ComboFix 07-11-08.1 - Administrator 2007-11-07 13:47:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.647 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\AdminJack\Desktop\Live Safety Center.lnk
C:\Documents and Settings\AdminJack\Desktop\Online Security Guide.lnk
C:\Documents and Settings\AdminJack\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Program Files\Temporary
C:\WINDOWS\b147.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\mqssadzv.dllbox
C:\WINDOWS\system32\ozecdmej.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qabosefc.dll
C:\WINDOWS\SYSTEM32\qqstv.bak1
C:\WINDOWS\SYSTEM32\qqstv.bak2
C:\WINDOWS\SYSTEM32\qqstv.ini
C:\WINDOWS\SYSTEM32\qqstv.ini2
C:\WINDOWS\SYSTEM32\qqstv.tmp
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\ymante~1
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.
2007-11-07 13:45 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 13:38 66,591 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\el90xbc5.sys
2007-11-07 13:38 66,591 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\el90xbc5.sys
2007-11-07 13:38 6,656 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdide.sys
2007-11-07 13:38 6,656 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cmdide.sys
2007-11-07 13:38 5,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aliide.sys
2007-11-07 13:38 5,248 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\aliide.sys
2007-11-07 13:32 71,232 --a------ C:\WINDOWS\SYSTEM32\dpqwjqsr.exe
2007-11-07 12:48 71,232 --a------ C:\WINDOWS\SYSTEM32\edhpkakm.exe
2007-11-07 12:41 79,936 --------- C:\WINDOWS\SYSTEM32\ylxmwxlh.dll
2007-11-07 12:39 71,232 --a------ C:\WINDOWS\SYSTEM32\ngpysnrh.exe
2007-11-07 12:32 71,232 --a------ C:\WINDOWS\SYSTEM32\imgmpreo.exe
2007-11-07 12:20 79,936 --a------ C:\WINDOWS\SYSTEM32\jcnqgcnl.dll
2007-11-07 12:17 71,232 --a------ C:\WINDOWS\SYSTEM32\xoomrjho.exe
2007-11-07 12:12 79,936 --a------ C:\WINDOWS\SYSTEM32\pywbvply.dll
2007-11-07 12:09 71,232 --a------ C:\WINDOWS\SYSTEM32\olvcrmng.exe
2007-11-07 11:12 79,936 --a------ C:\WINDOWS\SYSTEM32\iastpymw.dll
2007-11-07 11:03 86,080 --a------ C:\WINDOWS\SYSTEM32\xgbxambo.dll
2007-11-07 11:01 71,232 --a------ C:\WINDOWS\SYSTEM32\ibviiufk.exe
2007-11-07 10:54 71,232 --a------ C:\WINDOWS\SYSTEM32\raeuurgb.exe
2007-11-07 10:41 79,936 --a------ C:\WINDOWS\SYSTEM32\jvlyirrp.dll
2007-11-07 10:38 71,232 --a------ C:\WINDOWS\SYSTEM32\sssjnidi.exe
2007-11-07 10:32 71,232 --a------ C:\WINDOWS\SYSTEM32\sqqyhwvs.exe
2007-11-06 19:44 71,232 --a------ C:\WINDOWS\SYSTEM32\pydhequu.exe
2007-11-06 19:34 87,104 --a------ C:\WINDOWS\SYSTEM32\aceluysq.dll
2007-11-06 18:54 71,232 --a------ C:\WINDOWS\SYSTEM32\ceonardr.exe
2007-11-06 18:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 18:24 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-11-06 18:24 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-06 18:22 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-11-06 18:22 81,472 --a------ C:\WINDOWS\SYSTEM32\vxylwiml.dll
2007-11-06 18:21 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-06 18:17 71,232 --a------ C:\WINDOWS\SYSTEM32\dbuisrks.exe
2007-11-06 17:46 81,472 --a------ C:\WINDOWS\SYSTEM32\bmtfwgos.dll
2007-11-06 17:43 87,104 --a------ C:\WINDOWS\SYSTEM32\ivlgavdn.dll
2007-11-06 17:38 71,232 --a------ C:\WINDOWS\SYSTEM32\plgivwoy.exe
2007-11-06 17:22 81,472 --a------ C:\WINDOWS\SYSTEM32\jiskgncs.dll
2007-11-06 17:08 <DIR> d-------- C:\WINDOWS\pss
2007-11-06 15:09 87,104 --a------ C:\WINDOWS\SYSTEM32\etodofgm.dll
2007-11-06 15:06 81,472 --a------ C:\WINDOWS\SYSTEM32\qmcwywoe.dll
2007-11-06 15:00 145,984 --a------ C:\WINDOWS\SYSTEM32\tvsisnus.dll
2007-11-06 09:59 81,472 --a------ C:\WINDOWS\SYSTEM32\ealnbfaj.dll
2007-11-06 09:34 81,472 --a------ C:\WINDOWS\SYSTEM32\gnmmxosf.dll
2007-11-06 09:26 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-05 18:28 83,008 --a------ C:\WINDOWS\SYSTEM32\ievhtpej.dll
2007-11-05 18:14 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-05 18:02 <DIR> d-------- C:\Documents and Settings\AdminJack\SecurityScans
2007-11-05 18:01 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-11-05 17:29 48,156 --a------ C:\ESUGLPDU.zip
2007-11-05 16:44 83,008 --a------ C:\WINDOWS\SYSTEM32\fdmsfdor.dll
2007-11-05 15:31 110,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-11-05 15:31 48,768 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-11-05 15:24 83,008 --a------ C:\WINDOWS\SYSTEM32\eejtrbfo.dll
2007-11-05 14:17 83,008 --a------ C:\WINDOWS\SYSTEM32\mwfuidrj.dll
2007-11-05 13:16 83,008 --a------ C:\WINDOWS\SYSTEM32\hgmqbamr.dll
2007-11-05 12:54 83,008 --a------ C:\WINDOWS\SYSTEM32\tulewaya.dll
2007-11-05 11:53 83,008 --a------ C:\WINDOWS\SYSTEM32\vuxfrdpv.dll
2007-11-05 11:13 85,568 --a------ C:\WINDOWS\SYSTEM32\fotoeodh.dll
2007-11-05 11:07 83,008 --a------ C:\WINDOWS\SYSTEM32\claaqtsm.dll
2007-11-02 15:07 55,352,398 --a------ C:\SYM_REGISTRY_BACKUP.reg
2007-11-02 10:03 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-11-01 09:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\Mz02r
2007-10-31 13:09 <DIR> d-------- C:\WINDOWS\Sun
2007-10-30 14:59 <DIR> d-------- C:\olb
2007-10-30 13:57 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-10-30 13:06 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-10-30 13:06 <DIR> d-------- C:\Documents and Settings\AdminJack\Application Data\Intuit
2007-10-30 13:06 1,933,312 --a------ C:\WINDOWS\SYSTEM32\cdintf251.dll
2007-10-30 13:02 <DIR> d-------- C:\Program Files\Intuit
2007-10-30 13:02 <DIR> d-------- C:\Program Files\Common Files\Intuit
2007-10-30 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2007-10-30 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2007-10-29 15:54 421,888 --a------ C:\WINDOWS\SYSTEM32\novamnp2.dll
2007-10-29 15:54 9,728 --a------ C:\WINDOWS\SYSTEM32\novamip2.dll
2007-10-29 15:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-29 15:38 <DIR> d-------- C:\Program Files\Softland
2007-10-29 15:38 <DIR> d-------- C:\Program Files\a la mode
2007-10-29 13:24 <DIR> d-------- C:\Program Files\Kyocera
2007-10-29 12:25 33,792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-10-29 12:21 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-29 12:02 <DIR> d--hs---- C:\Documents and Settings\AdminJack\UserData
2007-10-29 12:00 <DIR> d-------- C:\Program Files\Microsoft WSE
2007-10-29 12:00 348,160 --a------ C:\WINDOWS\SYSTEM32\cdintf250.dll
2007-10-29 11:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\URTTemp
2007-10-29 11:47 582,656 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 23:17 --------- d-----w C:\Program Files\Microsoft Works
2007-11-05 20:32 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-05 20:32 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-05 20:32 --------- d-----w C:\Program Files\Symantec
2007-11-05 20:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-02 15:15 --------- d-----w C:\Program Files\Symantec_Client_Security
2007-10-31 19:04 --------- d-----w C:\Documents and Settings\AdminJack\Application Data\AdobeUM
2007-10-29 20:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-29 16:52 --------- d-----w C:\Program Files\Common Files\InstallShield
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2007-03-14 19:49]
"d8fc5d11"="C:\WINDOWS\system32\xgbxambo.dll" [2007-11-07 11:03]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Trend Micro Anti-Spyware.lnk - C:\Program Files\Trend Micro\Tmasy\Tmasy.exe [2007-11-06 18:45:25]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-06-10 03:09:14]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ozecdmej]
ozecdmej.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtsqq.dll
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-11-08 13:55:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-08 13:57:42 - machine was rebooted
.
--- E O F ---
Here is the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:17:00 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://securityrespo...r/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://go.microsoft....k/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [d8fc5d11] rundll32.exe "C:\WINDOWS\system32\xgbxambo.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.mi...b?1194304080125
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metropolitanfundinggroup.local
O17 - HKLM\Software\..\Telephony: DomainName = metropolitanfundinggroup.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metropolitanfundinggroup.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = metropolitanfundinggroup.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ozecdmej - ozecdmej.dll (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe