Jamaspad Posted September 14, 2009 ID:126327

ComboFix 09-09-13.04 - Jason 09/13/2009 21:07.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.618 [GMT -4:00]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
-- Previous Run --
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
--------
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.
2009-09-13 23:53 . 2009-09-13 23:53 -------- d-----w- c:\windows\McAfee.com
2009-09-13 23:41 . 2009-09-14 01:07 -------- d--h--w- c:\windows\PIF
2009-09-13 23:11 . 2009-09-13 23:11 -------- d-----w- c:\program files\Trend Micro
2009-09-13 23:00 . 2009-09-13 23:00 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-13 22:58 . 2009-09-13 22:58 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-13 22:28 . 2009-09-13 22:28 -------- d-----w- c:\documents and settings\Jason\Application Data\Malwarebytes
2009-09-13 22:28 . 2009-09-13 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-13 22:28 . 2009-09-14 00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 21:53 . 2009-09-13 21:53 -------- d-----w- c:\documents and settings\All Users\AVP 2009
2009-09-13 18:44 . 2009-07-08 17:44 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-13 18:44 . 2009-07-08 17:44 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-13 18:44 . 2009-07-08 17:44 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-13 18:44 . 2009-07-16 16:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-09-13 18:43 . 2009-09-13 18:44 -------- d-----w- c:\program files\Common Files\McAfee
2009-09-13 18:43 . 2009-09-13 18:43 -------- d-----w- c:\program files\McAfee.com
2009-09-13 18:43 . 2009-09-14 00:50 -------- d-----w- c:\program files\McAfee
2009-09-13 18:41 . 2009-07-08 17:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-13 18:01 . 2009-09-13 18:01 -------- d-----w- c:\documents and settings\Jason\Application Data\CallingID
2009-09-13 18:00 . 2009-09-13 18:00 -------- d-----w- c:\program files\CA
2009-09-13 18:00 . 2009-09-13 18:00 -------- d-----w- c:\windows\Downloaded Installations
2009-09-13 18:00 . 2009-09-13 18:31 -------- d-----w- c:\documents and settings\Jason\Application Data\comcasttb
2009-09-13 18:00 . 2009-09-13 18:01 -------- d-----w- c:\program files\comcasttb
2009-09-12 01:11 . 2009-09-13 18:01 -------- d-----w- c:\documents and settings\Jason\Application Data\Move Networks
2009-09-10 20:54 . 2009-09-10 20:54 -------- d-----w- c:\documents and settings\Jason\Application Data\Turbine
2009-09-10 20:54 . 2009-09-10 20:54 128 ----a-w- c:\documents and settings\Jason\Local Settings\Application Data\fusioncache.dat
2009-09-10 20:54 . 2009-09-10 20:54 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Turbine
2009-09-10 20:53 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-09-10 20:53 . 2009-09-13 18:46 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\ApplicationHistory
2009-09-10 20:50 . 2009-09-10 20:50 -------- d-----w- c:\windows\system32\URTTEMP
2009-09-10 20:29 . 2009-09-10 20:29 -------- d-----w- c:\program files\Turbine
2009-09-10 02:53 . 2009-09-10 20:23 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\PMB Files
2009-09-10 02:53 . 2009-09-10 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-09-10 02:52 . 2009-09-10 02:52 -------- d-----w- c:\program files\Pando Networks
2009-09-09 20:14 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-08-23 23:28 . 2009-08-24 00:05 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Canon Easy-PhotoPrint EX
2009-08-21 03:14 . 2009-08-21 03:14 -------- d-----w- c:\documents and settings\Jason\Application Data\Apple Computer
2009-08-21 03:07 . 2009-08-21 03:07 -------- d-----w- c:\program files\QuickTime
2009-08-21 03:07 . 2009-08-21 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-21 03:06 . 2009-08-21 03:06 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Apple
2009-08-21 03:06 . 2009-08-21 03:06 -------- d-----w- c:\program files\Apple Software Update
2009-08-21 03:06 . 2009-08-21 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-21 03:06 . 2009-08-21 03:06 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Apple Computer
2009-08-19 20:44 . 2009-08-19 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 00:10 . 2009-05-21 03:43 -------- d-----w- c:\program files\Lavasoft
2009-09-14 00:10 . 2009-05-21 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-13 20:17 . 2008-08-26 22:25 -------- d-----w- c:\documents and settings\Jason\Application Data\U3
2009-09-13 18:47 . 2008-08-24 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-10 20:25 . 2008-08-24 14:52 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 20:14 . 2008-08-24 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-04 19:02 . 2009-05-30 01:03 -------- d-----w- c:\program files\Privacy Guardian
2009-09-01 00:23 . 2008-08-24 15:42 -------- d-----w- c:\program files\World of Warcraft
2009-08-30 16:30 . 2009-05-17 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2009-08-18 00:47 . 2009-04-15 00:48 -------- d-----w- c:\program files\Java
2009-08-07 20:16 . 2008-08-26 14:50 -------- d-----w- c:\program files\Google
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 09:23 . 2009-04-10 00:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 17:44 . 2009-07-08 17:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2002-09-11 14:26 . 2008-08-24 03:02 63730 -c--a-w- c:\program files\viewsonicinstruct_xp.pdf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth II\\game.dat"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59134:TCP"= 59134:TCP:Pando Media Booster
"59134:UDP"= 59134:UDP:Pando Media Booster

R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 1:49 PM 616408]
S2 0300671252889445mcinstcleanup;McAfee Application Installer Cleanup (0300671252889445);c:\windows\TEMP\030067~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\030067~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c987ea9fa65086;Google Update Service (gupdate1c987ea9fa65086);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 7:36 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/23/2008 6:58 PM 33752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0300671252889445MCINSTCLEANUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 23:36]

2009-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 23:36]

2009-09-13 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-13 01:26]

2009-09-13 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-13 01:26]

2009-09-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-AntiMalware_ProNET - c:\program files\AntiMalware_Pro\AntiMalware_Pro.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 21:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'explorer.exe'(3900)
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Canon\IJPLM\ijplmsvc.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-09-14 21:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 01:19

Pre-Run: 272,058,556,416 bytes free
Post-Run: 272,660,172,800 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

229 --- E O F --- 2009-09-12 03:48
AdvancedSetup (Root Admin) Posted October 10, 2009 ID:140672

Sorry for the long delay. Do you still need help with this?