trojan.fakealert-crisis



dmelliott
2008-04-20, 17:26
Hello again, and thank you for being here again.

One of my malware programs says I have the trojan.fakealert, and indeed I am getting negative reports about well known files in my scans.

I looked at http://forums.spybot.info/showthread.php?t=27018&highlight=trojan.fakealert

but could not figure out how to translate the procedure to my case. I will give my scan files below.

I do have two questions. There is a link "explaining" how to save the file as CFScript. It consists of a picture of two buttons with a cursor going back and forth between them. Since ComboFix.exe runs in a cmd window, there are no buttons. Also, what do I drag it into?

The SMC file is my firewall, and I turned the iTunes-iPod thing off between scans.

Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:58 AM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Internet\Sygate\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Util\SSuite\MXTask.exe
C:\WINDOWS\Explorer.EXE
D:\Internet\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - D:\Internet\PpUpStpr\CCHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Util\SSuite\LinkScannerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Internet\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Internet\Java\bin\ssv.dll
O2 - BHO: CutePDF Form Filler Helper - {D41289F2-69C6-417B-897E-C653D677CBAF} - E:\CutePdf\CPFillerCo.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - D:\Internet\PpUpStpr\popuppro.dll
O4 - HKLM\..\Run: [VirusScannerPro] D:\Util\SSuite\MemCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Internet\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [WheresJames Startup Manager] D:\Util\StUpMngr\StartupMgr.exe
O8 - Extra context menu item: &ieSpell Options - res://D:\Internet\IESpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://D:\Internet\IESpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Internet\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Internet\Java\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Internet\IESpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Internet\IESpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Internet\IESpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Internet\IESpell\iespell.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Internet\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Internet\Spybot\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194674916562
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Util\Diskeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Internet\SpywrDr\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Internet\SpywrDr\pctsSvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - D:\Internet\Sygate\smc.exe
O23 - Service: SystemSuite Task Manager - Avanquest Software USA, Inc. - D:\Util\SSuite\MXTask.exe
--
End of file - 5128 bytes


ComboFix:

ComboFix 08-04-18.3 - Administrator 2008-04-20 7:41:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.684 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.
2008-04-20 02:16 . 2008-04-20 04:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 02:16 . 2008-04-20 02:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-20 01:04 . 2008-04-20 01:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 16:56 . 2008-04-13 16:56 57,436 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-13 14:50 . 2008-04-13 14:50 <DIR> d-------- C:\Program Files\iPod
2008-04-13 13:02 . 2008-04-13 13:02 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-13 04:29 . 2008-04-13 04:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tarma Installer
2008-04-09 01:37 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-09 01:34 . 2008-04-09 01:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-08 18:40 . 2008-04-08 23:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-07 08:52 . 2008-04-18 01:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MailWasherPro
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 09:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 21:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-13 18:06 --------- d-----w C:\Program Files\QuickTime
2008-04-03 10:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-03-06 20:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\vlc
2008-02-26 19:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 12:54 --------- d-----w C:\Program Files\OpenType Extension
2008-01-31 18:15 29,600 ----a-w C:\WINDOWS\system32\mxntdfg.exe
2008-01-29 17:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-19_23.39.55.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 14:59:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 09:28:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-03-09 22:58:55 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-20 09:32:39 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-09 22:58:55 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-20 09:32:39 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WheresJames Startup Manager"="D:\Util\StUpMngr\StartupMgr.exe" [2007-05-05 19:01 475136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirusScannerPro"="D:\Util\SSuite\MemCheck.exe" [2008-02-01 03:05 173312]
"iTunesHelper"="D:\Internet\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"D:\\Internet\\iTunes\\iTunes.exe"=
R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\system32\drivers\cwbwdm.sys [2001-08-17 07:19]
R3 glzmpd;glzmpd;C:\WINDOWS\system32\DRIVERS\glzmpd.sys [2001-08-27 10:18]
S3 cirrus;cirrus;C:\WINDOWS\system32\DRIVERS\cirrus.sys [2001-08-17 08:57]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 23:40:20 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- D:\Util\SpeedUp\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-08 23:40:20 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- D:\Util\SpeedUp\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 07:43:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-04-20 7:44:03
ComboFix-quarantined-files.txt 2008-04-20 12:43:58
ComboFix2.txt 2008-04-20 06:27:45
ComboFix3.txt 2008-04-20 04:40:22
Pre-Run: 3,127,992,320 bytes free
Post-Run: 3,118,477,312 bytes free
93


Would really appreciate help with this.

tashi
2008-04-21, 01:06
Hello,



I looked at http://forums.spybot.info/showthread.php?t=27018&highlight=trojan.fakealert

but could not figure out how to translate the procedure to my case. I will give my scan files below.

I do have two questions. There is a link "explaining" how to save the file as CFScript. It consists of a picture of two buttons with a cursor going back and forth between them. Since ComboFix.exe runs in a cmd window, there are no buttons. Also, what do I drag it into?



Apparently you missed our sticky topics, please see:
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806 )

Please start a new topic and provide a link back to this one.

Best regards. :)