
ComboFix 10-10-22.04 - Administrator 10/22/2010 21:02:20.1.

2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1754 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~.exe
c:\documents and settings\sanumula\Application Data\Bitrix
c:\documents and settings\sanumula\Application Data\Bitrix
708_675671_skey_21-08-2010__10-17-18.zip
c:\documents and settings\sanumula\Application Data\Bitrix
c:\documents and settings\sanumula\Application Data\Bitrix
c:\documents and settings\sanumula\Application Data\Bitrix
c:\documents and settings\sanumula\Application Data\Bitrix
c:\windows\system32\drivers\1028_DELL_XPS_Vostro 1500
c:\windows\system32\drivers\DELL_XPS_Vostro 1500
C:\zip.exe
.
(((((((((((((((((((((((((
))))))))))))))))))))))))
.

))))))))))))))))))))

Security
Security\21082010_101
Security\jje.txt
Security\ljgh.txt
Security\mcx.txt
Security\mxd1.txt
.MRK
.MRK

((((((((((((((((((((((((((((((((((((((((   Files Created from 2010-09-23 to 2010-10-23   )))))))))))))))))))))))))))))))))))))))))))

2010-10-23 02:52 . 2010-10-23 02:52  --------  d--h--w-  c:\windows\system32\GroupPolicy
2010-10-20 07:20 . 2010-10-20 07:20  574       ----a-w-  C:\cleanup.bat
2010-10-19 06:34 . 2010-10-20 06:43  --------  d-----w-  c:\documents and settings\All Users\Application Data\STOPzilla!
2010-10-19 02:16 . 2010-10-19 02:16  2         --shatr-  c:\windows\winstart.bat
2010-10-19 02:15 . 2010-10-19 03:39  --------  d-----w-  c:\program files\UnHackMe
2010-10-19 01:25 . 2010-10-19 01:25  --------  d-----w-  c:\windows\system32\wbem\Repository
2010-10-19 01:24 . 2010-10-19 01:24  --------  d-----w-  c:\program files\Common Files\Java
2010-10-19 01:24 . 2010-10-19 01:24  --------  d-----w-  c:\program files\ErrorTeck
2010-10-18 04:12 . 2010-10-18 04:12  --------  d-----w-  c:\program files\IObit
2010-10-18 03:35 . 2010-10-18 03:35  70192     ----a-w-  c:\windows\system32\PxSecure.dll-7065984
2010-10-18 02:23 . 2010-10-19 01:24  --------  d-----w-  c:\program files\Free Window Registry Repair
2010-10-16 04:22 . 2010-10-19 01:24  --------  d-----w-  c:\program files\Trojan Remover
2010-10-16 03:38 . 2010-10-19 01:24  --------  d-----w-  c:\documents and settings\sanumula\Application Data\Simply Super Software
2010-10-16 03:38 . 2010-10-16 03:38  --------  d-----w-  c:\documents and settings\All Users\Application Data\Simply Super Software
2010-10-10 03:30 . 2010-08-24 21:57  9344      ----a-w-  c:\windows\system32\drivers\mfeclnk.sys
2010-10-10 03:30 . 2010-08-24 21:57  141792    ----a-w-  c:\windows\system32\mfevtps.exe
2010-10-10 03:29 . 2010-08-24 21:57  95600     ----a-w-  c:\windows\system32\drivers\mfeapfk.sys
2010-10-10 03:29 . 2010-08-24 21:57  88544     ----a-w-  c:\windows\system32\drivers\mfendisk.sys
2010-10-10 03:29 . 2010-08-24 21:57  84264     ----a-w-  c:\windows\system32\drivers\mferkdet.sys
2010-10-10 03:29 . 2010-08-24 21:57  84072     ----a-w-  c:\windows\system32\drivers\mfetdi2k.sys
2010-10-10 03:29 . 2010-08-24 21:57  55840     ----a-w-  c:\windows\system32\drivers\cfwids.sys
2010-10-10 03:29 . 2010-08-24 21:57  312904    ----a-w-  c:\windows\system32\drivers\mfefirek.sys
2010-10-06 06:08 . 2010-10-06 06:08  --------  d-----w-  c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-10-05 21:06 . 2010-10-06 02:06  --------  d-----w-  c:\documents and settings\sanumula\Application Data\ErrorTeck
2010-10-05 21:04 . 2010-10-05 21:05  --------  d-----w-  c:\documents and settings\Administrator\Application Data\ErrorTeck
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 04:25 . 2010-09-15 04:25  0         ----a-w-
2010-08-24 21:57 . 2010-01-06 04:12  52104     ----a-w-  c:\windows\system32\drivers\mfebopk.sys
2010-08-24 21:57 . 2010-01-06 04:12  386712    ----a-w-  c:\windows\system32\drivers\mfehidk.sys
2010-08-24 21:57 . 2010-01-06 04:12  152992    ----a-w-  c:\windows\system32\drivers\mfeavfk.sys
.
((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

)))))))))))))))))))))
C:\~.exe.vir
c:\windows\syste
c:\windows\syste
c:\windows\syste

)))))))))))))))))))

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]
"FreeCall"="c:\program files\FreeCall.com\FreeCall\FreeCall.exe" [2010-08-16 10788656]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-17 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-17 138008]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-07 405504]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-02-02 36864]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-11-23 378128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-25 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-1-5 50688]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-5-27 106560]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe"=
"c:\\Documents and Settings\\sanumula\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\sanumula\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [1/5/2010 9:07 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [1/5/2010 9:07 PM 59664]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [1/7/2010 11:06 PM 132296]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [1/7/2010 11:06 PM 25160]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/9/2010 8:29 PM 84072]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/5/2010 9:16 PM 88176]
S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/9/2010 8:29 PM 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [10/9/2010 8:29 PM 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [10/9/2010 8:30 PM 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/9/2010 8:30 PM 141792]
S2 OracleE1LocalTNSListener;OracleE1LocalTNSListener;c:\oracle\E1Local\BIN\TNSLSNR --> c:\oracle\E1Local\BIN\TNSLSNR [?]
S2 OracleServiceE1LOCAL;OracleServiceE1LOCAL;c:\oracle\e1local\bin\ORACLE.EXE E1LOCAL --> c:\oracle\e1local\bin\ORACLE.EXE E1LOCAL [?]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [10/9/2010 8:29 PM 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [10/9/2010 8:29 PM 312904]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [10/9/2010 8:29 PM 88544]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [10/9/2010 8:29 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/9/2010 8:29 PM 84264]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [1/5/2010 9:07 PM 33552]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]
S4 OracleJobSchedulerE1LOCAL;OracleJobSchedulerE1LOCAL;c:\oracle\e1local\Bin\extjob.exe E1LOCAL --> c:\oracle\e1local\Bin\extjob.exe E1LOCAL [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ
vvdsvc
.
Contents of the 'Scheduled Tasks' folder
2010-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
2010-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1284227242-725345543-1004Core.job
- c:\documents and settings\sanumula\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-28 19:02]
2010-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1284227242-725345543-1004UA.job
- c:\documents and settings\sanumula\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-28 19:02]
.
.
------- Supplementary Scan ------.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-SRS Audio Sandbox - c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-22 21:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleE1LocalTNSListener]
"ImagePath"="c:\oracle\E1Local\BIN\TNSLSNR "
.
------------------------ Other Running Processes -----------------------.
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2010-10-22 21:19:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-23 04:19
Pre-Run: 199,267,598,336 bytes free
Post-Run: 199,275,274,240 bytes free
- - End Of File - - 8FD188B5FB27E7D578F87AE6A64576B6