2008-07-15 04:29 . 2008-06-20 03:51 361,600 --------- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-07-15 04:29 . 2008-06-20 09:46 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-07-15 04:29 . 2008-06-20 03:08 225,856 --------- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-07-15 04:29 . 2008-06-20 09:46 147,968 --------- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-07-15 04:29 . 2008-06-20 03:40 138,496 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-07-14 18:22 . 2008-05-09 02:53 512,000 --------- C:\WINDOWS\system32\dllcache\jscript.dll
2008-07-14 18:22 . 2008-05-09 02:53 430,080 --------- C:\WINDOWS\system32\dllcache\vbscript.dll
2008-07-14 18:22 . 2008-05-09 02:53 180,224 --------- C:\WINDOWS\system32\dllcache\scrobj.dll
2008-07-14 18:22 . 2008-05-09 02:53 172,032 --------- C:\WINDOWS\system32\dllcache\scrrun.dll
2008-07-14 18:22 . 2008-05-08 03:24 155,648 --------- C:\WINDOWS\system32\dllcache\wscript.exe
2008-07-14 18:22 . 2008-05-09 00:45 135,168 --------- C:\WINDOWS\system32\dllcache\cscript.exe
2008-07-14 18:22 . 2008-05-09 02:53 90,112 --------- C:\WINDOWS\system32\dllcache\wshext.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-08-11 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-05 19:09 --------- d-----w C:\Documents and Settings\clerk\Application Data\SiteAdvisor
2008-06-23 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42 69632]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-01-22 22:09 468288]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-01-22 22:09 87360]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 12:07 36640]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="C:\WINDOWS\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 15:36 13801]
"TSClientAXDisabler"="C:\WINDOWS\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 20:43 2247]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2008-05-28 13:07:33 114688]
Scanner File Utility.lnk - C:\Program Files\Kyocera\FileUtility\NsCatCom.exe [2008-02-28 13:55:48 327680]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-03-25 05:59:00 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-03-25 05:56 303616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-258796451-1422996371-4045565041-1115\Scripts\Logon\0\0]
"Script"=DriveMappings.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-258796451-1422996371-4045565041-1170\Scripts\Logon\0\0]
"Script"=DriveMappings.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--------- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atchk]
--------- 2007-06-12 15:09 408344 C:\Program Files\Intel\AMT\atchk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--------- 2004-02-19 05:23 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--------- 2007-05-24 05:03 17920 C:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--------- 2007-06-28 13:21 162328 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--------- 2007-07-26 17:03 178712 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--------- 2007-06-28 13:21 141848 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--------- 2004-07-27 14:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--------- 2004-07-27 14:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OmniForm OFPA]
--------- 2003-05-20 21:13 40960 C:\Program Files\ScanSoft\OmniForm 5.1\OFPA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OmniFormReminder]
-r------- 2003-03-13 21:41 729088 C:\PROGRA~1\ScanSoft\OMNIFO~1.1\EReg\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2006-10-20 15:23 118784 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--------- 2007-06-28 13:21 137752 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--------- 2006-08-17 07:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--------- 2007-09-24 17:12 1036288 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--------- 2005-11-10 11:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stllssvr"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"OmniForm Printer"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"UNS"=2 (0x2)
"LMS"=2 (0x2)
"atchksrv"=2 (0x2)
"ASFAgent"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 08:35]
R2 EngineServer;EngineServer;C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2007-12-01 11:30]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-01-22 22:09]
S4 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 01:58]
S4 atchksrv;Intel(R) Active Management Technology System Status Service;C:\Program Files\Intel\AMT\atchksrv.exe [2007-06-12 15:09]
S4 LMS;Intel(R) Active Management Technology Local Management Service;C:\Program Files\Intel\AMT\LMS.exe [2007-06-12 15:09]
S4 UNS;Intel(R) Active Management Technology User Notification Service;C:\Program Files\Intel\AMT\UNS.exe [2007-06-12 15:09]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphc9fkj0e5ft - C:\WINDOWS\system32\lphc9fkj0e5ft.exe
HKLM-Run-SMrhccfkj0e5ft - C:\Program Files\rhccfkj0e5ft\rhccfkj0e5ft.exe
MSConfigStartUp-Acrobat Assistant 7 - C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
MSConfigStartUp-Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\upz0eoie.default\

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 12:12:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\searchindexer.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-08-14 12:14:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-14 20:14:36

Pre-Run: 54,677,200,896 bytes free
Post-Run: 52,666,130,432 bytes free

201 --- E O F --- 2008-07-16 11:01:32