
Vundo infection



Ok, so this morning I got a warning from Windows Defender that I had Vundo.me and later Vundo.H. Of course at that point it had deleted the Malwarebytes exe file, so I had to leave it till this evening.

Upon going over the forums I ended up running ComboFix (I know now I should have waited), got the renamed exe file, and supposedly cleaned out the virus (according to Malwarebytes). I did not, however, run any of the script files into ComboFix, since I saw that I shouldn't be running it as it was running.

So at this point I wanted to link my logs to see if anything else is left over. I did run "combofix /uninstall" and Windows Defender came up clean. At the time of this writing Kaspersky Online Scanner 7 is running for critical locations. Going to crash for the night, check in later; thanks in advance.

-B

----------------------------------------

Malwarebytes' Anti-Malware 1.44

Database version: 3526

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/9/2010 2:08:12 AM

mbam-log-2010-01-09 (02-08-12).txt

Scan type: Quick Scan

Objects scanned: 118150

Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

------------------------------------------------

ComboFix 10-01-04.01 - Brad 01/09/2010 1:51.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1629 [GMT -8:00]

Running from: c:\documents and settings\Brad\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\SIntf16.dll

.

((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))

.

2010-01-09 08:26 . 2010-01-09 08:26 -------- d-----w- C:\VundoFix Backups

2010-01-09 08:22 . 2010-01-09 08:22 -------- d-----w- c:\documents and settings\Brad\Local Settings\Application Data\Threat Expert

2009-12-21 18:22 . 2009-12-21 18:22 -------- d-----w- c:\documents and settings\Brad\Application Data\motorola

2009-12-21 18:22 . 2009-12-21 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\motorola

2009-12-21 03:25 . 2009-12-21 03:25 -------- d-----w- c:\program files\Common Files\Nero

2009-12-21 03:25 . 2010-01-09 09:58 -------- d-----w- c:\program files\Motorola Media Link

2009-12-21 03:25 . 2009-12-21 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero

2009-12-21 03:25 . 2009-12-21 03:25 -------- d-----w- c:\documents and settings\Brad\Local Settings\Application Data\Motorola

2009-12-21 03:24 . 2009-12-21 03:24 -------- d-----w- c:\program files\Motorola

2009-12-21 03:24 . 2009-12-21 03:24 -------- d-----w- c:\program files\Common Files\Motorola Shared

2009-12-21 03:19 . 2009-12-21 03:19 -------- d-----w- c:\documents and settings\Brad\Local Settings\Application Data\Downloaded Installations

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-09 09:58 . 2006-03-08 19:55 13985 ----a-w- c:\windows\system32\tablet.dat

2010-01-09 09:32 . 2009-12-01 18:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-09 09:27 . 2005-03-28 02:21 -------- d-----w- c:\program files\Trillian

2010-01-09 08:41 . 2008-07-09 22:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-01-09 08:13 . 2008-12-03 02:14 -------- d-----w- c:\program files\Windows Live Safety Center

2010-01-08 00:07 . 2009-12-01 18:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-08 00:07 . 2009-12-01 18:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-06 08:50 . 2005-03-21 03:00 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-03 03:29 . 2009-12-05 20:36 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-02 07:56 . 2009-09-13 10:50 306672 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-12-02 18:30 . 2005-06-07 22:05 -------- d-----w- c:\documents and settings\Brad\Application Data\Apple Computer

2009-12-02 08:33 . 2009-12-02 08:32 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-12-02 08:33 . 2009-12-02 08:32 -------- d-----w- c:\program files\iTunes

2009-12-02 08:32 . 2005-10-20 23:45 -------- d-----w- c:\program files\iPod

2009-12-02 08:32 . 2007-07-18 02:44 -------- d-----w- c:\program files\Common Files\Apple

2009-12-02 08:29 . 2009-12-02 08:27 -------- d-----w- c:\program files\QuickTime

2009-12-01 19:08 . 2009-09-16 09:41 -------- d-----w- c:\program files\NVIDIA Corporation

2009-12-01 18:39 . 2008-05-24 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-12-01 18:38 . 2009-12-01 18:38 -------- d-----w- c:\documents and settings\Brad\Application Data\Malwarebytes

2009-12-01 18:38 . 2009-12-01 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-21 04:32 . 2009-11-21 04:32 278120 ----a-w- c:\windows\system32\nvmccs.dll

2009-11-21 04:32 . 2009-11-21 04:32 154216 ----a-w- c:\windows\system32\nvsvc32.exe

2009-11-21 04:32 . 2009-11-21 04:32 145000 ----a-w- c:\windows\system32\nvcolor.exe

2009-11-21 04:32 . 2009-11-21 04:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll

2009-11-21 04:32 . 2009-11-21 04:32 110184 ----a-w- c:\windows\system32\nvmctray.dll

2009-11-21 04:32 . 2009-11-21 04:32 81920 ----a-w- c:\windows\system32\nvwddi.dll

2009-11-20 05:42 . 2007-06-29 07:39 592488 ----a-w- c:\windows\system32\NVUNINST.EXE

2009-11-13 01:07 . 2009-11-13 01:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

2009-11-04 07:25 . 2009-11-04 07:25 152576 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-04 07:25 . 2009-11-04 07:25 79488 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-03 04:42 . 2009-10-03 05:32 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-29 07:45 . 2004-08-04 07:56 916480 ------w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2004-08-04 07:56 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2004-08-04 07:56 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2004-08-04 07:56 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-11 12:17 . 2008-12-10 23:10 411368 ----a-w- c:\windows\system32\deploytk.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-01-09_09.09.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-01-09 09:58 . 2010-01-09 09:58 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igndlm.exe"="c:\program files\FilePlanet\Download Manager\DLM.exe" [2007-03-05 1103480]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 68856]

"Steam"="d:\steam\Steam.exe" [2009-10-31 1217808]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]

"razertra"="c:\program files\Razer\razertra.exe" [2005-04-07 114688]

"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\U7SjxDGOQ.exe" [2010-01-09 1394000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"d:\\games\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Trillian\\users\\default\\downloads\\MSN\\dalimar@hotmail.com\\PONG.exe"=

"d:\\games\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe"=

"d:\\files\\WoW\\WoW-2.0.0.5610-enUS-Installer-downloader.exe"=

"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5610-to-2.0.0.5665-enUS-downloader.exe"=

"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5665-to-2.0.0.5666-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=

"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5666-to-2.0.0.5849-enUS-downloader.exe"=

"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5849-to-2.0.0.5894-enUS-downloader.exe"=

"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5894-to-2.0.0.5921-enUS-downloader.exe"=

"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5921-to-2.0.0.5965-enUS-downloader.exe"=

"d:\\games\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\games\\World of Warcraft\\Repair.exe"=

"d:\\games\\World of Warcraft\\BackgroundDownloader.exe"=

"d:\\games\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=

"d:\\games\\Warhammer\\Warhammer.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=

"d:\\games\\SupremeCommander\\Supreme Commander\\bin\\SupremeCommander.exe"=

"d:\\games\\SupremeCommander\\GPGNet\\GPG.Multiplayer.Client.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=

"d:\\games\\World in Conflict - BETA\\wic.exe"=

"d:\\games\\World in Conflict\\wic.exe"=

"d:\\games\\World in Conflict\\wic_online.exe"=

"d:\\games\\World in Conflict\\wic_ds.exe"=

"d:\\games\\EVE\\bin\\ExeFile.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

"d:\\games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe"=

"d:\\games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"d:\\games\\RelicCOH.exe"=

"d:\\games\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\games\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"d:\\games\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"d:\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"d:\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=

"d:\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=

"c:\\Program Files\\Motorola Media Link\\MML.exe"=

"d:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

"c:\\Program Files\\iTunes\\iTunesHelper.exe"=

"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6112:TCP"= 6112:TCP:WarCraft III Battle.net

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881

"67:UDP"= 67:UDP:DHCP Discovery Service

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/13/2008 1:17 PM 717296]

R2 DeviceMonitorService;DeviceMonitorService;c:\program files\Motorola Media Link\NServiceEntry.exe [10/19/2009 3:48 PM 87336]

R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 11:43 AM 204800]

R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [12/20/2009 7:44 PM 91392]

R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [8/11/2006 1:56 PM 8192]

R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [3/20/2005 7:33 PM 13225]

S0 d347bus;d347bus;c:\windows\system32\DRIVERS\d347bus.sys --> c:\windows\system32\DRIVERS\d347bus.sys [?]

S0 d347prt;d347prt;c:\windows\system32\Drivers\d347prt.sys --> c:\windows\system32\Drivers\d347prt.sys [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]

S3 09cca938-75a4-4baa-9a1c-bebf595b931a;09cca938-75a4-4baa-9a1c-bebf595b931a;\??\f:\cds300\cds300.dll --> f:\cds300\cds300.dll [?]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

Trusted Zone: hotmail.com\www

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-09 01:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys nvraid.sys hal.dll ACPI.sys sdcplh.sys >>UNKNOWN [0x8A93A1F8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28

\Driver\ACPI -> ACPI.sys @ 0xb7e67cb8

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

NDIS: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller #2 -> SendCompleteHandler -> NDIS.sys @ 0xb7cbfbb0

PacketIndicateHandler -> NDIS.sys @ 0xb7ccca21

SendHandler -> NDIS.sys @ 0xb7caa87b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-436374069-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-448539723-436374069-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:a0,86,cd,24,32,32,4a,2f,78,41,09,69,6b,e3,62,78,65,35,a5,fe,1b,8c,78,

3b,6a,5a,2f,19,03,49,2a,47,dd,04,83,cb,a1,ca,26,e5,50,82,49,71,53,0c,a3,16,\

"??"=hex:fa,70,e3,3a,97,0a,02,56,14,59,03,c8,9a,70,fc,62

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3636)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTsvcCDA.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\java.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Motorola\MotoConnectService\MotoConnect.exe

c:\windows\system32\Tablet.exe

c:\windows\system32\UAService.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Windows Media Player\WMPNetwk.exe

.

**************************************************************************

.

Completion time: 2010-01-09 02:02:36 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-09 10:02

ComboFix2.txt 2010-01-09 09:30

ComboFix3.txt 2010-01-09 09:13

Pre-Run: 13,914,271,744 bytes free

Post-Run: 13,871,517,696 bytes free

- - End Of File - - 5E357C46EE98E8C62A7750A4611E6F4A


.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

Trusted Zone: hotmail.com\www

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-09 01:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys nvraid.sys hal.dll ACPI.sys sdcplh.sys >>UNKNOWN [0x8A93A1F8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28

\Driver\ACPI -> ACPI.sys @ 0xb7e67cb8

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

NDIS: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller #2 -> SendCompleteHandler -> NDIS.sys @ 0xb7cbfbb0

PacketIndicateHandler -> NDIS.sys @ 0xb7ccca21

SendHandler -> NDIS.sys @ 0xb7caa87b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-436374069-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-448539723-436374069-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:a0,86,cd,24,32,32,4a,2f,78,41,09,69,6b,e3,62,78,65,35,a5,fe,1b,8c,78,

3b,6a,5a,2f,19,03,49,2a,47,dd,04,83,cb,a1,ca,26,e5,50,82,49,71,53,0c,a3,16,\

"??"=hex:fa,70,e3,3a,97,0a,02,56,14,59,03,c8,9a,70,fc,62

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3636)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTsvcCDA.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\java.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Motorola\MotoConnectService\MotoConnect.exe

c:\windows\system32\Tablet.exe

c:\windows\system32\UAService.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Windows Media Player\WMPNetwk.exe

.

**************************************************************************

.

Completion time: 2010-01-09 02:02:36 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-09 10:02

ComboFix2.txt 2010-01-09 09:30

ComboFix3.txt 2010-01-09 09:13

Pre-Run: 13,914,271,744 bytes free

Post-Run: 13,871,517,696 bytes free

- - End Of File - - 5E357C46EE98E8C62A7750A4611E6F4A


Looks like I posted my ComboFix logs twice instead of my HijackThis logs... it's late.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:10:15 AM, on 1/9/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Motorola Media Link\NServiceEntry.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe

C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\java.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\UAService.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE

C:\Program Files\Razer\razertra.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe

O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\U7SjxDGOQ.exe" /runcleanupscript

O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF6956.cfxxe" /c "C:\ComboFix\C.bat"

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [steam] "D:\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186621291781

O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: DeviceMonitorService - Nero AG - C:\Program Files\Motorola Media Link\NServiceEntry.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe

O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe

O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe

--

End of file - 10724 bytes


Ok, so there's definitely something still there. Kaspersky found something but I wasn't sure if it deleted it, so I downloaded AVG. AVG is finding things, but I believe they are things that are getting infected, not the actual trojan that's doing it.

Saturday, January 9, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, January 09, 2010 09:14:33

Records in database: 3308111

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area Critical areas

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

C:\Documents and Settings\Brad\Start Menu\Programs\Startup

C:\Program Files

C:\WINDOWS

Scan statistics

Objects scanned 94618

Threats found 1

Infected objects found 1

Suspicious objects found 0

Scan duration 01:49:48

File name Threat Threats count

C:\WINDOWS\system32\AscConTest.dll Infected: Trojan.Win32.BHO.acvs 1

Selected area has been scanned.

-----------------------------------------------------------------------------

AVG scan found: "D:\Steam\steamapps\common\dawn of war 2\Install\gfwlivesetup.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""

AVG Rootkit found: "C:\Documents and Settings\Brad\Cookies\brad@malwarebytes[2].txt";"Hidden file";"Reboot is required to finish the action"

