Darsolan

Everything posted by Darsolan

  1. Ok, so there's definitely something still there. Kaspersky found something but I wasn't sure if it deleted it, so I downloaded AVG. AVG is finding things, but I believe they are things that are getting infected, not the actual trojan that's doing it.

Saturday, January 9, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, January 09, 2010 09:14:33
Records in database: 3308111

Scan settings
scan using the following database    extended
Scan archives                        yes
Scan e-mail databases                yes

Scan area    Critical areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Brad\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Objects scanned            94618
Threats found              1
Infected objects found     1
Suspicious objects found   0
Scan duration              01:49:48

File name                              Threat                              Threats count
C:\WINDOWS\system32\AscConTest.dll     Infected: Trojan.Win32.BHO.acvs     1

Selected area has been scanned.

-----------------------------------------------------------------------------
AVG scan found:
"D:\Steam\steamapps\common\dawn of war 2\Install\gfwlivesetup.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""

AVG Rootkit found:
"C:\Documents and Settings\Brad\Cookies\brad@malwarebytes[2].txt";"Hidden file";"Reboot is required to finish the action"
-----------------------------------------------------------------------------

  2. Looks like I posted my ComboFix logs twice instead of my HijackThis logs... it's late.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:15 AM, on 1/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Motorola Media Link\NServiceEntry.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\UAService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Razer\razertra.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\U7SjxDGOQ.exe" /runcleanupscript
O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF6956.cfxxe" /c "C:\ComboFix\C.bat"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [steam] "D:\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186621291781
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DeviceMonitorService - Nero AG - C:\Program Files\Motorola Media Link\NServiceEntry.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe

--
End of file - 10724 bytes

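As an added example (not part of Darsolan's post, and not HijackThis code), the following Python script parses HijackThis 2.x entry lines like the ones in the log above and applies four triage rules a malware-removal helper typically works through first: O4 autostarts given as a bare filename with no directory, O4 executables with a random-looking name (which, as the post itself shows, can be a deliberately renamed Malwarebytes binary as easily as a dropper), O16 ActiveX download entries with no name or URL left, and O23 services reporting "Unknown owner". The sample lines are constructed from entries in the posted log; the rule names, the regular expressions and the random-name heuristic are this example's own assumptions, not features of HijackThis.

```python
"""Triage helper for HijackThis 2.x logs.

Added example, not code from the original post or from HijackThis: parses the
R/F/O entry lines and flags the ones a malware-removal helper usually asks
about first.  The rule names and heuristics are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample input, modelled on entries in the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\U7SjxDGOQ.exe" /runcleanupscript
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [steam] "D:\Steam\Steam.exe" -silent
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

_LINE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
_SECTION = {
    "O2":  re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    "O4":  re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O16": re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? -(?: (?P<url>\S+))?$"),
    "O23": re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$"),
}
# Stem of letters and digits only, mixing both cases with at least one digit:
# common for droppers, but also what a cleaner renamed to dodge malware looks like.
_RANDOMISH = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8,}$")


@dataclass
class Entry:
    kind: str     # HijackThis section, e.g. "O4", "O23"
    body: str     # text after "O4 - "
    fields: dict  # named groups for sections we parse, else {}


def parse(log_text: str) -> list:
    """Return one Entry per R/F/O line; headers and the process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = _LINE.match(raw.rstrip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        sub = _SECTION.get(kind)
        fm = sub.match(body) if sub else None
        entries.append(Entry(kind, body, fm.groupdict() if fm else {}))
    return entries


def executable(cmd: str) -> str:
    """First token of an O4 command line, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def looks_random(path: str) -> bool:
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(_RANDOMISH.match(stem))


def review(log_text: str) -> list:
    """(kind, rule, detail) triples for entries worth a second look."""
    findings = []
    for e in parse(log_text):
        f = e.fields
        if e.kind == "O4" and f:
            target = executable(f["cmd"])
            if target.upper().endswith("RUNDLL32.EXE"):
                # rundll32 itself is standard; the DLL it is told to load is what matters
                parts = f["cmd"].split(None, 2)
                target = parts[1].split(",", 1)[0] if len(parts) > 1 else target
            if "\\" not in target:
                findings.append(("O4", "bare_filename", target))   # found via search path; confirm where it lives
            if looks_random(target):
                findings.append(("O4", "random_name", target))     # renamed tool (as in this post) or dropper: the owner must say which
        elif e.kind == "O16" and f and not (f["name"] or f["url"]):
            findings.append(("O16", "orphan_dpf", f["clsid"]))    # ActiveX download entry with nothing left to identify it
        elif e.kind == "O23" and f and f["owner"] == "Unknown owner":
            findings.append(("O23", "unknown_owner", f["path"]))  # no publisher in version info; check the file's signature
    return findings


if __name__ == "__main__":
    for kind, rule, detail in review(SAMPLE_LOG):
        print(f"{kind:4} {rule:14} {detail}")
```

Run against the sample it reports four entries: the renamed Malwarebytes executable as random_name, CTHELPER.EXE as bare_filename, the nameless O16 CLSID as orphan_dpf and PnkBstrA as unknown_owner; the Adobe BHO, Steam, the NVIDIA rundll32 entry and the NVIDIA service pass. None of these rules is a verdict: each just names the check (locate the file, verify the signature, match the renamed binary to a tool you ran yourself) that settles the entry one way or the other.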
  3. Ok, so this morning I got a warning from Windows Defender that I had Vundo.me and later Vundo.H. Of course at that point it had deleted the Malwarebytes exe file, so I had to leave it till this evening. Upon going over the forums I ended up running ComboFix (I know now I should have waited), got the renamed exe file, and supposedly cleaned out the virus (according to Malwarebytes). I did not, however, run any of the script files into ComboFix, since I saw that I shouldn't be running it as it was running. So at this point I wanted to link my logs to see if anything else is left over. I did run "combofix /uninstall" and Windows Defender came up clean. At the time of this writing Kaspersky Online Scanner 7 is running for critical locations. Going to crash for the night, check in later, thanks in advance. -B

----------------------------------------
Malwarebytes' Anti-Malware 1.44
Database version: 3526

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/9/2010 2:08:12 AM
mbam-log-2010-01-09 (02-08-12).txt

Scan type: Quick Scan
Objects scanned: 118150
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------
ComboFix 10-01-04.01 - Brad 01/09/2010 1:51.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1629 [GMT -8:00]
Running from: c:\documents and settings\Brad\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\SIntf16.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))
.

2010-01-09 08:26 . 2010-01-09 08:26 -------- d-----w- C:\VundoFix Backups
2010-01-09 08:22 . 2010-01-09 08:22 -------- d-----w- c:\documents and settings\Brad\Local Settings\Application Data\Threat Expert
2009-12-21 18:22 . 2009-12-21 18:22 -------- d-----w- c:\documents and settings\Brad\Application Data\motorola
2009-12-21 18:22 . 2009-12-21 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\motorola
2009-12-21 03:25 . 2009-12-21 03:25 -------- d-----w- c:\program files\Common Files\Nero
2009-12-21 03:25 . 2010-01-09 09:58 -------- d-----w- c:\program files\Motorola Media Link
2009-12-21 03:25 . 2009-12-21 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-12-21 03:25 . 2009-12-21 03:25 -------- d-----w- c:\documents and settings\Brad\Local Settings\Application Data\Motorola
2009-12-21 03:24 . 2009-12-21 03:24 -------- d-----w- c:\program files\Motorola
2009-12-21 03:24 . 2009-12-21 03:24 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-12-21 03:19 . 2009-12-21 03:19 -------- d-----w- c:\documents and settings\Brad\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-09 09:58 . 2006-03-08 19:55 13985 ----a-w- c:\windows\system32\tablet.dat
2010-01-09 09:32 . 2009-12-01 18:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 09:27 . 2005-03-28 02:21 -------- d-----w- c:\program files\Trillian
2010-01-09 08:41 . 2008-07-09 22:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-09 08:13 . 2008-12-03 02:14 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-08 00:07 . 2009-12-01 18:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-12-01 18:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 08:50 . 2005-03-21 03:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-03 03:29 . 2009-12-05 20:36 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-02 07:56 . 2009-09-13 10:50 306672 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-02 18:30 . 2005-06-07 22:05 -------- d-----w- c:\documents and settings\Brad\Application Data\Apple Computer
2009-12-02 08:33 . 2009-12-02 08:32 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-02 08:33 . 2009-12-02 08:32 -------- d-----w- c:\program files\iTunes
2009-12-02 08:32 . 2005-10-20 23:45 -------- d-----w- c:\program files\iPod
2009-12-02 08:32 . 2007-07-18 02:44 -------- d-----w- c:\program files\Common Files\Apple
2009-12-02 08:29 . 2009-12-02 08:27 -------- d-----w- c:\program files\QuickTime
2009-12-01 19:08 . 2009-09-16 09:41 -------- d-----w- c:\program files\NVIDIA Corporation
2009-12-01 18:39 . 2008-05-24 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-01 18:38 . 2009-12-01 18:38 -------- d-----w- c:\documents and settings\Brad\Application Data\Malwarebytes
2009-12-01 18:38 . 2009-12-01 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-21 04:32 . 2009-11-21 04:32 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-11-21 04:32 . 2009-11-21 04:32 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-11-21 04:32 . 2009-11-21 04:32 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-11-21 04:32 . 2009-11-21 04:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-21 04:32 . 2009-11-21 04:32 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-21 04:32 . 2009-11-21 04:32 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-11-20 05:42 . 2007-06-29 07:39 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-13 01:07 . 2009-11-13 01:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-04 07:25 . 2009-11-04 07:25 152576 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-04 07:25 . 2009-11-04 07:25 79488 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-03 04:42 . 2009-10-03 05:32 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45 . 2004-08-04 07:56 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 07:56 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 07:56 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 07:56 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 12:17 . 2008-12-10 23:10 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-09_09.09.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-09 09:58 . 2010-01-09 09:58 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\FilePlanet\Download Manager\DLM.exe" [2007-03-05 1103480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 68856]
"Steam"="d:\steam\Steam.exe" [2009-10-31 1217808]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"razertra"="c:\program files\Razer\razertra.exe" [2005-04-07 114688]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\U7SjxDGOQ.exe" [2010-01-09 1394000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\games\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\users\\default\\downloads\\MSN\\dalimar@hotmail.com\\PONG.exe"=
"d:\\games\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe"=
"d:\\files\\WoW\\WoW-2.0.0.5610-enUS-Installer-downloader.exe"=
"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5610-to-2.0.0.5665-enUS-downloader.exe"=
"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5665-to-2.0.0.5666-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5666-to-2.0.0.5849-enUS-downloader.exe"=
"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5849-to-2.0.0.5894-enUS-downloader.exe"=
"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5894-to-2.0.0.5921-enUS-downloader.exe"=
"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5921-to-2.0.0.5965-enUS-downloader.exe"=
"d:\\games\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\games\\World of Warcraft\\Repair.exe"=
"d:\\games\\World of Warcraft\\BackgroundDownloader.exe"=
"d:\\games\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"d:\\games\\Warhammer\\Warhammer.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"d:\\games\\SupremeCommander\\Supreme Commander\\bin\\SupremeCommander.exe"=
"d:\\games\\SupremeCommander\\GPGNet\\GPG.Multiplayer.Client.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"d:\\games\\World in Conflict - BETA\\wic.exe"=
"d:\\games\\World in Conflict\\wic.exe"=
"d:\\games\\World in Conflict\\wic_online.exe"=
"d:\\games\\World in Conflict\\wic_ds.exe"=
"d:\\games\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"d:\\games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe"=
"d:\\games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\games\\RelicCOH.exe"=
"d:\\games\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\games\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\games\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"d:\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"d:\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Motorola Media Link\\MML.exe"=
"d:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:WarCraft III Battle.net
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/13/2008 1:17 PM 717296]
R2 DeviceMonitorService;DeviceMonitorService;c:\program files\Motorola Media Link\NServiceEntry.exe [10/19/2009 3:48 PM 87336]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 11:43 AM 204800]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [12/20/2009 7:44 PM 91392]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [8/11/2006 1:56 PM 8192]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [3/20/2005 7:33 PM 13225]
S0 d347bus;d347bus;c:\windows\system32\DRIVERS\d347bus.sys --> c:\windows\system32\DRIVERS\d347bus.sys [?]
S0 d347prt;d347prt;c:\windows\system32\Drivers\d347prt.sys --> c:\windows\system32\Drivers\d347prt.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 09cca938-75a4-4baa-9a1c-bebf595b931a;09cca938-75a4-4baa-9a1c-bebf595b931a;\??\f:\cds300\cds300.dll --> f:\cds300\cds300.dll [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: hotmail.com\www
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-09 01:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys nvraid.sys hal.dll ACPI.sys sdcplh.sys >>UNKNOWN [0x8A93A1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7e67cb8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller #2 -> SendCompleteHandler -> NDIS.sys @ 0xb7cbfbb0
PacketIndicateHandler -> NDIS.sys @ 0xb7ccca21
SendHandler -> NDIS.sys @ 0xb7caa87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-436374069-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-448539723-436374069-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a0,86,cd,24,32,32,4a,2f,78,41,09,69,6b,e3,62,78,65,35,a5,fe,1b,8c,78,
   3b,6a,5a,2f,19,03,49,2a,47,dd,04,83,cb,a1,ca,26,e5,50,82,49,71,53,0c,a3,16,\
"??"=hex:fa,70,e3,3a,97,0a,02,56,14,59,03,c8,9a,70,fc,62
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3636)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\java.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\UAService.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\WMPNetwk.exe
.
**************************************************************************
.
Completion time: 2010-01-09 02:02:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-09 10:02
ComboFix2.txt 2010-01-09 09:30
ComboFix3.txt 2010-01-09 09:13

Pre-Run: 13,914,271,744 bytes free
Post-Run: 13,871,517,696 bytes free

- - End Of File - - 5E357C46EE98E8C62A7750A4611E6F4A
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-09 09:58 . 2006-03-08 19:55 13985 ----a-w- c:\windows\system32\tablet.dat
2010-01-09 09:32 . 2009-12-01 18:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 09:27 . 2005-03-28 02:21 -------- d-----w- c:\program files\Trillian
2010-01-09 08:41 . 2008-07-09 22:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-09 08:13 . 2008-12-03 02:14 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-08 00:07 . 2009-12-01 18:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-12-01 18:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 08:50 . 2005-03-21 03:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-03 03:29 . 2009-12-05 20:36 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-02 07:56 . 2009-09-13 10:50 306672 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-02 18:30 . 2005-06-07 22:05 -------- d-----w- c:\documents and settings\Brad\Application Data\Apple Computer
2009-12-02 08:33 . 2009-12-02 08:32 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-02 08:33 . 2009-12-02 08:32 -------- d-----w- c:\program files\iTunes
2009-12-02 08:32 . 2005-10-20 23:45 -------- d-----w- c:\program files\iPod
2009-12-02 08:32 . 2007-07-18 02:44 -------- d-----w- c:\program files\Common Files\Apple
2009-12-02 08:29 . 2009-12-02 08:27 -------- d-----w- c:\program files\QuickTime
2009-12-01 19:08 . 2009-09-16 09:41 -------- d-----w- c:\program files\NVIDIA Corporation
2009-12-01 18:39 . 2008-05-24 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-01 18:38 . 2009-12-01 18:38 -------- d-----w- c:\documents and settings\Brad\Application Data\Malwarebytes
2009-12-01 18:38 . 2009-12-01 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-21 04:32 . 2009-11-21 04:32 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-11-21 04:32 . 2009-11-21 04:32 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-11-21 04:32 . 2009-11-21 04:32 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-11-21 04:32 . 2009-11-21 04:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-21 04:32 . 2009-11-21 04:32 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-21 04:32 . 2009-11-21 04:32 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-11-20 05:42 . 2007-06-29 07:39 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-13 01:07 . 2009-11-13 01:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-04 07:25 . 2009-11-04 07:25 152576 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-04 07:25 . 2009-11-04 07:25 79488 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-03 04:42 . 2009-10-03 05:32 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45 . 2004-08-04 07:56 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 07:56 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 07:56 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 07:56 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 12:17 . 2008-12-10 23:10 411368 ----a-w- c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-01-09_09.09.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-09 09:58 . 2010-01-09 09:58 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\FilePlanet\Download Manager\DLM.exe" [2007-03-05 1103480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 68856]
"Steam"="d:\steam\Steam.exe" [2009-10-31 1217808]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"razertra"="c:\program files\Razer\razertra.exe" [2005-04-07 114688]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\U7SjxDGOQ.exe" [2010-01-09 1394000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\games\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\users\\default\\downloads\\MSN\\dalimar@hotmail.com\\PONG.exe"=
"d:\\games\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe"=
"d:\\files\\WoW\\WoW-2.0.0.5610-enUS-Installer-downloader.exe"=
"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5610-to-2.0.0.5665-enUS-downloader.exe"=
"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5665-to-2.0.0.5666-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5666-to-2.0.0.5849-enUS-downloader.exe"=
"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5849-to-2.0.0.5894-enUS-downloader.exe"=
"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5894-to-2.0.0.5921-enUS-downloader.exe"=
"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5921-to-2.0.0.5965-enUS-downloader.exe"=
"d:\\games\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\games\\World of Warcraft\\Repair.exe"=
"d:\\games\\World of Warcraft\\BackgroundDownloader.exe"=
"d:\\games\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"d:\\games\\Warhammer\\Warhammer.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"d:\\games\\SupremeCommander\\Supreme Commander\\bin\\SupremeCommander.exe"=
"d:\\games\\SupremeCommander\\GPGNet\\GPG.Multiplayer.Client.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"d:\\games\\World in Conflict - BETA\\wic.exe"=
"d:\\games\\World in Conflict\\wic.exe"=
"d:\\games\\World in Conflict\\wic_online.exe"=
"d:\\games\\World in Conflict\\wic_ds.exe"=
"d:\\games\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"d:\\games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe"=
"d:\\games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\games\\RelicCOH.exe"=
"d:\\games\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\games\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\games\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"d:\\games\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"d:\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"d:\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Motorola Media Link\\MML.exe"=
"d:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:WarCraft III Battle.net
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/13/2008 1:17 PM 717296]
R2 DeviceMonitorService;DeviceMonitorService;c:\program files\Motorola Media Link\NServiceEntry.exe [10/19/2009 3:48 PM 87336]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 11:43 AM 204800]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [12/20/2009 7:44 PM 91392]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [8/11/2006 1:56 PM 8192]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [3/20/2005 7:33 PM 13225]
S0 d347bus;d347bus;c:\windows\system32\DRIVERS\d347bus.sys --> c:\windows\system32\DRIVERS\d347bus.sys [?]
S0 d347prt;d347prt;c:\windows\system32\Drivers\d347prt.sys --> c:\windows\system32\Drivers\d347prt.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 09cca938-75a4-4baa-9a1c-bebf595b931a;09cca938-75a4-4baa-9a1c-bebf595b931a;\??\f:\cds300\cds300.dll --> f:\cds300\cds300.dll [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: hotmail.com\www
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-09 01:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys nvraid.sys hal.dll ACPI.sys sdcplh.sys >>UNKNOWN [0x8A93A1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7e67cb8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller #2 -> SendCompleteHandler -> NDIS.sys @ 0xb7cbfbb0
PacketIndicateHandler -> NDIS.sys @ 0xb7ccca21
SendHandler -> NDIS.sys @ 0xb7caa87b
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-436374069-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-448539723-436374069-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a0,86,cd,24,32,32,4a,2f,78,41,09,69,6b,e3,62,78,65,35,a5,fe,1b,8c,78,
 3b,6a,5a,2f,19,03,49,2a,47,dd,04,83,cb,a1,ca,26,e5,50,82,49,71,53,0c,a3,16,\
"??"=hex:fa,70,e3,3a,97,0a,02,56,14,59,03,c8,9a,70,fc,62
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3636)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\java.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\UAService.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\WMPNetwk.exe
.
**************************************************************************
.
Completion time: 2010-01-09 02:02:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-09 10:02
ComboFix2.txt 2010-01-09 09:30
ComboFix3.txt 2010-01-09 09:13

Pre-Run: 13,914,271,744 bytes free
Post-Run: 13,871,517,696 bytes free

- - End Of File - - 5E357C46EE98E8C62A7750A4611E6F4A