Virtuemonde!



sk8rrevolt
2009-01-04, 00:33
ComboFix 09-01-02.01 - Sal 2009-01-03 14:21:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.873 [GMT -8:00]
Running from: c:\documents and settings\Sal\Desktop\Secret Folder\Software Repairs\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sal\Application Data\gadcom
c:\documents and settings\Sal\Application Data\gadcom\gadcom.exe_old
c:\documents and settings\Sal\Application Data\SpeedRunner
c:\documents and settings\Sal\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\asrquhaf.dll_old
c:\windows\system32\coohjksk.dll
c:\windows\system32\QAdMUvut.ini
c:\windows\system32\QAdMUvut.ini2
c:\windows\system32\tuvUMdAQ.dll
c:\windows\system32\vtUmNFxU.dll
c:\windows\system32\wpv441229907443.cpx
c:\windows\system32\zebaeo.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-03 14:21 . 2008-01-19 20:12 128,104 --a------ c:\windows\system32\drivers\WimFltr.sys
2009-01-03 14:20 . 2008-01-19 19:40 15,088 --a------ c:\windows\system32\drivers\vproeventmonitor.sys
2009-01-03 14:18 . 2009-01-03 14:18 <DIR> d-------- c:\program files\Norton Ghost
2009-01-03 14:05 . 2009-01-03 14:05 26 --a------ c:\windows\ExplorerXP.INI
2008-12-29 22:06 . 2009-01-03 13:58 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-29 21:17 . 2008-12-29 21:21 <DIR> d-------- c:\program files\ExplorerXP
2008-12-29 21:07 . 2008-12-29 22:00 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-28 22:50 . 2008-12-28 22:50 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Webroot
2008-12-28 22:49 . 2008-12-28 22:49 <DIR> d--h----- c:\windows\PIF
2008-12-28 22:47 . 2008-12-28 23:27 <DIR> d-------- c:\documents and settings\Sal\Application Data\Lavasoft
2008-12-28 14:43 . 2009-01-03 14:01 766 --a------ c:\windows\wininit.ini
2008-12-15 16:07 . 2008-12-25 13:11 <DIR> d-------- c:\program files\Incomplete
2008-12-14 15:43 . 2008-12-14 15:43 <DIR> d-------- c:\documents and settings\Majed\Application Data\InterVideo
2008-12-07 23:47 . 2008-12-07 23:47 <DIR> d-------- c:\documents and settings\Sal\System
2008-12-07 23:47 . 2008-12-08 00:13 <DIR> d-------- c:\documents and settings\Sal\Application Data\SmartDraw
2008-12-07 23:42 . 2008-12-07 23:47 <DIR> d-------- c:\program files\SmartDraw 2009

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 22:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-03 22:33 --------- d-----w c:\program files\Steam
2009-01-03 22:33 --------- d-----w c:\documents and settings\Sal\Application Data\AVG7
2009-01-03 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-03 22:09 --------- d-----w c:\documents and settings\Sal\Application Data\mIRC
2009-01-03 22:08 --------- d-----w c:\program files\mIRC
2009-01-02 22:45 --------- d-----w c:\program files\PokerStars
2009-01-02 21:57 --------- d-----w c:\documents and settings\Majed\Application Data\AVG7
2008-12-30 05:02 --------- d-----w c:\documents and settings\Sal\Application Data\U3
2008-12-29 07:58 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-29 07:38 --------- d-----w c:\program files\Spyware Doctor
2008-12-29 06:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-25 03:14 --------- d-----w c:\program files\LimeWire
2008-12-25 01:33 --------- d-----w c:\documents and settings\Sal\Application Data\LimeWire
2008-12-11 06:31 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-01 22:52 --------- d-----w c:\program files\HP
2008-11-20 00:22 202,648 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-20 00:22 138,408 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-19 23:50 --------- d-----w c:\program files\Microsoft SQL Server
2008-11-19 19:39 --------- d-----w c:\program files\ASUS WiFi-AP Solo
2008-11-19 19:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-19 19:06 --------- d-----w c:\documents and settings\Sal\Application Data\InterVideo
2008-11-19 19:03 --------- d-----w c:\program files\InterVideo
2008-11-19 18:57 --------- d-----w c:\documents and settings\Sal\Application Data\Roxio
2008-11-19 18:34 --------- d-----w c:\documents and settings\Sal\Application Data\vlc
2008-11-19 05:08 --------- d-----w c:\documents and settings\Sal\Application Data\Symantec
2008-11-18 19:35 --------- d-----w c:\program files\microsoft frontpage
2008-11-17 22:00 --------- d-----w c:\documents and settings\Sal\Application Data\GetRightToGo
2008-11-17 21:47 --------- d-----w c:\program files\Microsoft Small Business
2008-11-17 21:01 --------- d-----w c:\program files\Microsoft Works
2008-11-17 21:00 --------- d-----w c:\program files\Microsoft.NET
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2007-11-28 00:47 22,328 ----a-w c:\documents and settings\Sal\Application Data\PnkBstrK.sys
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2008-09-08 05:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-10-16 1410296]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-19 36864]
"36X Raid Configurer"="c:\windows\System32\xRaidSetup.exe" [2007-03-21 1953792]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-19 2245984]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-26 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-11-19 987136]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-11-19 81920]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2003-10-09 1622016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zebaeo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\pinballx12889@aol.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\AIM Pro\\aimpro.exe"=
"c:\\Program Files\\HLSW\\hlsw.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\pinballx12889@aol.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\HLTV Tool by Marach\\HLTV Tool.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"c:\\Program Files\\Steam\\steamapps\\pinballx12889@aol.com\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Packet Tracer 5.0\\bin\\PacketTracer5.exe"=
"c:\\Program Files\\Steam\\steamapps\\pinballx12889@aol.com\\dedicated server\\hlds.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1553896]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-28 356920]
R4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2007-12-29 2368]
R4 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2002-08-29 5120]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-19 99376]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-11-25 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-11-19 13532]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09940c7d-9d40-11dc-a9f9-001d60e4f157}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3001ce7f-9bee-11dc-8714-001d60e4f157}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cabe929d-d62c-11dd-b98e-001d60e4f157}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - NORTON_GHOST
*Newly Created Service* - SYMANTEC_SYMSNAP_VSS_PROVIDER
*Newly Created Service* - SYMSNAPSERVICE
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-03 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-08-11 06:29]
.
- - - - ORPHANS REMOVED - - - -

BHO-{7d847252-642f-49a6-8be9-6cfbc167a4c5} - c:\windows\system32\zebaeo.dll
BHO-{AAECCACE-747B-4D2F-895A-B571C54D48E6} - c:\windows\system32\tuvUMdAQ.dll


.
------- Supplementary Scan -------
.
uStart Page = securityresponse.symantec.com/avcenter/fix_homepage/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Sal\Application Data\Mozilla\Firefox\Profiles\zizfnoc8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 14:35:26
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\MsPMSPSv.exe
c:\progra~1\3M\PSNLite\PSNGive.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Norton Ghost\Console\VProConsole.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\iTunes\iTunes.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
.
**************************************************************************
.
Completion time: 2009-01-03 14:41:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 22:41:31

Pre-Run: 165,881,679,872 bytes free
Post-Run: 165,992,566,784 bytes free

254 --- E O F --- 2008-12-19 05:55:01

sk8rrevolt
2009-01-04, 00:33
I keep getting Virtumonde over and over on my Spybot S&D and I don't know what to do... it has like all of them...