Marshal
2008-03-22, 19:00
Hi guys, I have some serious issues with Smithfraud on my laptop.
I have Windows Vista and followed some instructions with regard to the removal of Smithfraud.
I ran ComboFix and used the advanced option in Spybot; however, I am at a loss as to what to do next and would really appreciate some help from the experts.
Here is the log that ComboFix generated:
ComboFix 08-03-22.1 - Reb 2008-03-22 17:16:22.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.333 [GMT 1:00]
Running from: C:\Users\Reb\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\system32\drivers\core.cache.dsk
C:\Windows\system32\drivers\partmgrr.sys
C:\Windows\system32\drivers\rmcastt.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_RMCASTT
-------\Service_rmcastt
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 14:40 --------- d-----w C:\Users\Reb\AppData\Roaming\AVG7
2008-03-22 13:19 --------- d-----w C:\Program Files\WarRock
2008-03-22 11:16 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-03-21 19:52 --------- d-----w C:\Program Files\Unlocker
2008-03-21 19:12 --------- d-----w C:\Users\Reb\AppData\Roaming\Xfire
2008-03-20 23:57 --------- d-----w C:\PROGRA~2\Xfire
2008-03-18 15:59 --------- d-----w C:\Program Files\Xfire
2008-03-15 10:42 --------- d-----w C:\PROGRA~2\Spybot - Search & Destroy
2008-03-15 10:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-13 13:13 --------- d-----w C:\Users\Reb\AppData\Roaming\uTorrent
2008-03-13 08:58 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-03-13 08:54 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-13 08:47 --------- d-----w C:\PROGRA~2\Microsoft Help
2008-03-13 08:45 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-03-13 08:44 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2008-03-13 08:44 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-13 08:36 --------- d-----w C:\Program Files\Microsoft SDKs
2008-03-11 04:55 --------- d-----w C:\Program Files\Lump Tool
2008-02-26 06:52 --------- d---a-w C:\PROGRA~2\TEMP
2008-02-26 06:52 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-24 17:39 --------- d-----w C:\PROGRA~2\Lavasoft
2008-02-24 02:21 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-24 02:19 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-24 02:19 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-02-24 02:19 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-02-24 02:19 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-24 02:19 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-24 02:19 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-24 02:19 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
2008-02-24 02:15 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-24 02:15 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-24 02:15 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-24 02:15 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-24 02:15 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-24 02:14 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-24 02:14 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-24 02:13 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-24 02:13 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-24 02:13 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-24 02:13 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-24 02:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-23 10:01 --------- d-----w C:\Users\Reb\AppData\Roaming\Earthsim
2008-02-23 10:01 --------- d-----w C:\PROGRA~2\Earthsim
2008-02-19 15:11 --------- d-----w C:\Program Files\Common Files\Steam
2008-02-18 13:42 --------- d-----w C:\Program Files\ATI
2008-02-09 20:19 --------- d-----w C:\PROGRA~2\avg7
2008-02-09 19:57 --------- d-----w C:\PROGRA~2\Grisoft
2008-02-02 21:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 21:54 --------- d-----w C:\Program Files\Veoh Networks
2008-02-02 17:32 --------- d-----w C:\Program Files\DivX
2008-01-31 14:13 --------- d-----w C:\Program Files\Webroot
2008-01-30 19:35 --------- d-----w C:\Users\Reb\AppData\Roaming\Webroot
2008-01-30 19:11 --------- d-----w C:\Program Files\Common Files\Webroot Shared
2008-01-29 23:34 --------- d-----w C:\Users\Reb\AppData\Roaming\InstallShield
2008-01-28 16:53 --------- d-----w C:\Users\Reb\AppData\Roaming\LimeWire
2008-01-28 04:47 315,392 ----a-w C:\Windows\HideWin.exe
2008-01-28 04:40 319,984 ----a-w C:\Windows\DIFxAPI.dll
2008-01-28 04:40 --------- d-----w C:\Program Files\Realtek
2008-01-27 01:26 --------- d-----w C:\Program Files\Driver-Soft
2008-01-26 10:47 --------- d-----w C:\PROGRA~2\Apple Computer
2008-01-26 10:44 --------- d-----w C:\Users\Reb\AppData\Roaming\Yahoo!
2008-01-26 10:44 --------- d-----w C:\PROGRA~2\Yahoo!
2008-01-26 10:38 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-24 12:59 --------- d-----w C:\Program Files\Java
2007-12-01 22:11 174 --sha-w C:\Program Files\desktop.ini
2007-12-03 19:06 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2007-12-03 19:06 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2007-12-09 00:06 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-12-09 00:06 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-12-09 00:06 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="rundll32.exe" [2006-11-02 10:45 44544 C:\Windows\System32\rundll32.exe]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-16 07:45 815104]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 18:12 90112]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-08-25 12:11 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 12:11 81920]
"MSConfig"="C:\Windows\system32\MSCONFIG.exe" [2006-11-02 10:45 222208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Skytel"="Skytel.exe" [2007-11-20 18:15 1826816 C:\Windows\SkyTel.exe]
"RtHDVCpl"="RtHDVCpl.exe" [2007-12-17 11:02 4718592 C:\Windows\RtHDVCpl.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-09 20:57 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-02-09 20:57 9216 C:\Windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2005-06-07 12:31 819712 C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-11-14 15:01 50736 C:\Program Files\Common Files\AOL\1162935776\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-06-29 16:29 176128 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-12-01 22:50 1006264 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{68F03D5E-EB23-4D13-A41E-39EDEFBD8B4C}"= UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{6000986C-783B-463C-B8E2-52992BB66098}"= TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{A8617593-8CE4-450C-9D66-C6B95C83209B}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{DA8A2E31-6F65-4842-A8FD-74CA01441825}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{CCE91DDE-8E02-4F43-ACD1-5E42E8F5F79C}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"{E6789982-A79C-4E1C-9601-01ADEBBBD8E8}"= Disabled:UDP:C:\Program Files\AOL 9.0 VR\waol.exe:AOL
"{C94A6AA5-DFA7-4935-9219-591B182DA88A}"= Disabled:TCP:C:\Program Files\AOL 9.0 VR\waol.exe:AOL
"{0678C884-EF29-43B1-9E9F-44CF6697BDAD}"= Disabled:UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{A62410DC-C2D0-4457-900F-5C80B89B6775}"= Disabled:TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{8D94E4FA-5BF1-440A-A519-A7135C502689}"= Disabled:UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services
"{96EDA1EC-7431-4391-9B53-05A77C28C05C}"= Disabled:TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services
"{1291996B-6B06-44D1-800D-443A990EF8C5}"= Disabled:UDP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{A14D9158-390D-476E-B374-5BED29CF6B24}"= Disabled:TCP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{65D01209-EDBA-4196-B910-F346E2244BC5}"= Disabled:UDP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{865A7ACB-A2CD-4E5E-9DA9-939A279C7D1F}"= Disabled:TCP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{5576A35F-04A7-45FA-BA04-EFA5E5B72396}"= Disabled:UDP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{6C4795E3-B2C7-4644-8CB3-20C8D52954C3}"= Disabled:TCP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"TCP Query User{83164EDE-7EFC-4A5B-B635-41790C93AEFD}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{2719AD85-8293-426F-8819-2A6FC58735E2}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"{5759BB72-4C1D-4000-8B79-C3A83DE36211}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{0718A9E6-2044-4A33-8F75-FC621EA8AAB8}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CFFB1855-D215-4BD4-A317-20A5112F5595}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{71D88A08-ACC0-48B5-8F3F-5F0507EE40E4}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C06C1362-38D5-4220-9478-D9ABA3D11738}"= UDP:C:\Program Files\THQ\Company of Heroes\RelicCOH.exe:Company of Heroes
"{1032E8C4-150B-4D67-879A-3FE1D66C103D}"= TCP:C:\Program Files\THQ\Company of Heroes\RelicCOH.exe:Company of Heroes
"TCP Query User{0D434CF2-2785-4D03-A880-01D160DB64B3}C:\\program files\\sightspeed\\sightspeed.exe"= UDP:C:\program files\sightspeed\sightspeed.exe:SightSpeed
"UDP Query User{1D771082-1D00-4808-A9B0-2BC74AB61705}C:\\program files\\sightspeed\\sightspeed.exe"= TCP:C:\program files\sightspeed\sightspeed.exe:SightSpeed
"TCP Query User{6030A236-DFAD-4D3E-B8D8-640AEA14DC87}D:\\autorun.exe"= UDP:D:\autorun.exe:CD navigator
"UDP Query User{24C2E510-054A-456D-8206-626E2EBE959C}D:\\autorun.exe"= TCP:D:\autorun.exe:CD navigator
"TCP Query User{BD3D0133-87B1-4469-9700-6B95B126C132}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{C2B9C8B9-7ACF-4362-A2D7-E860B6E3B03C}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{1003A8C5-D722-4EB9-9F54-7CCE704B1E81}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{83EAC5F9-7588-4543-8FD8-57A29DF5AF04}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{92BD2583-6FD3-44DE-A8F8-B1F0ADFEB3B8}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{27ACC726-69F7-4C6D-AC8A-BCFB148AED88}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{D33BA71C-C8C0-49B0-870A-9763FBB5ACB0}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{8861F12F-0314-4843-87B2-88AC66F00802}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{8DB595EE-727B-47B8-AC7A-9B15C30FC9A1}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1A21D70E-3642-4444-A3CC-AC83D3C8CF88}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{95149847-4C5E-403F-89FA-BFBC14CD74E5}"= UDP:C:\Windows\System32\lxbccoms.exe:Lexmark Communications System
"{92B17423-107E-41F7-AADA-B2BA8A93D60E}"= TCP:C:\Windows\System32\lxbccoms.exe:Lexmark Communications System
"{F6416BE0-9539-45FF-88B5-BC336246CFCB}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxbcpswx.exe:Printer Status Window
"{8B34BBBA-9212-4592-BB4E-D540A6AF89EC}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxbcpswx.exe:Printer Status Window
"TCP Query User{CC5F5AEF-E0C8-4383-943A-6F3AAE226698}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{988D504B-25B8-478D-8066-23C5EB95B802}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 16:22]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]
R3 P0630VID;Creative WebCam Live!;C:\Windows\system32\DRIVERS\P0630Vid.sys [2005-06-06 02:44]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-24 14:46]
R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr61.sys [2007-09-28 14:37]
S3 MRV6X32U;Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x);C:\Windows\system32\DRIVERS\MRVW24B.sys [2007-10-28 13:21]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-02-18 14:41]
S3 wrssweep;Webroots Volume Access Driver;C:\Program Files\Webroot\Washer\wrssweep.sys [2007-11-26 14:47]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-02 01:33:01 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-21 19:52:53 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Reb.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-03-22 16:23:22 C:\Windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-20 02:13:26 C:\Windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 17:24:14
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-03-22 17:27:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-22 16:27:39
.
2008-02-24 02:22:03 --- E O F ---
"UDP Query User{1A21D70E-3642-4444-A3CC-AC83D3C8CF88}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{95149847-4C5E-403F-89FA-BFBC14CD74E5}"= UDP:C:\Windows\System32\lxbccoms.exe:Lexmark Communications System
"{92B17423-107E-41F7-AADA-B2BA8A93D60E}"= TCP:C:\Windows\System32\lxbccoms.exe:Lexmark Communications System
"{F6416BE0-9539-45FF-88B5-BC336246CFCB}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxbcpswx.exe:Printer Status Window
"{8B34BBBA-9212-4592-BB4E-D540A6AF89EC}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxbcpswx.exe:Printer Status Window
"TCP Query User{CC5F5AEF-E0C8-4383-943A-6F3AAE226698}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{988D504B-25B8-478D-8066-23C5EB95B802}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 16:22]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]
R3 P0630VID;Creative WebCam Live!;C:\Windows\system32\DRIVERS\P0630Vid.sys [2005-06-06 02:44]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-24 14:46]
R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr61.sys [2007-09-28 14:37]
S3 MRV6X32U;Marvell TOPDOG 802.11n WLAN Driver for Vista x86 (USB8x);C:\Windows\system32\DRIVERS\MRVW24B.sys [2007-10-28 13:21]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-02-18 14:41]
S3 wrssweep;Webroots Volume Access Driver;C:\Program Files\Webroot\Washer\wrssweep.sys [2007-11-26 14:47]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-02 01:33:01 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-21 19:52:53 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Reb.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
"2008-03-22 16:23:22 C:\Windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-20 02:13:26 C:\Windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 17:24:14
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-03-22 17:27:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-22 16:27:39
.
2008-02-24 02:22:03 --- E O F ---