"BeeHoon" - 2007-07-06 11:11:48 - ComboFix 07-07-04.4 - Service Pack 2
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\autorun.bat
c:\autorun.inf
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\microsoft\pctools
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\microsoft\pctools\NSIS.Library.RegTool.v2.{E9CA8AD8-A67B-49A7-B6E7-4D572E10FBED}.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\TEMP
C:\DOCUME~1\BeeHoon\LOCALS~1\APPLIC~1.\baidu
C:\WINDOWS\system32\0.txt
C:\WINDOWS\system32\2.exe
C:\WINDOWS\system32\4.exe
C:\WINDOWS\system32\autorun.bat
C:\WINDOWS\system32\autorun.reg
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\O.txt
d:\autorun.bat
d:\autorun.inf
e:\autorun.bat
e:\autorun.inf
f:\autorun.bat
f:\autorun.inf
l:\autorun.bat
l:\autorun.inf
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_ACPIDISK
-------\LEGACY_BDGUARD
-------\LEGACY_NPF
-------\LEGACY_SQUELL
-------\acpidisk
-------\cdnprot
-------\NPF
((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))
2007-07-06 11:11 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-06-30 16:19 419,372 --a------ C:\Program Files\winzip.exe
2007-06-22 19:07 13,396 --a------ C:\WINDOWS\system32\drivers\MTictwl.sys
2007-06-22 19:07 d-------- C:\Program Files\SEC
2007-06-21 11:24 9,389,672 --a------ C:\Program Files\winzip111.exe
2007-06-21 11:13 5,315,429 --a------ C:\Program Files\pkr80018en.EXE
2007-06-18 17:15 d-------- C:\Program Files\The Great Wall Of Words
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-06 02:22:22 -------- d-----w C:\DOCUME~1\BeeHoon\APPLIC~1\OpenOffice.org2
2007-06-22 11:07:38 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-19 07:15:33 -------- d-----w C:\Program Files\EPSON
2007-05-19 07:15:08 -------- d-----w C:\Program Files\Common Files\EPSON
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 04:29:10 6,092,224 ----a-w C:\WINDOWS\mozy-1_8_2_3.exe
2007-04-16 14:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-12 02:19:33 34 ----a-w C:\WINDOWS\system32\BD2040.DAT
2007-04-08 02:37:05 2,071 ----a-w C:\WINDOWS\panose.bin
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"kavshell"=C:\WINDOWS\system32\svch0st.exe
"1cxt76uxtf"=C:\WINDOWS\iexpl0re.exe
"br63gk3ehww"=C:\WINDOWS\rundl13a.exe
"23qygm2vj"=C:\WINDOWS\Servera.exe
"ksg8ujxvk73"=C:\WINDOWS\TEMP\iexpl0re.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"tx"=C:\SysTx1\svchost.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
"tx"=C:\SysTx1\svchost.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-07-04 10:39]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1433d7b3-f2e4-11db-88d0-0011097c8626}]
AutoRun\command- I:\
explore\Command- WScript.exe .\autorun.vbs
open\Command- WScript.exe .\autorun.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{275985ac-165e-11dc-890f-0011097c8626}]
AutoRun\command- L:\
explore\Command- WScript.exe .\autorun.vbs
open\Command- WScript.exe .\autorun.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31024d88-1252-11dc-8908-0011097c8626}]
AutoRun\command- L:\
explore\Command- WScript.exe .\autorun.vbs
open\Command- WScript.exe .\autorun.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{396be234-fab3-11da-873d-0011097c8626}]
AutoRun\command- L:\
explore\Command- WScript.exe .\autorun.vbs
open\Command- WScript.exe .\autorun.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e1256cb-e4fb-11da-80b9-806d6172696f}]
AutoRun\command- K:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{873f1ee6-60f6-11db-87f3-0011097c8626}]
AutoRun\command- ie.exe
explore\Command- ie.exe
open\Command- ie.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e37a495-c95a-11db-8892-0011097c8626}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{974ec60c-005f-11dc-88e6-0011097c8626}]
AutoRun\command- I:\
explore\Command- WScript.exe .\autorun.vbs
open\Command- WScript.exe .\autorun.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4aee7a6-e962-11da-8716-0011097c8626}]
Auto\command- L:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e852513e-215d-11dc-891f-0011097c8626}]
Auto\command- L:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8b9781c-85e8-11db-8833-0011097c8626}]
Auto\command- L:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
Contents of the 'Scheduled Tasks' folder
2007-06-30 07:55:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-07-06 11:15:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-06 11:16:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-06 11:16
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 11:18:51 AM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\Mozy\mozybackup.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Messanger Accelerator (Accelerator Tools) - Unknown owner - C:\WINDOWS\system32\mis.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Mozy Backup Service (MozyBackup) - Unknown owner - D:\Program Files\Mozy\mozybackup.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe