Virtumonde: Removal Help



gbrow
2008-12-24, 21:50
I have read and understand the directions given in forum thread 288. I followed the instructions for ComboFix and have run it successfully. Here is the resulting log. (I ran it before and Spybot showed no problems, but as soon as I joined the system to the network, it came back.)

ComboFix 08-12-23.01 - Gordon Brow 2008-12-24 11:52:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.533 [GMT -8:00]
Running from: J:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\uvobupap.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-24 12:19 . 2008-12-24 12:19 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-24 12:19 . 2008-12-24 12:19 1,409 --a------ c:\windows\QTFont.for
2008-12-23 10:47 . 2008-12-23 16:35 268 --a------ c:\windows\wininit.ini
2008-12-23 09:49 . 2008-12-23 12:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 09:49 . 2008-12-23 09:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-23 07:52 . 2008-12-23 07:52 <DIR> d-------- C:\VundoFix Backups
2008-12-22 11:47 . 2008-12-22 12:23 1,522 --a------ c:\windows\_isenv31.ini
2008-12-22 11:47 . 2008-12-22 12:23 521 --a------ c:\windows\_iserr31.ini
2008-12-22 11:47 . 2008-12-22 11:47 196 --a------ c:\windows\_delis32.ini
2008-12-22 11:42 . 2005-05-05 08:51 37,376 --a------ c:\windows\system32\hpz3l3xu.dll
2008-12-22 11:23 . 2008-12-22 11:24 <DIR> d-------- c:\program files\HP
2008-12-22 11:21 . 2008-12-22 11:21 <DIR> d-------- c:\documents and settings\Gordon Brow\Application Data\HP
2008-12-22 11:15 . 2008-12-22 11:15 <DIR> d-------- c:\temp\photosmart8
2008-12-22 10:52 . 2008-04-13 11:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-12-22 10:52 . 2008-04-13 11:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-12-21 12:49 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-21 12:49 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-21 12:49 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-21 12:49 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-21 12:48 . 2008-12-23 17:01 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-21 12:48 . 2008-12-21 12:48 <DIR> d-------- c:\documents and settings\Gordon Brow\Application Data\PC Tools
2008-12-15 12:30 . 2008-12-15 12:30 <DIR> d-------- c:\documents and settings\Gordon Brow\Application Data\Wireshark
2008-12-15 11:19 . 2008-12-15 11:20 <DIR> d-------- c:\program files\Wireshark
2008-12-15 11:19 . 2008-12-15 11:20 <DIR> d-------- c:\program files\WinPcap
2008-12-09 19:48 . 2008-12-09 19:51 <DIR> d-------- c:\temp\Cuban_Adventure
2008-12-09 19:27 . 2008-12-09 19:27 <DIR> d-------- C:\Gord
2008-12-02 09:37 . 2008-12-02 09:37 <DIR> d-------- c:\temp\Masks
2008-11-29 00:52 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-29 00:52 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 19:38 --------- d-----w c:\documents and settings\Gordon Brow\Application Data\Azureus
2008-12-24 15:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-22 22:48 --------- d-----w c:\documents and settings\All Users\Application Data\CodedColor
2008-12-21 07:40 --------- d-----w c:\program files\Azureus
2008-12-21 07:26 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-17 19:43 5,642 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-12-11 01:22 --------- d-----w c:\documents and settings\Gordon Brow\Application Data\Creative
2008-12-08 20:07 --------- d-----w c:\program files\Replay Media Catcher
2008-12-02 17:30 --------- d-----w c:\program files\Click'N Design 3D (V5)
2008-11-08 22:55 --------- d-----w c:\documents and settings\Gordon Brow\Application Data\dvdcss
2008-11-04 20:03 --------- d-----w c:\documents and settings\Gordon Brow\Application Data\NeroDigital™
2008-10-27 21:50 --------- d-----w c:\program files\CodedColor
2008-10-27 21:50 --------- d-----w c:\documents and settings\Gordon Brow\Application Data\CCPublisher
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 00:44 --------- d-----w c:\program files\AwardsTrack
2008-10-23 20:59 42,027,520 ----a-w C:\bcstandardbackup.dat
2008-10-23 15:03 265 ----a-w C:\restore.bat
2008-10-23 15:03 265 ----a-w C:\Copy of restore.bat
2008-10-23 15:03 265 ----a-w C:\Copy (2) of restore.bat
2008-10-22 02:38 46,230,016 ----a-w C:\bcstandardbackup2008.dat
2008-10-22 00:10 40,978,944 ----a-w C:\thoroughbredbackup1.dat
2008-07-23 21:41 168 --sh--r c:\documents and settings\All Users\Application Data\9DD98E525E.sys
2008-09-23 22:05 57,344 --sha-w c:\windows\system32\juteruno.dll
2008-09-23 22:05 62,174 --sha-w c:\windows\system32\ruhegozi.dll
2008-09-22 23:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092220080923\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-24_ 8.10.00.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-24 19:06:24 98,898 --sha-w c:\windows\system32\bojigenu.dll
+ 2008-12-24 19:06:24 84,078 --sha-w c:\windows\system32\papubovu.dll
- 2008-12-24 16:02:49 16,384 ------w c:\windows\Temp\Cookies\index.dat
+ 2008-12-24 20:17:16 16,384 ------w c:\windows\Temp\Cookies\index.dat
- 2008-12-24 16:02:49 16,384 ------w c:\windows\Temp\History\History.IE5\index.dat
+ 2008-12-24 20:17:16 16,384 ------w c:\windows\Temp\History\History.IE5\index.dat
+ 2008-12-24 20:17:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_dc.dat
- 2008-12-24 16:02:49 49,152 ------w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-24 20:17:16 49,152 ------w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8f45ba13-f70f-41bb-8175-d454b26845de}]
2008-09-23 14:05 62174 --ahs---- c:\windows\system32\ruhegozi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-11-17 49152]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-02-28 132392]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-17 3022848]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-28 335872]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-16 270336]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-29 624248]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-23 180269]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2004-03-12 124128]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"yadabotije"="c:\windows\system32\yubihimo.dll" [BU]
"84361916"="c:\windows\system32\papubovu.dll" [2008-12-24 84078]
"CPM87052a8a"="c:\windows\system32\bojigenu.dll" [2008-12-24 98898]
"nwiz"="nwiz.exe" [2003-11-17 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-04-25 c:\windows\SOUNDMAN.EXE]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-11-17 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2006-03-20 220160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\bojigenu.dll" [2008-12-24 98898]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bojigenu.dll [2008-12-24 98898]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]
--------- 2007-11-06 10:08 397312 c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-08-26 18:48 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"54812:TCP"= 54812:TCP:Azureus

R0 lfsfilt;Lean File Sharing;c:\windows\system32\DRIVERS\lfsfilt.sys [2008-01-02 140160]
R0 lpx;LPX Protocol;c:\windows\system32\DRIVERS\lpx.sys [2006-03-20 44288]
R2 msftesql$GORDO;SQL Server FullText Search (GORDO);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:GORDO [2006-02-14 92880]
R2 MSSQL$GORDO;SQL Server (GORDO);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sGORDO [2006-04-14 28933976]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\DRIVERS\ndasbus.sys [2006-03-20 59136]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\DRIVERS\scsiscan.sys [2008-01-01 11520]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\DRIVERS\ndasscsi.sys [2006-03-20 115584]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2004-03-12 169192]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-21 356920]
S3 SQLAgent$GORDO;SQL Server Agent (GORDO);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i GORDO [2006-04-14 319776]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
.
Contents of the 'Scheduled Tasks' folder

2008-12-24 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 13:21]

2008-12-18 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 13:21]

2008-12-23 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]

2008-12-24 c:\windows\Tasks\yoohcjor.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://btjunkie.org/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
TCP: {C39FDC77-244D-49FD-9FAB-5F7E4A9C721B} = 64.59.144.16,64.59.144.17

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Gordon Brow\Application Data\Mozilla\Firefox\Profiles\pvlw0kxx.default\
FF - prefs.js: browser.startup.homepage - hxxp://btjunkie.org/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 12:17:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$GORDO]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:GORDO"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\NDAS\System\ndassvc.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\SYMANT~1\VPTray.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-12-24 12:24:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-24 20:23:56
ComboFix2.txt 2008-12-24 16:10:30

Pre-Run: 34,593,734,656 bytes free
Post-Run: 34,582,061,056 bytes free

227 --- E O F --- 2008-12-18 11:03:32

Shaba
2008-12-26, 12:36
Hello gbrow

Please see this (http://forums.spybot.info/showthread.php?t=288) next

Please follow the instructions in the above thread and then start a fresh topic with the logs required.

Regards.