#10
January 6th, 2008, 08:25 PM
Berna
Member
Join Date: Dec 2003
Posts: 72
combofix log

Here is the ComboFix log:

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1111 [GMT -6:00]
Running from: C:\DOCUME~1\NEEDOB~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\ABEDW5YH\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\iexplore.exe
C:\WINDOWS\system32\iexplorer.exe
C:\WINDOWS\Temp\3776.exe
F:\Autorun.inf
.
---- Previous Run -------
.
C:\Program Files\outlook
C:\Program Files\outlook\p.zip
C:\Program Files\outlook\v.tmp
C:\WINDOWS\system32\UpMedia

.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 11:19 . 2008-01-06 11:19 198 --a------ C:\Documents and Settings\Nee Dobbs\servstop.bat
2008-01-06 11:18 . 2008-01-06 11:18 92 --a------ C:\Documents and Settings\Nee Dobbs\servstart.bat
2008-01-06 10:14 . 2008-01-06 10:14 219,728 --a------ C:\WINDOWS\SYSTEM32\Down(31).exe
2008-01-05 11:57 . 2008-01-05 11:57 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(30).exe
2008-01-05 11:56 . 2008-01-05 11:56 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(29).exe
2008-01-05 11:56 . 2008-01-05 11:56 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(28).exe
2008-01-05 11:56 . 2008-01-05 11:56 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(27).exe
2008-01-05 10:44 . 2008-01-05 10:44 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(26).exe
2008-01-05 10:43 . 2008-01-05 10:43 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(25).exe
2008-01-05 10:16 . 2008-01-05 10:16 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(24).exe
2008-01-05 10:15 . 2008-01-05 10:15 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(23).exe
2008-01-05 10:15 . 2008-01-05 10:15 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(22).exe
2008-01-05 10:14 . 2008-01-05 10:14 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(21).exe
2008-01-05 09:18 . 2008-01-05 09:18 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(20).exe
2008-01-05 09:18 . 2008-01-05 09:18 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(19).exe
2008-01-05 08:57 . 2008-01-05 08:57 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(18).exe
2008-01-05 08:57 . 2008-01-05 08:57 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(17).exe
2008-01-05 08:52 . 2008-01-06 11:19 11,908 --a------ C:\WINDOWS\SYSTEM32\azftzw.KEY
2008-01-05 08:41 . 2008-01-05 08:41 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(16).exe
2008-01-05 08:41 . 2008-01-05 08:41 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(15).exe
2008-01-05 08:32 . 2008-01-05 08:32 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(14).exe
2008-01-05 08:31 . 2008-01-05 08:31 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(13).exe
2008-01-05 07:20 . 2008-01-05 07:20 1 --a------ C:\WINDOWS\SYSTEM32\00044f77.inf
2008-01-05 07:02 . 2008-01-05 07:02 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(11).exe
2008-01-05 06:58 . 2008-01-05 06:58 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(10).exe
2008-01-05 06:57 . 2008-01-05 06:57 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(9).exe
2008-01-05 06:47 . 2008-01-05 06:47 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(8).exe
2008-01-05 06:47 . 2008-01-05 06:47 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(7).exe
2008-01-04 21:28 . 2008-01-06 11:22 145 --a------ C:\WINDOWS\SYSTEM32\a.jpg
2008-01-03 07:25 . 2008-01-03 07:25 389,120 --a------ C:\WINDOWS\SYSTEM32\IE_ASSII.exe
2008-01-02 20:42 . 2008-01-02 20:42 40,960 --a------ C:\HTGD0003.exe
2008-01-02 20:42 . 2008-01-02 20:42 36,864 --a------ C:\HTGD0005.exe
2008-01-02 20:42 . 2008-01-02 20:42 31,078 --a------ C:\HTGD0002.bmp
2008-01-02 20:42 . 2008-01-02 20:42 50 --a------ C:\HTGD0006.ini
2008-01-02 15:35 . 2008-01-02 15:35 401,720 --a------ C:\HiJackThis.exe
2008-01-02 15:23 . 2008-01-02 15:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 14:39 . 2008-01-02 14:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-02 14:39 . 2008-01-02 14:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-02 14:34 . 2008-01-02 14:34 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-02 14:34 . 2008-01-02 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-01 11:04 . 2008-01-01 21:36 2,722 --a------ C:\WINDOWS\SYSTEM32\snhuqt.DRV
2008-01-01 11:04 . 2008-01-01 21:36 2,722 --a------ C:\WINDOWS\SYSTEM32\arsneo.DRV
2008-01-01 11:04 . 2008-01-01 21:36 2,707 --a------ C:\WINDOWS\SYSTEM32\gxobza.KEY
2008-01-01 10:03 . 2008-01-01 10:03 57,036 --a------ C:\WINDOWS\SYSTEM32\Down(6).exe
2008-01-01 09:21 . 2008-01-01 09:21 61,678 --a------ C:\WINDOWS\SYSTEM32\Down(5).exe
2008-01-01 09:14 . 2008-01-01 09:14 61,678 --a------ C:\WINDOWS\SYSTEM32\Down(4).exe
2008-01-01 09:12 . 2008-01-01 09:12 61,678 --a------ C:\WINDOWS\SYSTEM32\Down(3).exe
2008-01-01 09:10 . 2008-01-01 09:10 61,678 --a------ C:\WINDOWS\SYSTEM32\Down(2).exe
2008-01-01 09:04 . 2008-01-01 09:04 1 --a------ C:\WINDOWS\SYSTEM32\0004c49d.inf
2007-12-30 09:49 . 2007-12-30 09:49 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(1).exe
2007-12-30 09:07 . 2007-12-30 09:07 196,608 --a------ C:\WINDOWS\SYSTEM32\Down(0).exe
2007-12-29 19:23 . 2007-12-29 19:23 178,688 --a------ C:\WINDOWS\SYSTEM32\svchst.exe
2007-12-29 19:23 . 2007-12-29 19:22 20,229 ---hs---- C:\test.exe
2007-12-29 19:22 . 2007-10-10 23:57 617,984 --a------ C:\WINDOWS\SYSTEM32\Flower.dll
2007-12-29 19:22 . 2007-12-29 19:22 20,229 ---hs---- C:\WINDOWS\SYSTEM32\Flower.exe
2007-12-28 18:28 . 2007-12-28 18:28 <DIR> d-------- C:\WINDOWS\ulead.dat
2007-12-28 18:28 . 2008-01-02 16:44 <DIR> d-------- C:\Documents and Settings\Nee Dobbs\Application Data\Ulead Systems
2007-12-28 18:28 . 2007-12-28 18:29 333 --a------ C:\WINDOWS\ULead32.ini
2007-12-26 20:58 . 2007-12-26 21:56 <DIR> d-------- C:\Program Files\Web Publish
2007-12-26 20:58 . 2008-01-02 16:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-12-26 14:03 . 2007-12-26 14:19 <DIR> d-------- C:\Program Files\Casino Extreme
2007-12-16 19:54 . 2007-12-16 19:54 <DIR> d-------- C:\Program Files\Magic Photo Editor
2007-12-12 18:15 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-12 17:50 . 2007-12-12 17:50 <DIR> d-------- C:\Program Files\CCleaner
2007-12-10 15:09 . 2007-12-10 15:09 <DIR> d-------- C:\Documents and Settings\Nee Dobbs\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 02:58 --------- d-----w C:\Program Files\Personalised Letters
2008-01-06 02:56 --------- d-----w C:\Program Files\Phoenician
2008-01-06 02:54 --------- d-----w C:\Program Files\firstweb
2008-01-06 02:52 --------- d-----w C:\Program Files\e-texaspoker client
2008-01-06 02:49 --------- d-----w C:\Program Files\Canon
2008-01-06 02:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-06 01:39 --------- d-----w C:\Program Files\exPressit S.E. 2.1
2008-01-02 20:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-01-02 03:36 --------- d-----w C:\Program Files\Club Player Casino
2008-01-01 05:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 01:14 --------- d-----w C:\Documents and Settings\Nee Dobbs\Application Data\AdobeUM
2007-12-27 03:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-13 01:03 --------- d-----w C:\Program Files\Symantec
2007-12-13 01:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-13 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-06 01:50 --------- d-----w C:\Program Files\Club World Casinos
2007-11-23 15:09 --------- d-----w C:\Documents and Settings\Nee Dobbs\Application Data\uTorrent
2007-11-14 20:08 --------- d-----w C:\Program Files\Cool Cat Casino
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 03:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-11-09 04:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-30 09:55 3,065,856 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-11 05:57 96,256 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-10-11 05:57 666,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-11 05:57 617,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-11 05:57 55,808 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-11 05:57 532,480 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-11 05:57 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-10-11 05:57 449,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-11 05:57 39,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-10-11 05:57 357,888 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-10-11 05:57 251,904 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-10-11 05:57 205,824 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-11 05:57 16,384 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-11 05:57 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-10-11 05:57 146,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-11 05:57 1,498,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-10-11 05:57 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-10-11 05:57 1,024,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-10-10 10:48 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-05-24 02:47 14,560,017 ----a-w C:\Program Files\x-video-converter-41214.exe
2005-12-30 19:58 0 ---ha-w C:\Documents and Settings\Nee Dobbs\hpothb07.dat
2005-12-30 19:57 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-11-28 20:10 29,388 ----a-w C:\WINDOWS\Fonts\candycuttf.zip
2005-11-28 20:09 35,288 ----a-w C:\WINDOWS\Fonts\snowcaps.zip
2005-05-12 04:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2004-12-16 04:31 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mschkdsk.exe"="C:\WINDOWS\system32\mschkdsk.exe" [2006-09-06 18:32 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 02:06 7311360]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43 53248]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15 290816]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2003-04-01 20:20 12288]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10 49263]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-08-26 04:33 122941]
"DetectorApp"="C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe" [2005-08-31 05:15 102400]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
"nwiz"="nwiz.exe" [2005-12-10 02:06 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 02:06 86016]
"PCLEPCI"="C:\PROGRA~1\PINNAC~1\PPE\PPE.EXE" [2003-09-23 10:04 32768]
"GoogleUpdate"="C:\Program Files\Internet Explorer\3776.EXE" [2008-01-05 07:34 176128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 01:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 16:41:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\auto.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ShuiNiu.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sos.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\svch0st.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Systom.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UFO.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\XP.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

R2 NATServices;NATServicesware;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:56]
R3 BENDER;Pinnacle AV/DV2 Capture;C:\WINDOWS\system32\drivers\bender.sys [2003-07-09 13:35]
S4 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2004-08-06 15:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
roawiy REG_MULTI_SZ roawiy
snhuqt REG_MULTI_SZ snhuqt
arsneo REG_MULTI_SZ arsneo
NATServices REG_MULTI_SZ NATServices

.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 16:22:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-11-13 06:33:17 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1092363366.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-01-06 10:35:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 11:49:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [2804]
? [3140]
? [3428]

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
GoogleUpdate = C:\Program Files\Internet Explorer\3776.EXE?????l???????????????]???G?o?o?g?l?e?U?p?d?a?t?e?????r?????????????????? ?????e???????????????V?????

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> c:\windows\system32\azftzw.dll
.
Completion time: 2008-01-06 11:50:31
ComboFix-quarantined-files.txt 2008-01-06 17:50:05
.
2007-12-21 17:11:14 --- E O F ---
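The "Reg Loading Points" section of the log above shows three persistence patterns that can be picked out mechanically: Image File Execution Options keys whose `Debugger` value points at `C:\WINDOWS\system32\Flower.exe` for security-tool names such as `NAVSetup.exe` and `zxsweep.exe` (Windows launches the Debugger binary instead of the named program, so the cleaner never runs), svchost service-group names (`roawiy`, `snhuqt`, `arsneo`, `NATServices`) that match `.DRV`/`.KEY` files dropped into SYSTEM32, and a Run value named `GoogleUpdate` that actually starts `C:\Program Files\Internet Explorer\3776.EXE`. The following triage script is an added example, not ComboFix code and not something the poster ran; it parses that section from a log file and cross-references group names against the rest of the log. The sample log is an excerpt reconstructed from the lines on this page, and `KNOWN_DEBUGGERS`, `BASELINE_SVCHOST_GROUPS` and the Run-entry heuristics are the example's own assumptions rather than ComboFix or Microsoft data.

```python
r"""Triage the 'Reg Loading Points' section of a ComboFix log (added example).

Flags: IFEO Debugger values that are not a real debugger, svchost service groups
outside an assumed baseline (cross-referenced with files listed elsewhere in the
log), and Run values whose display name and binary disagree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # ifeo_debugger | svchost_group | run_entry
    name: str    # hijacked program, service-group name, or Run value name
    detail: str  # debugger path, files sharing the group's stem, or binary plus reasons


# Assumed allow-list of debuggers that legitimately appear under IFEO.
KNOWN_DEBUGGERS = ("ntsd", "cdb", "windbg", "vsjitdebugger", "drwtsn32")
# Assumed Windows XP service groups; ComboFix hides defaults anyway, so anything shown deserves a look.
BASELINE_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss",
                           "dcomlaunch", "imgsvc", "httpfilter", "termsvcs"}
VENDOR_WORDS = ("google", "microsoft", "adobe", "symantec")

DEBUGGER_RE = re.compile(r"^Debugger=(.+)$", re.I)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
SVCHOST_GROUP_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+\S+$")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip('"')


def triage(log_text: str) -> list:
    """Return Finding objects for suspicious loading points in a ComboFix log."""
    findings = []
    lower_log = log_text.lower()
    key_raw = None  # registry key the current line belongs to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key_raw = line[1:-1]
            continue
        if key_raw is None:
            continue
        key = key_raw.lower()
        m = DEBUGGER_RE.match(line)
        if m and "image file execution options\\" in key:
            hijacked = key_raw.rsplit("\\", 1)[-1]
            debugger = m.group(1).strip()
            if not _basename(debugger).lower().startswith(KNOWN_DEBUGGERS):
                findings.append(Finding("ifeo_debugger", hijacked, debugger))
        elif key.endswith("currentversion\\svchost"):
            m = SVCHOST_GROUP_RE.match(line)
            if m and m.group(1).lower() not in BASELINE_SVCHOST_GROUPS:
                group = m.group(1)
                # Any file the log lists with the same stem, e.g. SYSTEM32\snhuqt.DRV
                pattern = r"\\" + re.escape(group.lower()) + r"\.[a-z0-9]+"
                files = sorted({hit.lstrip("\\") for hit in re.findall(pattern, lower_log)})
                findings.append(Finding("svchost_group", group,
                                        ", ".join(files) or "no file with that stem in log"))
        elif key.endswith("\\run") or key.endswith("\\runonce"):
            m = RUN_VALUE_RE.match(line)
            if not m:
                continue
            value_name, binary = m.group(1), m.group(2)
            stem = _basename(binary).rsplit(".", 1)[0]
            reasons = []
            if stem.isdigit():
                reasons.append("numeric executable name")
            if value_name.lower().endswith(".exe"):
                reasons.append("value name is a bare filename")
            for vendor in VENDOR_WORDS:
                if vendor in value_name.lower() and vendor not in binary.lower():
                    reasons.append(f"'{vendor}' in value name but not in path")
            if reasons:
                findings.append(Finding("run_entry", value_name, f"{binary} ({'; '.join(reasons)})"))
    return findings


# Constructed excerpt based on the log above (not the full log).
SAMPLE_LOG = r"""
2008-01-01 11:04 . 2008-01-01 21:36 2,722 --a------ C:\WINDOWS\SYSTEM32\snhuqt.DRV
2008-01-01 11:04 . 2008-01-01 21:36 2,722 --a------ C:\WINDOWS\SYSTEM32\arsneo.DRV

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mschkdsk.exe"="C:\WINDOWS\system32\mschkdsk.exe" [2006-09-06 18:32 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 02:06 7311360]
"GoogleUpdate"="C:\Program Files\Internet Explorer\3776.EXE" [2008-01-05 07:34 176128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\svch0st.exe]
Debugger=C:\WINDOWS\system32\Flower.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
roawiy REG_MULTI_SZ roawiy
snhuqt REG_MULTI_SZ snhuqt
arsneo REG_MULTI_SZ arsneo
NATServices REG_MULTI_SZ NATServices
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:15} {f.name:20} {f.detail}")
```

Run it against a saved log by replacing `SAMPLE_LOG` with the file contents. The script deliberately covers only the three key types above; the `Autorun.inf` files in the `C:\` and `F:\` roots and the `azftzw.dll` loaded into `winlogon.exe` are equally important findings in this log but live in other sections and would need their own parsers.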