sk8rrevolt
2009-02-01, 23:01
Im currently on safe mode which is allowing me to get on to the internet and stuff but i keep getting this trojon horse which is bad!!!!\
----------------------------------------------------------------------------
ComboFix 09-01-31.01 - Sal 2009-02-01 1:50:54.5 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1746 [GMT -8:00]
Running from: c:\documents and settings\Sal\Desktop\Secret Folder\Software Repairs\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Sal\Application Data\Google\ptnmsnn.dll
c:\documents and settings\Sal\Application Data\Google\vgwsn871850.exe
.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.
2009-02-01 00:45 . 2009-02-01 00:45 <DIR> d-------- c:\program files\ATTToolbar
2009-02-01 00:45 . 2009-02-01 00:45 <DIR> d-------- c:\documents and settings\Sal\Application Data\Motive
2009-01-30 13:19 . 2009-02-01 00:45 <DIR> d-------- c:\documents and settings\Sal\Application Data\ATTToolbar
2009-01-30 13:19 . 2009-02-01 01:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATTToolbar
2009-01-30 13:12 . 2009-02-01 00:45 <DIR> d-------- c:\program files\Common Files\Motive
2009-01-30 13:12 . 2009-02-01 00:45 <DIR> d-------- c:\program files\ATT-HSI
2009-01-30 13:11 . 2009-01-30 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
2009-01-19 20:04 . 2009-01-19 20:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-01-19 20:04 . 2009-01-19 20:04 4,096 --a------ c:\windows\d3dx.dat
2009-01-18 22:58 . 2009-01-18 23:53 <DIR> d-------- c:\windows\system32\Adobe
2009-01-11 10:01 . 2009-01-11 10:01 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-05 21:16 . 2009-01-05 21:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2009-01-03 18:28 . 2009-01-03 20:14 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-03 14:18 . 2009-01-05 13:31 <DIR> d-------- c:\program files\Norton Ghost
2009-01-03 14:05 . 2009-01-03 14:05 26 --a------ c:\windows\ExplorerXP.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 16:00 --------- d-----w c:\documents and settings\Sal\Application Data\AVG7
2009-02-01 09:33 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-01 09:33 --------- d-----w c:\program files\Steam
2009-02-01 09:31 --------- d-----w c:\program files\Windows Live Safety Center
2009-02-01 08:45 --------- d-----w c:\documents and settings\Sal\Application Data\Apple Computer
2009-02-01 08:45 --------- d-----w c:\documents and settings\Sal\Application Data\AIMPro
2009-02-01 08:45 --------- d-----w c:\documents and settings\Sal\Application Data\acccore
2009-02-01 08:17 --------- d-----w c:\documents and settings\Sal\Application Data\BitTorrent
2009-01-22 01:12 --------- d-----w c:\documents and settings\Majed\Application Data\AVG7
2009-01-19 06:08 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-01-15 20:58 --------- d-----w c:\program files\World of Warcraft
2009-01-14 18:31 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-11 18:01 --------- d-----w c:\program files\Java
2009-01-06 05:06 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-01-05 06:29 --------- d-----w c:\program files\PokerStars
2009-01-03 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-03 22:09 --------- d-----w c:\documents and settings\Sal\Application Data\mIRC
2009-01-03 22:08 --------- d-----w c:\program files\mIRC
2008-12-30 06:00 --------- d-----w c:\program files\Enigma Software Group
2008-12-30 05:21 --------- d-----w c:\program files\ExplorerXP
2008-12-30 05:02 --------- d-----w c:\documents and settings\Sal\Application Data\U3
2008-12-29 07:58 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-29 07:38 --------- d-----w c:\program files\Spyware Doctor
2008-12-29 07:27 --------- d-----w c:\documents and settings\Sal\Application Data\Lavasoft
2008-12-29 06:50 --------- d-----w c:\documents and settings\LocalService\Application Data\Webroot
2008-12-29 06:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-25 21:11 --------- d-----w c:\program files\Incomplete
2008-12-25 03:14 --------- d-----w c:\program files\LimeWire
2008-12-25 01:33 --------- d-----w c:\documents and settings\Sal\Application Data\LimeWire
2008-12-14 23:43 --------- d-----w c:\documents and settings\Majed\Application Data\InterVideo
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 08:13 --------- d-----w c:\documents and settings\Sal\Application Data\SmartDraw
2008-12-08 07:47 --------- d-----w c:\program files\SmartDraw 2009
2008-12-01 22:52 --------- d-----w c:\program files\HP
2008-11-20 00:22 202,648 ----a-w c:\windows\system32\PnkBstrB.exe
2007-11-28 00:47 22,328 ----a-w c:\documents and settings\Sal\Application Data\PnkBstrK.sys
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2008-09-08 05:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.
((((((((((((((((((((((((((((( snapshot_2009-02-01_ 0.52.40.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 16:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 16:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 16:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 16:00:00 286,720 ----a-w c:\windows\SWREG.exe
- 2009-02-01 08:45:43 664,200 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-02-01 09:31:39 409,104 ----a-w c:\windows\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-10-16 1410296]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-19 36864]
"36X Raid Configurer"="c:\windows\System32\xRaidSetup.exe" [2007-03-21 1953792]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-26 219136]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-11-19 987136]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-11-19 81920]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2003-10-09 1622016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zebaeo.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\pinballx12889@aol.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\AIM Pro\\aimpro.exe"=
"c:\\Program Files\\HLSW\\hlsw.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\pinballx12889@aol.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\HLTV Tool by Marach\\HLTV Tool.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"c:\\Program Files\\Steam\\steamapps\\pinballx12889@aol.com\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Packet Tracer 5.0\\bin\\PacketTracer5.exe"=
"c:\\Program Files\\Steam\\steamapps\\pinballx12889@aol.com\\dedicated server\\hlds.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-19 99376]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-11-25 176128]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-28 356920]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
S4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2007-12-29 2368]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09940c7d-9d40-11dc-a9f9-001d60e4f157}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3001ce7f-9bee-11dc-8714-001d60e4f157}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cabe929d-d62c-11dd-b98e-001d60e4f157}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-01 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-08-11 06:29]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-realtehs - c:\documents and settings\Sal\Application Data\Google\vgwsn871850.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Sal\Application Data\Mozilla\Firefox\Profiles\zizfnoc8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 01:53:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-01 1:54:46
ComboFix-quarantined-files.txt 2009-02-01 09:54:45
ComboFix2.txt 2009-02-01 08:53:47
ComboFix3.txt 2009-01-03 22:41:36
Pre-Run: 155,068,465,152 bytes free
Post-Run: 155,085,422,592 bytes free
208 --- E O F --- 2009-01-14 18:31:40
Do NOT run 'fixes' before helpers have analyzed HJT log (http://forums.spybot.info/showthread.php?t=16806)
----------------------------------------------------------------------------
ComboFix 09-01-31.01 - Sal 2009-02-01 1:50:54.5 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1746 [GMT -8:00]
Running from: c:\documents and settings\Sal\Desktop\Secret Folder\Software Repairs\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Sal\Application Data\Google\ptnmsnn.dll
c:\documents and settings\Sal\Application Data\Google\vgwsn871850.exe
.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.
2009-02-01 00:45 . 2009-02-01 00:45 <DIR> d-------- c:\program files\ATTToolbar
2009-02-01 00:45 . 2009-02-01 00:45 <DIR> d-------- c:\documents and settings\Sal\Application Data\Motive
2009-01-30 13:19 . 2009-02-01 00:45 <DIR> d-------- c:\documents and settings\Sal\Application Data\ATTToolbar
2009-01-30 13:19 . 2009-02-01 01:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATTToolbar
2009-01-30 13:12 . 2009-02-01 00:45 <DIR> d-------- c:\program files\Common Files\Motive
2009-01-30 13:12 . 2009-02-01 00:45 <DIR> d-------- c:\program files\ATT-HSI
2009-01-30 13:11 . 2009-01-30 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
2009-01-19 20:04 . 2009-01-19 20:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-01-19 20:04 . 2009-01-19 20:04 4,096 --a------ c:\windows\d3dx.dat
2009-01-18 22:58 . 2009-01-18 23:53 <DIR> d-------- c:\windows\system32\Adobe
2009-01-11 10:01 . 2009-01-11 10:01 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-05 21:16 . 2009-01-05 21:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2009-01-03 18:28 . 2009-01-03 20:14 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-03 14:18 . 2009-01-05 13:31 <DIR> d-------- c:\program files\Norton Ghost
2009-01-03 14:05 . 2009-01-03 14:05 26 --a------ c:\windows\ExplorerXP.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 16:00 --------- d-----w c:\documents and settings\Sal\Application Data\AVG7
2009-02-01 09:33 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-01 09:33 --------- d-----w c:\program files\Steam
2009-02-01 09:31 --------- d-----w c:\program files\Windows Live Safety Center
2009-02-01 08:45 --------- d-----w c:\documents and settings\Sal\Application Data\Apple Computer
2009-02-01 08:45 --------- d-----w c:\documents and settings\Sal\Application Data\AIMPro
2009-02-01 08:45 --------- d-----w c:\documents and settings\Sal\Application Data\acccore
2009-02-01 08:17 --------- d-----w c:\documents and settings\Sal\Application Data\BitTorrent
2009-01-22 01:12 --------- d-----w c:\documents and settings\Majed\Application Data\AVG7
2009-01-19 06:08 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-01-15 20:58 --------- d-----w c:\program files\World of Warcraft
2009-01-14 18:31 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-11 18:01 --------- d-----w c:\program files\Java
2009-01-06 05:06 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-01-05 06:29 --------- d-----w c:\program files\PokerStars
2009-01-03 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-03 22:09 --------- d-----w c:\documents and settings\Sal\Application Data\mIRC
2009-01-03 22:08 --------- d-----w c:\program files\mIRC
2008-12-30 06:00 --------- d-----w c:\program files\Enigma Software Group
2008-12-30 05:21 --------- d-----w c:\program files\ExplorerXP
2008-12-30 05:02 --------- d-----w c:\documents and settings\Sal\Application Data\U3
2008-12-29 07:58 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-29 07:38 --------- d-----w c:\program files\Spyware Doctor
2008-12-29 07:27 --------- d-----w c:\documents and settings\Sal\Application Data\Lavasoft
2008-12-29 06:50 --------- d-----w c:\documents and settings\LocalService\Application Data\Webroot
2008-12-29 06:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-25 21:11 --------- d-----w c:\program files\Incomplete
2008-12-25 03:14 --------- d-----w c:\program files\LimeWire
2008-12-25 01:33 --------- d-----w c:\documents and settings\Sal\Application Data\LimeWire
2008-12-14 23:43 --------- d-----w c:\documents and settings\Majed\Application Data\InterVideo
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 08:13 --------- d-----w c:\documents and settings\Sal\Application Data\SmartDraw
2008-12-08 07:47 --------- d-----w c:\program files\SmartDraw 2009
2008-12-01 22:52 --------- d-----w c:\program files\HP
2008-11-20 00:22 202,648 ----a-w c:\windows\system32\PnkBstrB.exe
2007-11-28 00:47 22,328 ----a-w c:\documents and settings\Sal\Application Data\PnkBstrK.sys
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2008-09-08 05:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.
((((((((((((((((((((((((((((( snapshot_2009-02-01_ 0.52.40.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 16:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 16:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 16:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 16:00:00 286,720 ----a-w c:\windows\SWREG.exe
- 2009-02-01 08:45:43 664,200 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-02-01 09:31:39 409,104 ----a-w c:\windows\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-10-16 1410296]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-19 36864]
"36X Raid Configurer"="c:\windows\System32\xRaidSetup.exe" [2007-03-21 1953792]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-26 219136]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-11-19 987136]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-11-19 81920]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2003-10-09 1622016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zebaeo.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\pinballx12889@aol.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\AIM Pro\\aimpro.exe"=
"c:\\Program Files\\HLSW\\hlsw.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\pinballx12889@aol.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\HLTV Tool by Marach\\HLTV Tool.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"c:\\Program Files\\Steam\\steamapps\\pinballx12889@aol.com\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Packet Tracer 5.0\\bin\\PacketTracer5.exe"=
"c:\\Program Files\\Steam\\steamapps\\pinballx12889@aol.com\\dedicated server\\hlds.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-19 99376]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-11-25 176128]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-28 356920]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
S4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
S4 SVKP;SVKP;c:\windows\system32\SVKP.sys [2007-12-29 2368]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09940c7d-9d40-11dc-a9f9-001d60e4f157}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3001ce7f-9bee-11dc-8714-001d60e4f157}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cabe929d-d62c-11dd-b98e-001d60e4f157}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-01 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-08-11 06:29]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-realtehs - c:\documents and settings\Sal\Application Data\Google\vgwsn871850.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Sal\Application Data\Mozilla\Firefox\Profiles\zizfnoc8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 01:53:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-01 1:54:46
ComboFix-quarantined-files.txt 2009-02-01 09:54:45
ComboFix2.txt 2009-02-01 08:53:47
ComboFix3.txt 2009-01-03 22:41:36
Pre-Run: 155,068,465,152 bytes free
Post-Run: 155,085,422,592 bytes free
208 --- E O F --- 2009-01-14 18:31:40
Do NOT run 'fixes' before helpers have analyzed HJT log (http://forums.spybot.info/showthread.php?t=16806)