Okay. Done as requested to a point. After ComboFix reboot, got same Creg.dat registry error and new window opened noting "additional analysis is required" and to submit recommended .zip file to "http://www.bleepingcomputer.com/pf.php". HTTP request timed out...Cannot find server...The page cannot be displayed.
Here are the results of the files scanned by Virus Total...
File wn852.exe received on 11.17.2007 21:16:27 (CET)
Result: 7/32 (21.88%)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 HEUR/Malware
Authentium 4.93.8 2007.11.17 -
Avast 4.7.1074.0 2007.11.17 -
AVG 7.5.0.503 2007.11.17 -
BitDefender 7.2 2007.11.17 Trojan.Generic.78636
CAT-QuickHeal 9.00 2007.11.17 -
ClamAV 0.91.2 2007.11.17 -
DrWeb 4.44.0.09170 2007.11.17 -
eSafe 7.0.15.0 2007.11.14 suspicious Trojan/Worm
eTrust-Vet 31.2.5302 2007.11.17 -
Ewido 4.0 2007.11.17 -
FileAdvisor 1 2007.11.17 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 W32/Threat-HLLSI-based!Maximus
F-Secure 6.70.13030.0 2007.11.17 -
Ikarus T3.1.1.12 2007.11.17 -
Kaspersky 7.0.0.125 2007.11.17 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.17 -
NOD32v2 2665 2007.11.17 -
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.17 -
Prevx1 V2 2007.11.17 Heuristic: Suspicious File With Outbound Communications
Rising 20.18.51.00 2007.11.17 -
Sophos 4.23.0 2007.11.17 Mal/Heuri-D
Sunbelt 2.2.907.0 2007.11.17 -
Symantec 10 2007.11.17 -
TheHacker 6.2.9.133 2007.11.17 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.17 -
Webwasher-Gateway 6.0.1 2007.11.16 Heuristic.Malware
Additional information
File size: 11776 bytes
MD5: 6ba606c6012dc7f094ed2d1e9feb1231
SHA1: c148b7e9835ee787998c8633376d39bba951fa73
packers: UPX
packers: PE_Patch.UPX, UPX
Prevx info:
http://fileinfo.prevx.com/fileinfo.asp? ... 00728168C4
File wn100.exe received on 11.18.2007 01:31:40 (CET)
Result: 11/32 (34.38%)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 Rkit/Agent.NF
Authentium 4.93.8 2007.11.17 -
Avast 4.7.1074.0 2007.11.17 Win32:Agent-LRU
AVG 7.5.0.503 2007.11.17 Downloader.Generic6.TUQ
BitDefender 7.2 2007.11.18 Trojan.Agent.AFPO
CAT-QuickHeal 9.00 2007.11.17 -
ClamAV 0.91.2 2007.11.18 -
DrWeb 4.44.0.09170 2007.11.17 -
eSafe 7.0.15.0 2007.11.14 suspicious Trojan/Worm
eTrust-Vet 31.2.5304 2007.11.17 -
Ewido 4.0 2007.11.17 -
FileAdvisor 1 2007.11.18 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.17 -
Ikarus T3.1.1.12 2007.11.18 -
Kaspersky 7.0.0.125 2007.11.18 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.18 Trojan:Win32/Malagent
NOD32v2 2665 2007.11.17 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.17 Trj/Agony.B
Prevx1 V2 2007.11.18 -
Rising 20.18.51.00 2007.11.17 -
Sophos 4.23.0 2007.11.17 Mal/Emogen-G
Sunbelt 2.2.907.0 2007.11.17 -
Symantec 10 2007.11.18 W32.SillyP2P
TheHacker 6.2.9.133 2007.11.17 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.17 -
Webwasher-Gateway 6.0.1 2007.11.16 Rootkit.Agent.NF
Additional information
File size: 51628 bytes
MD5: ca97c9a6a7ddb1143ae07cc19756916a
SHA1: f1c170124d6f30377e2ffe6d8c53d7daca93bf0b
packers: UPX
packers: UPX
packers: UPX
packers: PE_Patch.UPX, PE_Patch.UPX, UPX
File r-k.exe received on 11.18.2007 01:47:38 (CET)
Result: 9/32 (28.13%)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 Rkit/Agent.NF
Authentium 4.93.8 2007.11.17 -
Avast 4.7.1074.0 2007.11.17 Win32:Agent-LRU
AVG 7.5.0.503 2007.11.17 Agent.JGR
BitDefender 7.2 2007.11.18 Trojan.Agent.AFPO
CAT-QuickHeal 9.00 2007.11.17 -
ClamAV 0.91.2 2007.11.18 -
DrWeb 4.44.0.09170 2007.11.17 -
eSafe 7.0.15.0 2007.11.14 suspicious Trojan/Worm
eTrust-Vet 31.2.5304 2007.11.17 -
Ewido 4.0 2007.11.17 -
FileAdvisor 1 2007.11.18 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.17 -
Ikarus T3.1.1.12 2007.11.18 -
Kaspersky 7.0.0.125 2007.11.18 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.18 -
NOD32v2 2665 2007.11.17 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.17 Trj/Agony.B
Prevx1 V2 2007.11.18 -
Rising 20.18.51.00 2007.11.17 -
Sophos 4.23.0 2007.11.17 -
Sunbelt 2.2.907.0 2007.11.17 Trojan.Agent.AFPO
Symantec 10 2007.11.18 -
TheHacker 6.2.9.133 2007.11.17 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.17 -
Webwasher-Gateway 6.0.1 2007.11.16 Rootkit.Agent.NF
Additional information
File size: 20992 bytes
MD5: eb3a5a8ea6ea4cdc6f7066a4cedd2f4e
SHA1: 4cd9e8dc5f475d26dc2de90853f0ddd096c52884
packers: UPX
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX
File wininit.sys received on 11.18.2007 02:01:02 (CET)
Result: 13/32 (40.63%)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 Rkit/Agent.NF
Authentium 4.93.8 2007.11.17 -
Avast 4.7.1074.0 2007.11.17 Win32:Agent-LRU
AVG 7.5.0.503 2007.11.17 Agent.JGS
BitDefender 7.2 2007.11.18 Trojan.Agent.AFPO
CAT-QuickHeal 9.00 2007.11.17 -
ClamAV 0.91.2 2007.11.18 -
DrWeb 4.44.0.09170 2007.11.17 -
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.2.5304 2007.11.17 -
Ewido 4.0 2007.11.17 -
FileAdvisor 1 2007.11.18 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 W32/SYStroj.C.gen!Eldorado
F-Secure 6.70.13030.0 2007.11.17 Rootkit.Win32.Agent.nf
Ikarus T3.1.1.12 2007.11.18 Rootkit.Win32.Agent.nf
Kaspersky 7.0.0.125 2007.11.18 Rootkit.Win32.Agent.nf
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.18 -
NOD32v2 2665 2007.11.17 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.17 Rootkit/Agony
Prevx1 V2 2007.11.18 -
Rising 20.18.51.00 2007.11.17 -
Sophos 4.23.0 2007.11.17 Troj/RKPort-Fam
Sunbelt 2.2.907.0 2007.11.17 Trojan.Agent.AFPO
Symantec 10 2007.11.18 -
TheHacker 6.2.9.133 2007.11.17 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.17 -
Webwasher-Gateway 6.0.1 2007.11.16 Rootkit.Agent.NF
Additional information
File size: 17664 bytes
MD5: 802fab3318b130f31b60b83b7df650de
SHA1: f3b556ff4ac8b8b1ded58bd6c1444b3c0196c360
Here are the log.txt results of ComboFix using CFScript.txt...
ComboFix 07-11-08.1 - Administrator 11/17/2007 20:50:07.6 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.677 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
FILE
C:\WINNT\system32\2583.sys
C:\WINNT\system32\2c32.sys
C:\WINNT\system32\3f74.sys
C:\WINNT\SYSTEM32\byxxxyx.dll
C:\WINNT\SYSTEM32\ljjghfe.dll
C:\WINNT\SYSTEM32\mskvtns.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp
C:\Temp\AirSnare\AirSnare.CAB
C:\Temp\AirSnare\setup.exe
C:\Temp\AirSnare\SETUP.LST
C:\Temp\mZOr\tOasF.log
C:\Temp\Temp\cleanup.log
C:\Temp\Temp\Folders.dbx
C:\Temp\Temp\Inbox.dbx
C:\Temp\Temp\Offline.dbx
C:\Temp\Temp\Outbox.dbx
C:\Temp\Temp\Pop3uidl.dbx
C:\Temp\Temp\Sent Items.dbx
C:\WINNT\SYSTEM32\byxxxyx.dll
C:\WINNT\SYSTEM32\ljjghfe.dll
C:\WINNT\SYSTEM32\mskvtns.dll
C:\WINNT\SYSTEM32\Mz02r
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_2583
-------\LEGACY_2C32
-------\LEGACY_3F74
-------\LEGACY_AGONY
-------\2583
-------\2c32
-------\3f74
-------\agony
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.
2007-11-17 20:53 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_570.dat
2007-11-17 10:11 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-16 21:20 <DIR> d-------- C:\Deckard
2007-11-15 21:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-11 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-11 23:32 10,872 --a------ C:\WINNT\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-11 18:02 <DIR> d-------- C:\Program Files\McAfee Tools
2007-11-10 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-10 23:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-10 16:25 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-10 13:58 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-10 13:56 <DIR> d-------- C:\VundoFix Backups
2007-11-04 23:25 11,776 --a------ C:\Documents and Settings\Administrator\wn852.exe
2007-11-04 23:25 0 --a------ C:\pdfview.exe
2007-11-04 23:25 0 --a------ C:\bbzip.exe
2007-10-24 22:11 51,628 --a------ C:\Documents and Settings\Administrator\wn100.exe
2007-10-24 22:11 20,992 --a------ C:\WINNT\r-k.exe
2007-10-18 12:18 20,280 --a------ C:\WINNT\SYSTEM32\DRIVERS\SSFS0BB9.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 15:12 --------- d---a-w C:\Program Files\Java
2007-11-16 12:29 --------- d-----w C:\Program Files\AZZ Cardfile
2007-11-15 00:49 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-12 01:14 --------- d-----w C:\Program Files\Find Favorites
2007-11-11 19:06 --------- d-----w C:\Program Files\RegCure
2007-11-11 04:06 --------- d-----w C:\Program Files\Yahoo!
2007-11-11 04:06 --------- d-----w C:\Program Files\Common Files\Scanner
2007-11-11 00:01 --------- d-----w C:\Program Files\Zinio
2007-10-18 17:16 164 ----a-w C:\install.dat
2007-10-15 03:10 --------- d-----w C:\Program Files\JIGLE-0.7.5
2007-10-15 02:34 --------- d-----w C:\Program Files\MSECache
2007-10-12 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\SolarWinds
2007-10-01 20:40 1,526,072 ----a-w C:\WINNT\WRSetup.dll
2007-10-01 20:24 23,864 ----a-w C:\WINNT\system32\drivers\sskbfd.sys
2007-10-01 20:24 21,816 ----a-w C:\WINNT\system32\drivers\sshrmd.sys
2007-10-01 20:24 163,640 ----a-w C:\WINNT\system32\drivers\ssidrv.sys
2007-08-21 17:10 69,632 ----a-w C:\WINNT\SYSTEM32\SWSendSyslog.dll
2007-08-21 17:09 122,880 ----a-w C:\WINNT\SYSTEM32\SWPortScanV1.dll
2007-08-21 17:08 122,880 ----a-w C:\WINNT\SYSTEM32\DirectDNS.dll
2007-08-21 17:05 905,296 ----a-w C:\WINNT\SYSTEM32\SNMPv7.dll
2007-08-19 21:55 91,136 ----a-w C:\WINNT\SYSTEM32\MSOERT2.DLL
2007-08-19 21:55 596,992 ----a-w C:\WINNT\SYSTEM32\INETCOMM.DLL
2007-08-19 21:55 47,616 ----a-w C:\WINNT\SYSTEM32\INETRES.DLL
2007-08-19 21:55 229,376 ----a-w C:\WINNT\SYSTEM32\MSOEACCT.DLL
2007-08-19 21:52 44,032 ----a-w C:\WINNT\SYSTEM32\MSIDENT.DLL
2005-12-17 19:30 140,632 -c-ha-w C:\Documents and Settings\Administrator\Application Data\ptads.bin
2003-07-10 05:54 271 -c-ha-w C:\Program Files\DESKTOP.INI
2003-07-10 05:54 21,952 -c-ha-w C:\Program Files\FOLDER.HTT
2003-06-19 23:00 32,528 -c--a-w C:\WINNT\INF\WBFIRDMA.SYS
.
((((((((((((((((((((((((((((( snapshot@Sat 2007-11-10_14.08.30.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-17 14:58:14 295,606 ----a-r C:\WINNT\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
+ 2007-11-11 04:43:54 295,606 ----a-r C:\WINNT\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
- 2007-10-15 13:11:21 240,736 ----a-w C:\WINNT\SYSTEM32\FNTCACHE.DAT
+ 2007-11-12 22:30:22 240,736 ----a-w C:\WINNT\SYSTEM32\FNTCACHE.DAT
- 2003-12-11 08:02:12 24,670 -c--a-w C:\WINNT\SYSTEM32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINNT\SYSTEM32\java.exe
- 2003-12-11 08:02:12 28,768 -c--a-w C:\WINNT\SYSTEM32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINNT\SYSTEM32\javaw.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINNT\SYSTEM32\javaws.exe
- 2006-06-22 18:44:00 2,078,344 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:34 2,115,816 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:40 190,696 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-11-17 14:26:56 45,218 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
- 2007-07-11 20:22:28 60,388 ----a-w C:\WINNT\SYSTEM32\PERFC009.DAT
+ 2007-11-11 00:54:04 60,388 ----a-w C:\WINNT\SYSTEM32\PERFC009.DAT
- 2007-07-11 20:22:28 389,838 ----a-w C:\WINNT\SYSTEM32\PERFH009.DAT
+ 2007-11-11 00:54:04 389,838 ----a-w C:\WINNT\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 18:00 C:\WINNT\SYSTEM32\MOBSYNC.EXE]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [03-06-10 10:07 ]
"PRPCMonitor"="PRPCUI.exe" [02-10-06 14:00 C:\WINNT\SYSTEM32\prpcui.exe]
"DVDSentry"="C:\WINNT\system32\DSentry.exe" [02-07-16 21:18 ]
"CreateCD50"="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [02-12-17 00:14 ]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [05-07-29 19:52 ]
"CARPService"="carpserv.exe" [02-10-17 06:54 C:\WINNT\SYSTEM32\carpserv.exe]
"nwiz"="nwiz.exe" [04-10-26 12:01 C:\WINNT\SYSTEM32\nwiz.exe]
"ZCfgSvc.exe"="C:\WINNT\system32\ZCfgSvc.exe" [05-07-05 00:32 ]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [05-06-27 07:31 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-09-12 20:49 ]
"NvCplDaemon"="RUNDLL32.exe" [03-06-19 18:00 C:\WINNT\SYSTEM32\RUNDLL32.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [07-10-10 19:51 ]
"bacstray"="BacsTray.exe" [03-05-14 05:37 C:\WINNT\SYSTEM32\BacsTray.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [07-10-01 15:40 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internat.exe"="internat.exe" [03-06-19 18:00 C:\WINNT\SYSTEM32\INTERNAT.EXE]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-06-19 21:04:45]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys
R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINNT\system32\Drivers\SSFS0BB9.SYS
R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"
R2 BASFND;BASFND;\??\C:\WINNT\system32\Drivers\BASFND.sys
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys
R3 GTICARD;GTICARD;C:\WINNT\system32\DRIVERS\gticard.sys
R3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
R3 w70n5;Intel(R) PRO/Wireless 7100 Adapter Driver for Windows 2000;C:\WINNT\system32\DRIVERS\w70n5.sys
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
S3 FreshIO;FreshIO;\??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys
S3 NAL;Nal Service ;\??\C:\WINNT\system32\Drivers\iqvw32.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINNT\system32\drivers\npf.sys
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINNT\system32\NSNDIS5.SYS
S3 SolarWinds TFTP Server;SolarWinds TFTP Server;"C:\Program Files\SolarWinds\Engineer's Toolset\SolarWinds TFTP Server.exe"
.
Contents of the 'Scheduled Tasks' folder
"2007-11-18 01:53:37 C:\WINNT\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-08 11:10:54 C:\WINNT\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-11-17 20:53:57
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-17 20:56:07 - machine was rebooted
C:\ComboFix2.txt ... 07-11-17 10:24
C:\ComboFix3.txt ... 07-11-12 10:17
.
--- E O F ---