-
That file is most likely ok, go ahead and run Combofix
-
Combofix log
ComboFix 11-01-12.04 - Troy 01/13/2011 12:30:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1453 [GMT -6:00]
Running from: c:\documents and settings\Troy\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\install.exe
c:\windows\system32\Thumbs.db
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
((((((((((((((((((((((((( Files Created from 2010-12-13 to 2011-01-13 )))))))))))))))))))))))))))))))
.
2011-01-13 15:02 . 2011-01-13 15:02 53 ----a-w- c:\windows\sfshell.tmp
2011-01-13 04:44 . 2011-01-13 04:44 -------- d-----w- C:\_OTL
2011-01-13 00:11 . 2011-01-13 00:11 -------- d-----w- c:\documents and settings\Troy\Application Data\Malwarebytes
2011-01-13 00:11 . 2011-01-13 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-13 00:11 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-13 00:11 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-13 00:11 . 2011-01-13 00:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-09 06:25 . 2011-01-09 06:25 -------- d-----w- c:\program files\ERUNT
2011-01-09 01:55 . 2011-01-09 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-01-09 01:55 . 2011-01-09 02:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-03 00:46 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-01-03 00:46 . 2011-01-03 00:46 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-03 00:37 . 2011-01-03 00:37 -------- d-----w- c:\documents and settings\Troy\Local Settings\Application Data\Sunbelt Software
2011-01-03 00:36 . 2011-01-03 00:57 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-02 20:33 . 2011-01-02 20:33 -------- d-sh--w- c:\documents and settings\All Users\Application Data\PICCS
2011-01-02 20:31 . 2011-01-02 20:36 -------- d-sh--w- c:\documents and settings\All Users\Application Data\ad514e
2011-01-01 17:30 . 2010-11-22 16:22 17408 ----a-w- c:\windows\system32\drivers\MO3v2Driver.sys
2011-01-01 17:30 . 2010-10-04 15:34 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2011-01-01 17:30 . 2011-01-01 17:30 -------- d-----w- c:\program files\SteelSeries
2010-12-30 20:11 . 2010-12-30 20:11 -------- d-----w- c:\documents and settings\Troy\Local Settings\Application Data\NCH
2010-12-30 20:05 . 2010-12-30 20:05 -------- d-----w- c:\documents and settings\Troy\Application Data\Razer
2010-12-30 20:03 . 2009-04-21 23:58 11136 ----a-w- c:\windows\system32\drivers\danew.sys
2010-12-30 20:03 . 2009-12-22 03:50 5760 ----a-w- c:\windows\system32\drivers\vHidDev.sys
2010-12-30 02:15 . 2011-01-01 17:31 -------- d-----w- c:\documents and settings\Troy\Application Data\SteelSeries
2010-12-30 02:15 . 2008-03-21 19:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-12-23 23:42 . 2010-12-23 23:42 -------- d-----w- c:\program files\Ventrilo
2010-12-23 23:42 . 2010-12-23 23:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-12-16 06:05 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 06:04 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-03 22:32 . 2007-08-15 14:49 60416 -c--a-w- c:\windows\ALCFDRTM.VER
2010-11-18 18:12 . 2007-08-11 17:20 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-13 00:53 . 2010-08-14 14:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 22:34 . 2008-02-04 02:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2004-08-04 05:56 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 05:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:26 . 2004-08-04 05:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 05:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-03 12:25 . 2004-08-04 03:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 05:56 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 04:17 1853312 ----a-w- c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"Google Update"="c:\documents and settings\Troy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-25 135664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SW20"="c:\windows\system32\sw20.exe" [2006-12-15 208896]
"SW24"="c:\windows\system32\sw24.exe" [2006-12-15 69632]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-10-31 73728]
"WinSys2"="c:\windows\system32\winsys2.exe" [2006-04-29 208896]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"FixCamera"="c:\windows\FixCamera.exe" [2007-02-12 20480]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"SteelSeries World of Warcraft Cataclysm MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMHID2.exe" [2010-12-23 1987072]
c:\documents and settings\Troy\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-12-20 0]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-8-17 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"e:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16939\\SC2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II Public Test.exe"=
"c:\\Documents and Settings\\Troy\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\World of Warcraft\\Blizzard Downloader.exe"=
"c:\\Documents and Settings\\Troy\\Local Settings\\Apps\\2.0\\M6VKE4CO.QNE\\4WOQEQ0E.VNE\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/2/2011 6:46 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 3:05 AM 1402272]
R3 SSMO3v2Filter;MMO3v2 Mouse;c:\windows\system32\drivers\MO3v2Driver.sys [1/1/2011 11:30 AM 17408]
S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [12/30/2010 2:03 PM 11136]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [11/30/2009 3:56 PM 36608]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 3:05 AM 15264]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\DRIVERS\snp325.sys --> c:\windows\system32\DRIVERS\snp325.sys [?]
S3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [12/30/2010 2:03 PM 5760]
.
Contents of the 'Scheduled Tasks' folder
2011-01-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:04]
2011-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1454471165-725345543-1003Core.job
- c:\documents and settings\Troy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-01 08:26]
2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1454471165-725345543-1003UA.job
- c:\documents and settings\Troy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-01 08:26]
2011-01-13 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
2011-01-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-24 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - c:\documents and settings\Troy\Application Data\Mozilla\Firefox\Profiles\ah5v1emr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.wowhead.com/
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: AIM Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
FF - Ext: SOE Web Installer: {000F1EA4-5E08-4564-A29B-29076F63A37A} - %profile%\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKCU-Run-RIMDeviceManager - c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-Simple File Shredder - c:\program files\Simple File Shredder\uninst.exe
AddRemove-WinLiveSuite_Wave3 - c:\program files\Windows Live\Installer\wlarp.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-13 12:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-606747145-1454471165-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\NavLogon.dll
- - - - - - - > 'explorer.exe'(3176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
e:\program files\SmartFTP Client 2.0\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NavNT\rtvscan.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
c:\program files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
c:\program files\Logitech\G-series Software\Applets\LCDMedia.exe
c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iTunes\iTunes.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMTray2.exe
c:\windows\system32\MsgSys.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2011-01-13 12:47:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-13 18:47
Pre-Run: 28,711,636,992 bytes free
Post-Run: 28,580,777,984 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - A706739CA96C2AD4A6342DA9FD158551
-
How are things running now ?
-
Things appear to be running just fine. The malware was redirecting all of my search engine searches to other, more than likely hazardous sites. It was also making Google search in other languages, like Danish.
Rebooting my machine seems to take half of the time it used to!
Is are there more instructions? If not, thank you!
-
Thats nice to hear 
Open OTL and click on Cleanup and it will remove the programs we used to clean your system along with there backups.
Safe Surfn
Ken
-
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
