
Vundo infection



OK, so this morning I got a warning from Windows Defender that I had Vundo.me and later Vundo.H. Of course, at that point it had deleted the Malwarebytes exe file, so I had to leave it till this evening.

Upon going over the forums I ended up running ComboFix (I know now I should have waited), got the renamed exe file, and supposedly cleaned out the virus (according to Malwarebytes). I did not, however, run any of the script files into ComboFix, since I saw that I shouldn't be running it as it was running.

So at this point I wanted to link my logs to see if anything else is left over. I did run "combofix /uninstall" and Windows Defender came up clean. At the time of this writing Kaspersky Online Scanner 7 is running for critical locations. Going to crash for the night; I'll check in later. Thanks in advance.

-B

----------------------------------------

Malwarebytes' Anti-Malware 1.44

Database version: 3526

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/9/2010 2:08:12 AM

mbam-log-2010-01-09 (02-08-12).txt

Scan type: Quick Scan

Objects scanned: 118150

Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

------------------------------------------------

ComboFix 10-01-04.01 - Brad 01/09/2010 1:51.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1629 [GMT -8:00]

Running from: c:\documents and settings\Brad\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\SIntf16.dll

.

((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))

.

2010-01-09 08:26 . 2010-01-09 08:26 -------- d-----w- C:\VundoFix Backups

2010-01-09 08:22 . 2010-01-09 08:22 -------- d-----w- c:\documents and settings\Brad\Local Settings\Application Data\Threat Expert

2009-12-21 18:22 . 2009-12-21 18:22 -------- d-----w- c:\documents and settings\Brad\Application Data\motorola

2009-12-21 18:22 . 2009-12-21 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\motorola

2009-12-21 03:25 . 2009-12-21 03:25 -------- d-----w- c:\program files\Common Files\Nero

2009-12-21 03:25 . 2010-01-09 09:58 -------- d-----w- c:\program files\Motorola Media Link

2009-12-21 03:25 . 2009-12-21 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero

2009-12-21 03:25 . 2009-12-21 03:25 -------- d-----w- c:\documents and settings\Brad\Local Settings\Application Data\Motorola

2009-12-21 03:24 . 2009-12-21 03:24 -------- d-----w- c:\program files\Motorola

2009-12-21 03:24 . 2009-12-21 03:24 -------- d-----w- c:\program files\Common Files\Motorola Shared

2009-12-21 03:19 . 2009-12-21 03:19 -------- d-----w- c:\documents and settings\Brad\Local Settings\Application Data\Downloaded Installations

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-09 09:58 . 2006-03-08 19:55 13985 ----a-w- c:\windows\system32\tablet.dat

2010-01-09 09:32 . 2009-12-01 18:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-09 09:27 . 2005-03-28 02:21 -------- d-----w- c:\program files\Trillian

2010-01-09 08:41 . 2008-07-09 22:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-01-09 08:13 . 2008-12-03 02:14 -------- d-----w- c:\program files\Windows Live Safety Center

2010-01-08 00:07 . 2009-12-01 18:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-08 00:07 . 2009-12-01 18:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-06 08:50 . 2005-03-21 03:00 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-03 03:29 . 2009-12-05 20:36 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-02 07:56 . 2009-09-13 10:50 306672 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-12-02 18:30 . 2005-06-07 22:05 -------- d-----w- c:\documents and settings\Brad\Application Data\Apple Computer

2009-12-02 08:33 . 2009-12-02 08:32 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-12-02 08:33 . 2009-12-02 08:32 -------- d-----w- c:\program files\iTunes

2009-12-02 08:32 . 2005-10-20 23:45 -------- d-----w- c:\program files\iPod

2009-12-02 08:32 . 2007-07-18 02:44 -------- d-----w- c:\program files\Common Files\Apple

2009-12-02 08:29 . 2009-12-02 08:27 -------- d-----w- c:\program files\QuickTime

2009-12-01 19:08 . 2009-09-16 09:41 -------- d-----w- c:\program files\NVIDIA Corporation

2009-12-01 18:39 . 2008-05-24 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-12-01 18:38 . 2009-12-01 18:38 -------- d-----w- c:\documents and settings\Brad\Application Data\Malwarebytes

2009-12-01 18:38 . 2009-12-01 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-21 04:32 . 2009-11-21 04:32 278120 ----a-w- c:\windows\system32\nvmccs.dll

2009-11-21 04:32 . 2009-11-21 04:32 154216 ----a-w- c:\windows\system32\nvsvc32.exe

2009-11-21 04:32 . 2009-11-21 04:32 145000 ----a-w- c:\windows\system32\nvcolor.exe

2009-11-21 04:32 . 2009-11-21 04:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll

2009-11-21 04:32 . 2009-11-21 04:32 110184 ----a-w- c:\windows\system32\nvmctray.dll

2009-11-21 04:32 . 2009-11-21 04:32 81920 ----a-w- c:\windows\system32\nvwddi.dll

2009-11-20 05:42 . 2007-06-29 07:39 592488 ----a-w- c:\windows\system32\NVUNINST.EXE

2009-11-13 01:07 . 2009-11-13 01:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

2009-11-04 07:25 . 2009-11-04 07:25 152576 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-04 07:25 . 2009-11-04 07:25 79488 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-03 04:42 . 2009-10-03 05:32 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-29 07:45 . 2004-08-04 07:56 916480 ------w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2004-08-04 07:56 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2004-08-04 07:56 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2004-08-04 07:56 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-11 12:17 . 2008-12-10 23:10 411368 ----a-w- c:\windows\system32\deploytk.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-01-09_09.09.53 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-01-09 09:58 . 2010-01-09 09:58 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igndlm.exe"="c:\program files\FilePlanet\Download Manager\DLM.exe" [2007-03-05 1103480]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 68856]

"Steam"="d:\steam\Steam.exe" [2009-10-31 1217808]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]

"razertra"="c:\program files\Razer\razertra.exe" [2005-04-07 114688]

"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\U7SjxDGOQ.exe" [2010-01-09 1394000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"d:\\games\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Trillian\\users\\default\\downloads\\MSN\\dalimar@hotmail.com\\PONG.exe"=

"d:\\games\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe"=

"d:\\files\\WoW\\WoW-2.0.0.5610-enUS-Installer-downloader.exe"=

"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5610-to-2.0.0.5665-enUS-downloader.exe"=

"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5665-to-2.0.0.5666-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=

"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5666-to-2.0.0.5849-enUS-downloader.exe"=

"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5849-to-2.0.0.5894-enUS-downloader.exe"=

"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5894-to-2.0.0.5921-enUS-downloader.exe"=

"d:\\games\\Burning Crusade F&F\\WoW-2.0.0.5921-to-2.0.0.5965-enUS-downloader.exe"=

"d:\\games\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\games\\World of Warcraft\\Repair.exe"=

"d:\\games\\World of Warcraft\\BackgroundDownloader.exe"=

"d:\\games\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=

"d:\\games\\Warhammer\\Warhammer.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=

"d:\\games\\SupremeCommander\\Supreme Commander\\bin\\SupremeCommander.exe"=

"d:\\games\\SupremeCommander\\GPGNet\\GPG.Multiplayer.Client.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=

"d:\\games\\World in Conflict - BETA\\wic.exe"=

"d:\\games\\World in Conflict\\wic.exe"=

"d:\\games\\World in Conflict\\wic_online.exe"=

"d:\\games\\World in Conflict\\wic_ds.exe"=

"d:\\games\\EVE\\bin\\ExeFile.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

"d:\\games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe"=

"d:\\games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"d:\\games\\RelicCOH.exe"=

"d:\\games\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\games\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"d:\\games\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"d:\\games\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"d:\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"d:\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=

"d:\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=

"c:\\Program Files\\Motorola Media Link\\MML.exe"=

"d:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

"c:\\Program Files\\iTunes\\iTunesHelper.exe"=

"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6112:TCP"= 6112:TCP:WarCraft III Battle.net

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881

"67:UDP"= 67:UDP:DHCP Discovery Service

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/13/2008 1:17 PM 717296]

R2 DeviceMonitorService;DeviceMonitorService;c:\program files\Motorola Media Link\NServiceEntry.exe [10/19/2009 3:48 PM 87336]

R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 11:43 AM 204800]

R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [12/20/2009 7:44 PM 91392]

R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [8/11/2006 1:56 PM 8192]

R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [3/20/2005 7:33 PM 13225]

S0 d347bus;d347bus;c:\windows\system32\DRIVERS\d347bus.sys --> c:\windows\system32\DRIVERS\d347bus.sys [?]

S0 d347prt;d347prt;c:\windows\system32\Drivers\d347prt.sys --> c:\windows\system32\Drivers\d347prt.sys [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]

S3 09cca938-75a4-4baa-9a1c-bebf595b931a;09cca938-75a4-4baa-9a1c-bebf595b931a;\??\f:\cds300\cds300.dll --> f:\cds300\cds300.dll [?]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

Trusted Zone: hotmail.com\www

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-09 01:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys nvraid.sys hal.dll ACPI.sys sdcplh.sys >>UNKNOWN [0x8A93A1F8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28

\Driver\ACPI -> ACPI.sys @ 0xb7e67cb8

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

NDIS: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller #2 -> SendCompleteHandler -> NDIS.sys @ 0xb7cbfbb0

PacketIndicateHandler -> NDIS.sys @ 0xb7ccca21

SendHandler -> NDIS.sys @ 0xb7caa87b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-436374069-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-448539723-436374069-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:a0,86,cd,24,32,32,4a,2f,78,41,09,69,6b,e3,62,78,65,35,a5,fe,1b,8c,78,

3b,6a,5a,2f,19,03,49,2a,47,dd,04,83,cb,a1,ca,26,e5,50,82,49,71,53,0c,a3,16,\

"??"=hex:fa,70,e3,3a,97,0a,02,56,14,59,03,c8,9a,70,fc,62

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3636)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTsvcCDA.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\java.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Motorola\MotoConnectService\MotoConnect.exe

c:\windows\system32\Tablet.exe

c:\windows\system32\UAService.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Windows Media Player\WMPNetwk.exe

.

**************************************************************************

.

Completion time: 2010-01-09 02:02:36 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-09 10:02

ComboFix2.txt 2010-01-09 09:30

ComboFix3.txt 2010-01-09 09:13

Pre-Run: 13,914,271,744 bytes free

Post-Run: 13,871,517,696 bytes free

- - End Of File - - 5E357C46EE98E8C62A7750A4611E6F4A


uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

Trusted Zone: hotmail.com\www

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-09 01:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys nvraid.sys hal.dll ACPI.sys sdcplh.sys >>UNKNOWN [0x8A93A1F8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28

\Driver\ACPI -> ACPI.sys @ 0xb7e67cb8

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

NDIS: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller #2 -> SendCompleteHandler -> NDIS.sys @ 0xb7cbfbb0

PacketIndicateHandler -> NDIS.sys @ 0xb7ccca21

SendHandler -> NDIS.sys @ 0xb7caa87b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-436374069-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-448539723-436374069-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:a0,86,cd,24,32,32,4a,2f,78,41,09,69,6b,e3,62,78,65,35,a5,fe,1b,8c,78,

3b,6a,5a,2f,19,03,49,2a,47,dd,04,83,cb,a1,ca,26,e5,50,82,49,71,53,0c,a3,16,\

"??"=hex:fa,70,e3,3a,97,0a,02,56,14,59,03,c8,9a,70,fc,62

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3636)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTsvcCDA.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\java.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Motorola\MotoConnectService\MotoConnect.exe

c:\windows\system32\Tablet.exe

c:\windows\system32\UAService.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Windows Media Player\WMPNetwk.exe

.

**************************************************************************

.

Completion time: 2010-01-09 02:02:36 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-09 10:02

ComboFix2.txt 2010-01-09 09:30

ComboFix3.txt 2010-01-09 09:13

Pre-Run: 13,914,271,744 bytes free

Post-Run: 13,871,517,696 bytes free

- - End Of File - - 5E357C46EE98E8C62A7750A4611E6F4A


Looks like I posted my ComboFix logs twice instead of my HijackThis logs... it's late.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:10:15 AM, on 1/9/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Motorola Media Link\NServiceEntry.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe

C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\java.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\UAService.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE

C:\Program Files\Razer\razertra.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe

O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\U7SjxDGOQ.exe" /runcleanupscript

O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF6956.cfxxe" /c "C:\ComboFix\C.bat"

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [steam] "D:\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186621291781

O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: DeviceMonitorService - Nero AG - C:\Program Files\Motorola Media Link\NServiceEntry.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe

O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe

O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe

--

End of file - 10724 bytes


Ok, so there's definitely something still there. Kaspersky found something but I wasn't sure if it deleted it, so I downloaded AVG. AVG is finding things, but I believe they are things that are getting infected, not the actual trojan that's doing it.

Saturday, January 9, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, January 09, 2010 09:14:33

Records in database: 3308111

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area Critical areas

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

C:\Documents and Settings\Brad\Start Menu\Programs\Startup

C:\Program Files

C:\WINDOWS

Scan statistics

Objects scanned 94618

Threats found 1

Infected objects found 1

Suspicious objects found 0

Scan duration 01:49:48

File name Threat Threats count

C:\WINDOWS\system32\AscConTest.dll Infected: Trojan.Win32.BHO.acvs 1

Selected area has been scanned.

-----------------------------------------------------------------------------

AVG scan found: "D:\Steam\steamapps\common\dawn of war 2\Install\gfwlivesetup.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""

AVG Rootkit found: "C:\Documents and Settings\Brad\Cookies\brad@malwarebytes[2].txt";"Hidden file";"Reboot is required to finish the action"

