Malware Problems - possible smitfraud



BaldingSteve
2009-04-16, 04:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:46 PM, on 4/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\xpv_5902_012208\wdm\STacSV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\h2nv9jjxcg.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\472201336.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\h2nv9jjxcg.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {4ab12ac5-0452-43ec-b5f6-fb8c8bdc3faa} - C:\WINDOWS\system32\dezuzara.dll
O2 - BHO: C:\WINDOWS\system32\zfgh83jg3.dll - {d5bf49a0-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O2 - BHO: C:\WINDOWS\system32\sdfgerfgf3f.dll - {e2ba40a2-74f3-42bd-f434-2604812c8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Gaming Mouse] C:\Program Files\Cyber Snipa S.W.A.T. Mouse\S.W.A.T. Mouse.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [f41086ca] rundll32.exe "C:\WINDOWS\system32\pewofesa.dll",b
O4 - HKLM\..\Run: [CPMf723b556] Rundll32.exe "c:\windows\system32\zotizewi.dll",a
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Vsesubitukixuyoy] rundll32.exe "C:\WINDOWS\ilunukifasocuke.dll",e
O4 - HKLM\..\Run: [fenayijuso] Rundll32.exe "C:\WINDOWS\system32\dewizide.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [Windows Resurections] C:\DOCUME~1\Owner\LOCALS~1\Temp\h2nv9jjxcg.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\472201336.exe
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\gbgjwlk78.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\gbgjwlk78.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1450326336.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Reboot.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\milifuse.dll c:\windows\system32\zotizewi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zotizewi.dll
O22 - SharedTaskScheduler: sdfg54y54yhhgth6w4efvrg - {E2BA40A2-74F3-42BD-F434-2604812C8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zotizewi.dll
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\xpv_5902_012208\wdm\STacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8038 bytes

pskelley
2009-04-17, 20:43
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You must have read and followed the "Before you Post" instructions; there are no excuses for not following the directions.

Review the instructions before you start; TeaTimer is NOT disabled as instructed:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Make sure you missed nothing else you need to know.

I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do. The junk can be tough to remove, so do not expect fast or easy.

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks
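An added example, not code from this thread: a small Python helper that pulls the O4 (autostart) entries out of a HijackThis log like the one posted above, reports whether Spybot's TeaTimer is still set to start (the check in the reply above), and flags the entries a reader would want to triage first, namely executables started from a Temp directory and rundll32 loading a DLL. The sample lines are constructed from the posted log and are not a full one.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a few lines in the style of the HijackThis log posted
# at the top of this thread (copied from it, not the whole log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [f41086ca] rundll32.exe "C:\WINDOWS\system32\pewofesa.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\DOCUME~1\Owner\LOCALS~1\Temp\h2nv9jjxcg.exe
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1450326336.exe (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# "O4 - <hive>\..\Run: [<name>] <command>" is a registry Run-key entry.
REG_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - Startup: <name> = <command>" / "O4 - Global Startup: ..." is a Startup-folder entry.
STARTUP = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# HijackThis appends "(User 'X')" to entries found under another user's hive.
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)\s*$")
# rundll32 followed by an optionally quoted DLL path (the ",entrypoint" part is dropped).
RUNDLL = re.compile(r'(?i)^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)')
# Any "\Temp\" directory component, e.g. LOCALS~1\Temp\ or WINDOWS\TEMP\.
TEMP_DIR = re.compile(r"(?i)\\temp\\")


@dataclass
class O4Entry:
    hive: str   # registry hive or Startup folder the entry lives in
    name: str   # value name, or .lnk/file name for Startup folders
    cmd: str    # command line as HijackThis printed it, user suffix removed


def parse_o4(log: str) -> List[O4Entry]:
    """Return the O4 entries of a HijackThis log; every other section is ignored."""
    entries = []
    for line in log.splitlines():
        m = REG_RUN.match(line) or STARTUP.match(line)
        if m:
            cmd = USER_SUFFIX.sub("", m.group("cmd"))
            entries.append(O4Entry(m.group("hive"), m.group("name"), cmd))
    return entries


def triage(entries: List[O4Entry]) -> List[str]:
    """Flag autostarts that run from a Temp directory or load a DLL via rundll32."""
    findings = []
    for e in entries:
        dll = RUNDLL.match(e.cmd)
        if dll:
            findings.append(f"[{e.name}] rundll32 loads {dll.group('dll')}")
        elif TEMP_DIR.search(e.cmd):
            findings.append(f"[{e.name}] runs from a Temp directory: {e.cmd}")
    return findings


def teatimer_enabled(entries: List[O4Entry]) -> bool:
    """True while Spybot's TeaTimer is still set to start, which blocks the fixes."""
    return any(e.name == "SpybotSD TeaTimer" for e in entries)


if __name__ == "__main__":
    found = parse_o4(SAMPLE_LOG)
    print("TeaTimer still enabled:", teatimer_enabled(found))
    for line in triage(found):
        print(line)
```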

BaldingSteve
2009-04-18, 05:32
I have a problem. I disabled TeaTimer like you said, but now I can't access my applications. When I turn my computer on/log on, the first message I get says something along the lines of "Microsoft has closed the application Userinit Logon."

I'm posting this from my laptop just to clarify.

pskelley
2009-04-18, 12:49
Look at the instructions for disabling TeaTimer again, I will post them here:
We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

Those instructions have nothing to do with Windows or Userinit Logon. Please continue with the instructions. Make sure you post any error messages from Windows exactly as they appear, word for word.

Thanks

BaldingSteve
2009-04-18, 18:28
I know they have nothing to do with Userinit Logon; that is why I'm concerned.

I followed the steps, and when I restarted my computer that's what showed.


To help protect your computer, Windows has closed this program.

Name: Userinit Logon Application
Publisher: Microsoft Corporation

pskelley
2009-04-18, 18:50
Please continue with #2 and #3 of the instructions. Likely malware is causing Windows to create that message, and ComboFix may help.

Thanks

BaldingSteve
2009-04-18, 19:17
I can't access any applications, which means I can't download ComboFix.

pskelley
2009-04-18, 19:28
I am not sure what I can do to help if you cannot run anything. Perhaps Microsoft can help? http://support.microsoft.com/

You could also give this a try:
http://support.microsoft.com/kb/307852

BaldingSteve
2009-04-18, 20:27
I allowed myself to use my applications again - I disabled one of the virus's processes disguised as svchost.exe.

I'm going to run combofix now.

BaldingSteve
2009-04-18, 20:52
ComboFix ran, but I still can't see my taskbar, and now Task Manager is prevented from opening. I'm going to reformat.

Thanks for your help

pskelley
2009-04-18, 20:56
Can you post the log from combofix so I can get an idea of the problem? It will be located at C:\Combofix.txt

BaldingSteve
2009-04-18, 20:56
Or is there a way to get around being unable to connect to the internet?

I'm sorry about this.

pskelley
2009-04-18, 21:00
It appears you have another computer; use it to download and bring the tools to the infected computer. Be careful you don't infect that computer, though. Once the malware is removed you should be able to get online, that is if the problem is malware and not something else.

BaldingSteve
2009-04-18, 21:02
I'll copy the file onto this once it's finished scanning.

BaldingSteve
2009-04-18, 21:11
Combofix Log:
ComboFix 09-04-19.01 - Owner 04/18/2009 15:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1602 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090417-0] *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\gavomiwi.dll

.

((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-30 21:04 . 2009-04-13 02:25 -------- d-----w c:\program files\Perpetuum
2009-04-28 22:56 . 2009-04-28 22:56 -------- d-----w C:\Turok-Dinosaur Hunter
2009-04-28 19:10 . 2009-04-29 11:11 -------- d-----w C:\Jim's Big Ego
2009-04-28 19:08 . 2009-04-29 06:43 -------- d-----w C:\Da Vinci's Notebook
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\windows\system32\AGEIA
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\program files\AGEIA Technologies
2009-04-25 02:19 . 2009-02-18 18:44 212711 ----a-w c:\windows\system32\nvapps.nvb
2009-04-25 02:18 . 2009-04-25 02:18 -------- d-----w C:\NVIDIA
2009-04-24 21:58 . 2008-07-21 02:55 241719 ----a-w c:\windows\system32\stacsv.exe
2009-04-24 21:58 . 2008-07-21 02:55 2314240 ----a-w c:\windows\system32\stlang.dll
2009-04-24 21:58 . 2008-07-21 02:55 8101951 ----a-w c:\windows\system32\idtsg.cpl
2009-04-24 21:58 . 2008-07-21 02:55 462913 ----a-w c:\windows\sttray.exe
2009-04-24 21:58 . 2008-07-21 02:55 442439 ----a-w c:\windows\system32\stacapi.dll
2009-04-24 21:58 . 2008-07-21 02:55 150016 ----a-w c:\windows\system32\staco.dll
2009-04-24 21:58 . 2008-07-21 02:55 1292888 ----a-w c:\windows\system32\drivers\sthda.sys
2009-04-24 21:57 . 2009-04-24 21:58 -------- d-----w c:\program files\IDT
2009-04-24 21:57 . 2008-08-07 11:14 111360 ----a-r c:\windows\system32\drivers\Rtenicxp.sys
2009-04-24 21:57 . 2008-08-07 03:38 9728 ----a-r c:\windows\system32\RtNicProp32.dll
2009-04-24 21:52 . 2009-04-25 02:21 -------- d-----w c:\windows\nview
2009-04-24 21:47 . 2007-10-12 01:40 9096 ----a-r c:\windows\system32\drivers\amdide.sys
2009-04-24 21:46 . 2009-04-24 21:46 -------- d-----w c:\windows\system32\Tools
2009-04-24 21:45 . 2006-12-26 12:31 4864 ----a-r c:\windows\system32\drivers\PortIo.sys
2009-04-17 00:02 . 2009-04-17 00:02 -------- d-s---w c:\documents and settings\Owner\UserData
2009-04-16 03:07 . 2009-04-16 03:07 325 ----a-w c:\windows\wininit.ini
2009-04-16 02:04 . 2009-04-16 02:04 -------- d-----w c:\program files\Trend Micro
2009-04-16 02:03 . 2009-04-16 22:48 -------- d-----w c:\program files\ERUNT
2009-04-16 00:33 . 2009-04-17 00:20 16 ----a-w c:\windows\Omazalafoqip.bin
2009-04-16 00:33 . 2009-04-16 00:33 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\{FAC88654-A131-4D8F-9250-3BF4B5675C5E}
2009-04-16 00:33 . 2009-04-17 00:50 158208 ----a-w c:\windows\Gxecesaz.dat
2009-04-16 00:27 . 2004-08-04 12:00 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-16 00:27 . 2009-04-16 00:27 15000 ----a-w c:\windows\system32\zfgh83jg3.dll
2009-04-15 22:24 . 2009-04-18 19:05 105710 ----a-w c:\windows\system32\drivers\ee2caf9a.sys
2009-04-15 22:24 . 2009-04-15 22:24 55296 ----a-w C:\rnvx.exe
2009-04-15 22:24 . 2009-04-15 22:24 2 ----a-w C:\-200243611
2009-04-15 22:23 . 2009-04-15 22:23 68096 ----a-w C:\tbbek.exe
2009-04-14 03:01 . 2009-04-14 03:03 -------- d-----w c:\program files\AIM6
2009-04-13 23:23 . 2009-04-13 23:23 107520 --sha-w c:\windows\system32\lopivasa.dll
2009-04-12 04:52 . 2009-04-13 23:57 -------- d-----w c:\documents and settings\Owner\Application Data\IObit
2009-04-12 04:52 . 2009-04-12 15:53 -------- d-----w c:\program files\IObit
2009-04-09 05:16 . 2009-04-09 09:15 -------- d-----w C:\Jonathan_Coulton_Complete_Discography_192kbps
2009-04-04 20:21 . 2009-04-04 20:21 -------- d-----w c:\program files\Bethesda Softworks
2009-04-04 06:33 . 2009-04-04 06:33 -------- d-----w c:\program files\Common Files\DirectX
2009-04-02 21:42 . 2009-04-04 06:32 -------- d-----w c:\program files\Garena
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w C:\VertigoGames
2009-04-01 06:01 . 2009-04-01 06:26 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-01 05:53 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-01 05:53 . 2008-06-13 13:10 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-01 05:50 . 2008-08-14 10:00 2180352 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-01 05:50 . 2008-08-14 09:58 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-01 05:50 . 2008-08-14 09:22 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-01 05:50 . 2008-08-14 09:22 2057728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-01 05:43 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-01 05:35 . 2009-04-01 08:05 -------- d--h--w c:\windows\$hf_mig$
2009-03-20 22:25 . 2009-03-20 22:25 41808 ----a-w c:\windows\system32\xfcodec.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 21:25 . 2009-02-19 00:08 -------- d-----w c:\program files\Last.fm
2009-04-29 22:23 . 2009-01-18 20:51 -------- d-----w c:\documents and settings\Owner\Application Data\Winamp
2009-04-29 05:15 . 2008-04-14 00:55 -------- d-----w c:\program files\uTorrent
2009-04-29 01:36 . 2009-02-21 07:16 -------- d-----w c:\program files\Warcraft III
2009-04-29 00:31 . 2009-02-21 07:18 77589 ----a-w c:\windows\War3Unin.dat
2009-04-28 21:11 . 2008-10-03 04:01 -------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2009-04-28 21:11 . 2008-10-03 04:01 25280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-04-25 02:19 . 2008-01-06 17:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-25 00:09 . 2008-10-27 04:03 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-25 00:09 . 2008-10-27 04:03 -------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-04-24 21:57 . 2008-01-02 23:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 21:40 . 2008-01-04 01:15 -------- d-----w c:\documents and settings\Owner\Application Data\Launchy
2009-04-18 18:19 . 2008-03-28 01:17 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-17 04:37 . 2008-02-02 03:10 -------- d-----w c:\program files\PowerISO
2009-04-17 02:54 . 2008-03-07 04:10 -------- d-----w c:\program files\Steam
2009-04-16 22:49 . 2008-10-15 01:39 -------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-04-16 02:46 . 2008-01-02 23:52 -------- d-----w c:\program files\Realtek AC97
2009-04-16 02:41 . 2008-05-06 04:54 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-16 02:41 . 2008-05-06 04:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 01:55 . 2009-01-18 20:51 -------- d-----w c:\program files\Winamp
2009-04-16 00:35 . 2008-01-04 01:28 -------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-04-15 00:25 . 2009-01-15 00:25 88576 --sha-w c:\windows\system32\bidifetu.dll.vir
2009-04-14 03:03 . 2008-01-20 04:20 2588 ---ha-w C:\IPH.PH
2009-04-14 03:03 . 2008-01-18 03:46 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-12 20:48 . 2008-01-04 01:28 -------- d-----w c:\program files\Xfire
2009-04-12 16:02 . 2009-01-12 16:02 108544 --sha-w c:\windows\system32\tidifara.dll
2009-04-11 16:02 . 2009-01-11 16:01 70144 --sha-w c:\windows\system32\tijezaze.dll
2009-04-11 16:01 . 2009-01-11 16:01 109568 --sha-w c:\windows\system32\yedibona.dll
2009-04-10 23:25 . 2008-09-12 02:50 -------- d-----w c:\program files\Atari
2009-04-09 11:01 . 2008-03-17 18:03 -------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-04-04 19:22 . 2008-12-17 06:08 -------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2009-04-04 18:38 . 2008-12-17 06:08 -------- d-----w c:\program files\mIRC
2009-02-24 05:58 . 2008-04-18 01:02 -------- d-----w c:\program files\QuickTime
2009-02-21 07:24 . 2009-02-21 07:18 2829 ----a-w c:\windows\War3Unin.pif
2009-02-19 19:53 . 2009-02-19 19:53 -------- d-----w c:\program files\Common Files\INCA Shared
2009-02-19 00:09 . 2009-02-19 00:09 -------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2009-02-17 03:17 . 2008-01-02 23:49 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2008-10-20 23:21 . 2008-01-05 18:33 24880 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-01 11:15 . 2008-08-01 11:15 74864 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-01-11 16:02 . 2009-01-11 16:02 70144 --sha-w c:\windows\system32\monekuho.dll.tmp
2009-01-11 16:02 . 2009-01-11 16:02 70144 --sha-w c:\windows\system32\wipidahe.dll.tmp
2009-01-11 16:02 . 2009-01-11 16:02 70144 --sha-w c:\windows\system32\zigehuze.dll.tmp
.

------- Sigcheck -------

[-] 2008-04-14 00:12 14336 F659C9716309655AB68765743664E36B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2004-08-04 12:00 34304 F325E0DE4F224CD049D6C75BC620B04F c:\windows\system32\svchost.exe
[-] 2004-08-04 12:00 14336 178EDD883A1119F776C54B7484F7CCD1 c:\windows\system32\dllcache\svchost.exe

[-] 2008-04-14 00:12 507904 876AF0F5AFDB8CC2C6E8CCF16BE3C234 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2008-01-02 23:46 502272 6225F14B8CE08CCBA8B25AD27843C674 c:\windows\system32\winlogon.exe

[-] 2004-08-04 12:00 1052160 4CFCEB7A1641ED7D3E6F9D55690BE1A9 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1033728 A8EA2ABBE4F64C4C7E15E34CD95EC002 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2004-08-04 12:00 1032192 2F9CE7162DCAC8A0B66CDB3ADDD4825F c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 00:12 15360 2C2D86746C81F82DE35E639B43DF591B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
[-] 2004-08-04 12:00 35328 6D66A0810B4D0947A187799C618F0A0F c:\windows\system32\ctfmon.exe
[-] 2004-08-04 12:00 15360 135DEA5036F9EBA19FD4E5619CCC73B2 c:\windows\system32\dllcache\ctfmon.exe

[-] 2008-04-14 00:12 57856 6D6FA43A4765DDA269DFD174A7E5235D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
[-] 2004-08-04 12:00 77824 6B6E8B138E4A8E91CE8D6404042D7E8D c:\windows\system32\spoolsv.exe
[-] 2004-08-04 12:00 57856 B978FB23FA8E0673D06A8C07166BC7DF c:\windows\system32\dllcache\spoolsv.exe

[-] 2008-04-14 00:12 26112 AFE92A5AEC531E32BCA0FC21BF7AC1B5 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2004-08-04 12:00 44544 17EE0D9D476DE54BDAA82C40B65A4340 c:\windows\system32\userinit.exe
[-] 2004-08-04 12:00 24576 4F5F151B939E02F5312934B9EFE8947D c:\windows\system32\dllcache\userinit.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Gaming Mouse"="c:\program files\Cyber Snipa S.W.A.T. Mouse\S.W.A.T. Mouse.exe" [2006-12-01 839680]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-07-21 462913]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"Vsesubitukixuyoy"="c:\windows\Gxecesaz.dat" [2009-04-17 158208]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-1-3 294912]
Reboot.exe [2006-12-29 429056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 17:10 18744 ----a-w c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Black Isle\\Baldur's Gate\\BGMain2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\day of defeat source\\hl2.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\opposing force\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life blue shift\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\dystopia\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6113:TCP"= 6113:TCP:War3



R3 XDva225;XDva225; [x]

S1 aswSP;avast! Self Protection; [x]

S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-03-16 13696]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 45132]





[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff94b590-b958-11dc-b694-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2009-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-28 22:08]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKLM-Run-fenayijuso - c:\windows\system32\dewizide.dll
HKLM-Run-f41086ca - c:\windows\system32\pewofesa.dll
SharedTaskScheduler-{E2BA40A2-74F3-42BD-F434-2604812C8953} - c:\windows\system32\sdfgerfgf3f.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/puccini/start
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6mtgxo9p.default\
FF - prefs.js: browser.startup.homepage - www.left4dead411.com
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 15:05
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ee2caf9a]
"ImagePath"="\SystemRoot\System32\drivers\ee2caf9a.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\PCANotify.dll

- - - - - - - > 'explorer.exe'(3288)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
.
Completion time: 2009-04-18 15:06
ComboFix-quarantined-files.txt 2009-04-18 19:06

Pre-Run: 15,512,473,600 bytes free
Post-Run: 15,491,002,368 bytes free

305 --- E O F --- 2009-04-01 08:05

HJT LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:47 PM, on 4/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\xpv_5902_012208\wdm\STacSV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Gaming Mouse] C:\Program Files\Cyber Snipa S.W.A.T. Mouse\S.W.A.T. Mouse.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Vsesubitukixuyoy] rundll32.exe "C:\WINDOWS\Gxecesaz.dat",e
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Reboot.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\xpv_5902_012208\wdm\STacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 5177 bytes

pskelley
2009-04-18, 22:13
Can you get that computer online now? It would be easier to download tools to the computer you will use them on.

Word Wrap is turned on in Notepad, making the logs hard to work with. Click "Format" at the top and uncheck "Word Wrap".

Let's do this next. If you get online, make sure you allow ComboFix to update or install the Recovery Console if it asks to.

Follow the directions carefully:

Open Notepad and copy/paste the text in the codebox below into it:


Driver::
ee2caf9a

File::
C:\rnvx.exe
C:\tbbek.exe
C:\WINDOWS\Gxecesaz.dat
c:\windows\Omazalafoqip.bin
c:\windows\Gxecesaz.dat
c:\windows\system32\zfgh83jg3.dll
c:\windows\system32\drivers\ee2caf9a.sys
c:\windows\system32\lopivasa.dll
c:\windows\system32\bidifetu.dll.vir
c:\windows\system32\tidifara.dll
c:\windows\system32\tijezaze.dll
c:\windows\system32\yedibona.dll
c:\windows\system32\monekuho.dll.tmp
c:\windows\system32\wipidahe.dll.tmp
c:\windows\system32\zigehuze.dll.tmp

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff94b590-b958-11dc-b694-806d6172696f}]

Folder::
C:\-200243611
c:\program files\uTorrent
c:\documents and settings\Owner\Application Data\uTorrent

Save this as CFScript.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Thanks

BaldingSteve
2009-04-18, 23:07
ComboFix:
ComboFix 09-04-19.01 - Owner 04/18/2009 16:45.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1391 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090418-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\rnvx.exe
C:\tbbek.exe
c:\windows\Gxecesaz.dat
c:\windows\Omazalafoqip.bin
c:\windows\system32\bidifetu.dll.vir
c:\windows\system32\drivers\ee2caf9a.sys
c:\windows\system32\lopivasa.dll
c:\windows\system32\monekuho.dll.tmp
c:\windows\system32\tidifara.dll
c:\windows\system32\tijezaze.dll
c:\windows\system32\wipidahe.dll.tmp
c:\windows\system32\yedibona.dll
c:\windows\system32\zfgh83jg3.dll
c:\windows\system32\zigehuze.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\uTorrent
c:\documents and settings\Owner\Application Data\uTorrent\Assassins.Creed.REPACK-RELOADED.torrent
c:\documents and settings\Owner\Application Data\uTorrent\Charlie Haden with Michael Brecker - American Dreams (2002).torrent
c:\documents and settings\Owner\Application Data\uTorrent\Colombo Jazz - Charlie Haden & Egberto Gismonti - Live in Montreal - mp3 256.torrent
c:\documents and settings\Owner\Application Data\uTorrent\Condemned.Criminal.Origins.PC.English.[SpaTorrent.com].torrent
c:\documents and settings\Owner\Application Data\uTorrent\Da Vinci's Notebook.torrent
c:\documents and settings\Owner\Application Data\uTorrent\dht.dat
c:\documents and settings\Owner\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Owner\Application Data\uTorrent\Jim's Big Ego.torrent
c:\documents and settings\Owner\Application Data\uTorrent\Jonathan_Coulton_Complete_Discography_192kbps.torrent
c:\documents and settings\Owner\Application Data\uTorrent\Mass.Effect.torrent
c:\documents and settings\Owner\Application Data\uTorrent\resume.dat
c:\documents and settings\Owner\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Owner\Application Data\uTorrent\rss.dat
c:\documents and settings\Owner\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Owner\Application Data\uTorrent\settings.dat
c:\documents and settings\Owner\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Owner\Application Data\uTorrent\utorrent.lng
c:\documents and settings\Owner\Application Data\uTorrent\WINAMP PRO 5.53 Build 1924Final(NEW-with serial keys).torrent
c:\documents and settings\Owner\Application Data\uTorrent\Windows XP Home SP2 [OEM Edition].torrent
c:\program files\uTorrent
c:\program files\uTorrent\Shortcut to uTorrent.exe.lnk
C:\rnvx.exe
C:\tbbek.exe
c:\windows\Gxecesaz.dat
c:\windows\Omazalafoqip.bin
c:\windows\system32\bidifetu.dll.vir
c:\windows\system32\drivers\ee2caf9a.sys
c:\windows\system32\lopivasa.dll
c:\windows\system32\monekuho.dll.tmp
c:\windows\system32\tidifara.dll
c:\windows\system32\tijezaze.dll
c:\windows\system32\wipidahe.dll.tmp
c:\windows\system32\yedibona.dll
c:\windows\system32\zfgh83jg3.dll
c:\windows\system32\zigehuze.dll.tmp

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ee2caf9a


((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-30 21:04 . 2009-04-13 02:25 -------- d-----w c:\program files\Perpetuum
2009-04-28 22:56 . 2009-04-28 22:56 -------- d-----w C:\Turok-Dinosaur Hunter
2009-04-28 19:10 . 2009-04-29 11:11 -------- d-----w C:\Jim's Big Ego
2009-04-28 19:08 . 2009-04-29 06:43 -------- d-----w C:\Da Vinci's Notebook
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\windows\system32\AGEIA
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\program files\AGEIA Technologies
2009-04-25 02:19 . 2009-02-18 18:44 212711 ----a-w c:\windows\system32\nvapps.nvb
2009-04-25 02:18 . 2009-04-25 02:18 -------- d-----w C:\NVIDIA
2009-04-24 21:58 . 2008-07-21 02:55 241719 ----a-w c:\windows\system32\stacsv.exe
2009-04-24 21:58 . 2008-07-21 02:55 2314240 ----a-w c:\windows\system32\stlang.dll
2009-04-24 21:58 . 2008-07-21 02:55 8101951 ----a-w c:\windows\system32\idtsg.cpl
2009-04-24 21:58 . 2008-07-21 02:55 462913 ----a-w c:\windows\sttray.exe
2009-04-24 21:58 . 2008-07-21 02:55 442439 ----a-w c:\windows\system32\stacapi.dll
2009-04-24 21:58 . 2008-07-21 02:55 150016 ----a-w c:\windows\system32\staco.dll
2009-04-24 21:58 . 2008-07-21 02:55 1292888 ----a-w c:\windows\system32\drivers\sthda.sys
2009-04-24 21:57 . 2009-04-24 21:58 -------- d-----w c:\program files\IDT
2009-04-24 21:57 . 2008-08-07 11:14 111360 ----a-r c:\windows\system32\drivers\Rtenicxp.sys
2009-04-24 21:57 . 2008-08-07 03:38 9728 ----a-r c:\windows\system32\RtNicProp32.dll
2009-04-24 21:52 . 2009-04-25 02:21 -------- d-----w c:\windows\nview
2009-04-24 21:47 . 2007-10-12 01:40 9096 ----a-r c:\windows\system32\drivers\amdide.sys
2009-04-24 21:46 . 2009-04-24 21:46 -------- d-----w c:\windows\system32\Tools
2009-04-24 21:45 . 2006-12-26 12:31 4864 ----a-r c:\windows\system32\drivers\PortIo.sys
2009-04-17 00:02 . 2009-04-17 00:02 -------- d-s---w c:\documents and settings\Owner\UserData
2009-04-16 03:07 . 2009-04-16 03:07 325 ----a-w c:\windows\wininit.ini
2009-04-16 02:04 . 2009-04-16 02:04 -------- d-----w c:\program files\Trend Micro
2009-04-16 02:03 . 2009-04-16 22:48 -------- d-----w c:\program files\ERUNT
2009-04-16 00:33 . 2009-04-16 00:33 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\{FAC88654-A131-4D8F-9250-3BF4B5675C5E}
2009-04-16 00:27 . 2004-08-04 12:00 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-15 22:24 . 2009-04-15 22:24 2 ----a-w C:\-200243611
2009-04-14 03:01 . 2009-04-14 03:03 -------- d-----w c:\program files\AIM6
2009-04-12 04:52 . 2009-04-13 23:57 -------- d-----w c:\documents and settings\Owner\Application Data\IObit
2009-04-12 04:52 . 2009-04-12 15:53 -------- d-----w c:\program files\IObit
2009-04-09 05:16 . 2009-04-09 09:15 -------- d-----w C:\Jonathan_Coulton_Complete_Discography_192kbps
2009-04-04 20:21 . 2009-04-04 20:21 -------- d-----w c:\program files\Bethesda Softworks
2009-04-04 06:33 . 2009-04-04 06:33 -------- d-----w c:\program files\Common Files\DirectX
2009-04-02 21:42 . 2009-04-04 06:32 -------- d-----w c:\program files\Garena
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w C:\VertigoGames
2009-04-01 06:01 . 2009-04-01 06:26 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-01 05:53 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-01 05:53 . 2008-06-13 13:10 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-01 05:50 . 2008-08-14 10:00 2180352 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-01 05:50 . 2008-08-14 09:58 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-01 05:50 . 2008-08-14 09:22 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-01 05:50 . 2008-08-14 09:22 2057728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-01 05:43 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-01 05:35 . 2009-04-01 08:05 -------- d--h--w c:\windows\$hf_mig$
2009-03-20 22:25 . 2009-03-20 22:25 41808 ----a-w c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 21:25 . 2009-02-19 00:08 -------- d-----w c:\program files\Last.fm
2009-04-29 22:23 . 2009-01-18 20:51 -------- d-----w c:\documents and settings\Owner\Application Data\Winamp
2009-04-29 01:36 . 2009-02-21 07:16 -------- d-----w c:\program files\Warcraft III
2009-04-29 00:31 . 2009-02-21 07:18 77589 ----a-w c:\windows\War3Unin.dat
2009-04-28 21:11 . 2008-10-03 04:01 -------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2009-04-28 21:11 . 2008-10-03 04:01 25280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-04-25 02:19 . 2008-01-06 17:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-25 00:09 . 2008-10-27 04:03 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-25 00:09 . 2008-10-27 04:03 -------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-04-24 21:57 . 2008-01-02 23:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 21:40 . 2008-01-04 01:15 -------- d-----w c:\documents and settings\Owner\Application Data\Launchy
2009-04-18 20:40 . 2008-03-07 04:10 -------- d-----w c:\program files\Steam
2009-04-18 18:19 . 2008-03-28 01:17 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-17 04:37 . 2008-02-02 03:10 -------- d-----w c:\program files\PowerISO
2009-04-16 22:49 . 2008-10-15 01:39 -------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-04-16 02:46 . 2008-01-02 23:52 -------- d-----w c:\program files\Realtek AC97
2009-04-16 02:41 . 2008-05-06 04:54 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-16 02:41 . 2008-05-06 04:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 01:55 . 2009-01-18 20:51 -------- d-----w c:\program files\Winamp
2009-04-16 00:35 . 2008-01-04 01:28 -------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-04-14 03:03 . 2008-01-20 04:20 2588 ---ha-w C:\IPH.PH
2009-04-14 03:03 . 2008-01-18 03:46 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-12 20:48 . 2008-01-04 01:28 -------- d-----w c:\program files\Xfire
2009-04-10 23:25 . 2008-09-12 02:50 -------- d-----w c:\program files\Atari
2009-04-04 19:22 . 2008-12-17 06:08 -------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2009-04-04 18:38 . 2008-12-17 06:08 -------- d-----w c:\program files\mIRC
2009-02-24 05:58 . 2008-04-18 01:02 -------- d-----w c:\program files\QuickTime
2009-02-21 07:24 . 2009-02-21 07:18 2829 ----a-w c:\windows\War3Unin.pif
2009-02-19 19:53 . 2009-02-19 19:53 -------- d-----w c:\program files\Common Files\INCA Shared
2009-02-19 00:09 . 2009-02-19 00:09 -------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2009-02-17 03:17 . 2008-01-02 23:49 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2008-10-20 23:21 . 2008-01-05 18:33 24880 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-01 11:15 . 2008-08-01 11:15 74864 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

------- Sigcheck -------

[-] 2008-04-14 00:12 34304 F659C9716309655AB68765743664E36B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2004-08-04 12:00 34304 F325E0DE4F224CD049D6C75BC620B04F c:\windows\system32\svchost.exe
[-] 2004-08-04 12:00 34304 178EDD883A1119F776C54B7484F7CCD1 c:\windows\system32\dllcache\svchost.exe

[-] 2008-04-14 00:12 527872 876AF0F5AFDB8CC2C6E8CCF16BE3C234 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2008-01-02 23:46 502272 6225F14B8CE08CCBA8B25AD27843C674 c:\windows\system32\winlogon.exe

[-] 2004-08-04 12:00 1052160 4CFCEB7A1641ED7D3E6F9D55690BE1A9 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1053696 A8EA2ABBE4F64C4C7E15E34CD95EC002 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2004-08-04 12:00 1052160 2F9CE7162DCAC8A0B66CDB3ADDD4825F c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 00:12 35328 2C2D86746C81F82DE35E639B43DF591B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
[-] 2004-08-04 12:00 35328 6D66A0810B4D0947A187799C618F0A0F c:\windows\system32\ctfmon.exe
[-] 2004-08-04 12:00 35328 135DEA5036F9EBA19FD4E5619CCC73B2 c:\windows\system32\dllcache\ctfmon.exe

[-] 2008-04-14 00:12 77824 6D6FA43A4765DDA269DFD174A7E5235D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
[-] 2004-08-04 12:00 77824 6B6E8B138E4A8E91CE8D6404042D7E8D c:\windows\system32\spoolsv.exe
[-] 2004-08-04 12:00 77824 B978FB23FA8E0673D06A8C07166BC7DF c:\windows\system32\dllcache\spoolsv.exe

[-] 2008-04-14 00:12 46080 AFE92A5AEC531E32BCA0FC21BF7AC1B5 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2004-08-04 12:00 44544 17EE0D9D476DE54BDAA82C40B65A4340 c:\windows\system32\userinit.exe
[-] 2004-08-04 12:00 44544 4F5F151B939E02F5312934B9EFE8947D c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-18_19.05.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 20:57 . 2009-04-18 20:57 16384 c:\windows\temp\Perflib_Perfdata_5c8.dat
- 2009-04-16 00:26 . 2009-04-18 18:57 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-16 00:26 . 2009-04-18 20:57 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-16 00:26 . 2009-04-18 20:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-16 00:26 . 2009-04-18 18:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-16 00:26 . 2009-04-18 20:57 229376 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-16 00:26 . 2009-04-18 18:57 229376 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Gaming Mouse"="c:\program files\Cyber Snipa S.W.A.T. Mouse\S.W.A.T. Mouse.exe" [2006-12-01 839680]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-07-21 462913]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-1-3 294912]
Reboot.exe [2006-12-29 429056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 17:10 18744 ----a-w c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Black Isle\\Baldur's Gate\\BGMain2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\day of defeat source\\hl2.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\opposing force\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life blue shift\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\dystopia\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6113:TCP"= 6113:TCP:War3

S1 aswSP;avast! Self Protection; [x]
S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-03-16 13696]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22229d0c-2c47-11de-ba43-002197d3ca05}]
\shell\autorun\command - F:\RUNDLL32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff94b590-b958-11dc-b694-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2009-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-28 22:08]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Vsesubitukixuyoy - c:\windows\Gxecesaz.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/puccini/start
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6mtgxo9p.default\
FF - prefs.js: browser.startup.homepage - www.left4dead411.com
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 16:57
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ee2caf9a]
"ImagePath"="\SystemRoot\System32\drivers\ee2caf9a.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\PCANotify.dll

- - - - - - - > 'explorer.exe'(2180)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\program files\IDT\XPV_5902_012208\WDM\stacsv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-18 17:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 21:04
ComboFix2.txt 2009-04-18 19:06

Pre-Run: 15,406,252,032 bytes free
Post-Run: 15,447,891,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

374 --- E O F --- 2009-04-01 08:05


HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:43 PM, on 4/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\xpv_5902_012208\wdm\STacSV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Gaming Mouse] C:\Program Files\Cyber Snipa S.W.A.T. Mouse\S.W.A.T. Mouse.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Reboot.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\xpv_5902_012208\wdm\STacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 5233 bytes

pskelley
2009-04-18, 23:18
c:\windows\system32\userinit.exe . . . is infected!!
This is a major problem. Since ComboFix seems to be online now, it may repair the infected file if there is a copy on the computer that is not infected. What I would like you to do is delete the copy of ComboFix you have and download a fresh copy from here:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Download it to the Desktop and double click to run it, once it has run, post the log so I can see if it repairs the infected userinit.

Thanks

The computer you have been using, is it the same operating system as the infected computer?

BaldingSteve
2009-04-19, 00:01
No, the computer I've been using was a Mac.

pskelley
2009-04-19, 00:05
OK, see then if you can download combofix now on the computer and run it. If it finds the infected file, it will repair it IF there is a clean copy available. If not, we will need to find one elsewhere.

BaldingSteve
2009-04-19, 00:10
Looks like it still didn't fix the file. Is there a way to fix this?

ComboFix 09-04-19.01 - Owner 04/18/2009 18:02.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1581 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090418-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-30 21:04 . 2009-04-13 02:25 -------- d-----w c:\program files\Perpetuum
2009-04-28 22:56 . 2009-04-28 22:56 -------- d-----w C:\Turok-Dinosaur Hunter
2009-04-28 19:10 . 2009-04-29 11:11 -------- d-----w C:\Jim's Big Ego
2009-04-28 19:08 . 2009-04-29 06:43 -------- d-----w C:\Da Vinci's Notebook
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\windows\system32\AGEIA
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\program files\AGEIA Technologies
2009-04-25 02:19 . 2009-02-18 18:44 212711 ----a-w c:\windows\system32\nvapps.nvb
2009-04-25 02:18 . 2009-04-25 02:18 -------- d-----w C:\NVIDIA
2009-04-24 21:58 . 2008-07-21 02:55 241719 ----a-w c:\windows\system32\stacsv.exe
2009-04-24 21:58 . 2008-07-21 02:55 2314240 ----a-w c:\windows\system32\stlang.dll
2009-04-24 21:58 . 2008-07-21 02:55 8101951 ----a-w c:\windows\system32\idtsg.cpl
2009-04-24 21:58 . 2008-07-21 02:55 462913 ----a-w c:\windows\sttray.exe
2009-04-24 21:58 . 2008-07-21 02:55 442439 ----a-w c:\windows\system32\stacapi.dll
2009-04-24 21:58 . 2008-07-21 02:55 150016 ----a-w c:\windows\system32\staco.dll
2009-04-24 21:58 . 2008-07-21 02:55 1292888 ----a-w c:\windows\system32\drivers\sthda.sys
2009-04-24 21:57 . 2009-04-24 21:58 -------- d-----w c:\program files\IDT
2009-04-24 21:57 . 2008-08-07 11:14 111360 ----a-r c:\windows\system32\drivers\Rtenicxp.sys
2009-04-24 21:57 . 2008-08-07 03:38 9728 ----a-r c:\windows\system32\RtNicProp32.dll
2009-04-24 21:52 . 2009-04-25 02:21 -------- d-----w c:\windows\nview
2009-04-24 21:47 . 2007-10-12 01:40 9096 ----a-r c:\windows\system32\drivers\amdide.sys
2009-04-24 21:46 . 2009-04-24 21:46 -------- d-----w c:\windows\system32\Tools
2009-04-24 21:45 . 2006-12-26 12:31 4864 ----a-r c:\windows\system32\drivers\PortIo.sys
2009-04-17 00:02 . 2009-04-17 00:02 -------- d-s---w c:\documents and settings\Owner\UserData
2009-04-16 03:07 . 2009-04-16 03:07 325 ----a-w c:\windows\wininit.ini
2009-04-16 02:04 . 2009-04-16 02:04 -------- d-----w c:\program files\Trend Micro
2009-04-16 02:03 . 2009-04-16 22:48 -------- d-----w c:\program files\ERUNT
2009-04-16 00:33 . 2009-04-16 00:33 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\{FAC88654-A131-4D8F-9250-3BF4B5675C5E}
2009-04-16 00:27 . 2004-08-04 12:00 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-15 22:24 . 2009-04-15 22:24 2 ----a-w C:\-200243611
2009-04-14 03:01 . 2009-04-14 03:03 -------- d-----w c:\program files\AIM6
2009-04-12 04:52 . 2009-04-13 23:57 -------- d-----w c:\documents and settings\Owner\Application Data\IObit
2009-04-12 04:52 . 2009-04-12 15:53 -------- d-----w c:\program files\IObit
2009-04-09 05:16 . 2009-04-09 09:15 -------- d-----w C:\Jonathan_Coulton_Complete_Discography_192kbps
2009-04-04 20:21 . 2009-04-04 20:21 -------- d-----w c:\program files\Bethesda Softworks
2009-04-04 06:33 . 2009-04-04 06:33 -------- d-----w c:\program files\Common Files\DirectX
2009-04-02 21:42 . 2009-04-04 06:32 -------- d-----w c:\program files\Garena
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w C:\VertigoGames
2009-04-01 06:01 . 2009-04-01 06:26 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-01 05:53 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-01 05:53 . 2008-06-13 13:10 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-01 05:50 . 2008-08-14 10:00 2180352 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-01 05:50 . 2008-08-14 09:58 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-01 05:50 . 2008-08-14 09:22 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-01 05:50 . 2008-08-14 09:22 2057728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-01 05:43 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-01 05:35 . 2009-04-01 08:05 -------- d--h--w c:\windows\$hf_mig$
2009-03-20 22:25 . 2009-03-20 22:25 41808 ----a-w c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 21:25 . 2009-02-19 00:08 -------- d-----w c:\program files\Last.fm
2009-04-29 22:23 . 2009-01-18 20:51 -------- d-----w c:\documents and settings\Owner\Application Data\Winamp
2009-04-29 01:36 . 2009-02-21 07:16 -------- d-----w c:\program files\Warcraft III
2009-04-29 00:31 . 2009-02-21 07:18 77589 ----a-w c:\windows\War3Unin.dat
2009-04-28 21:11 . 2008-10-03 04:01 -------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2009-04-28 21:11 . 2008-10-03 04:01 25280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-04-25 02:19 . 2008-01-06 17:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-25 00:09 . 2008-10-27 04:03 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-25 00:09 . 2008-10-27 04:03 -------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-04-24 21:57 . 2008-01-02 23:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 21:40 . 2008-01-04 01:15 -------- d-----w c:\documents and settings\Owner\Application Data\Launchy
2009-04-18 21:21 . 2008-03-07 04:10 -------- d-----w c:\program files\Steam
2009-04-18 18:19 . 2008-03-28 01:17 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-17 04:37 . 2008-02-02 03:10 -------- d-----w c:\program files\PowerISO
2009-04-16 22:49 . 2008-10-15 01:39 -------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-04-16 02:46 . 2008-01-02 23:52 -------- d-----w c:\program files\Realtek AC97
2009-04-16 02:41 . 2008-05-06 04:54 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-16 02:41 . 2008-05-06 04:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 01:55 . 2009-01-18 20:51 -------- d-----w c:\program files\Winamp
2009-04-16 00:35 . 2008-01-04 01:28 -------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-04-14 03:03 . 2008-01-20 04:20 2588 ---ha-w C:\IPH.PH
2009-04-14 03:03 . 2008-01-18 03:46 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-12 20:48 . 2008-01-04 01:28 -------- d-----w c:\program files\Xfire
2009-04-10 23:25 . 2008-09-12 02:50 -------- d-----w c:\program files\Atari
2009-04-04 19:22 . 2008-12-17 06:08 -------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2009-04-04 18:38 . 2008-12-17 06:08 -------- d-----w c:\program files\mIRC
2009-02-24 05:58 . 2008-04-18 01:02 -------- d-----w c:\program files\QuickTime
2009-02-21 07:24 . 2009-02-21 07:18 2829 ----a-w c:\windows\War3Unin.pif
2009-02-19 19:53 . 2009-02-19 19:53 -------- d-----w c:\program files\Common Files\INCA Shared
2009-02-19 00:09 . 2009-02-19 00:09 -------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2009-02-17 03:17 . 2008-01-02 23:49 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2008-10-20 23:21 . 2008-01-05 18:33 24880 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-01 11:15 . 2008-08-01 11:15 74864 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

------- Sigcheck -------

[-] 2008-04-14 00:12 34304 F659C9716309655AB68765743664E36B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2004-08-04 12:00 34304 F325E0DE4F224CD049D6C75BC620B04F c:\windows\system32\svchost.exe
[-] 2004-08-04 12:00 34304 178EDD883A1119F776C54B7484F7CCD1 c:\windows\system32\dllcache\svchost.exe

[-] 2008-04-14 00:12 527872 876AF0F5AFDB8CC2C6E8CCF16BE3C234 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2008-01-02 23:46 502272 6225F14B8CE08CCBA8B25AD27843C674 c:\windows\system32\winlogon.exe

[-] 2004-08-04 12:00 1052160 4CFCEB7A1641ED7D3E6F9D55690BE1A9 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1053696 A8EA2ABBE4F64C4C7E15E34CD95EC002 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2004-08-04 12:00 1052160 2F9CE7162DCAC8A0B66CDB3ADDD4825F c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 00:12 35328 2C2D86746C81F82DE35E639B43DF591B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
[-] 2004-08-04 12:00 35328 6D66A0810B4D0947A187799C618F0A0F c:\windows\system32\ctfmon.exe
[-] 2004-08-04 12:00 35328 135DEA5036F9EBA19FD4E5619CCC73B2 c:\windows\system32\dllcache\ctfmon.exe

[-] 2008-04-14 00:12 77824 6D6FA43A4765DDA269DFD174A7E5235D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
[-] 2004-08-04 12:00 77824 6B6E8B138E4A8E91CE8D6404042D7E8D c:\windows\system32\spoolsv.exe
[-] 2004-08-04 12:00 77824 B978FB23FA8E0673D06A8C07166BC7DF c:\windows\system32\dllcache\spoolsv.exe

[-] 2008-04-14 00:12 46080 AFE92A5AEC531E32BCA0FC21BF7AC1B5 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2004-08-04 12:00 44544 17EE0D9D476DE54BDAA82C40B65A4340 c:\windows\system32\userinit.exe
[-] 2004-08-04 12:00 44544 4F5F151B939E02F5312934B9EFE8947D c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-18_19.05.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 20:57 . 2009-04-18 20:57 16384 c:\windows\temp\Perflib_Perfdata_5c8.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 59904 c:\windows\system32\dllcache\cmmon32.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 67072 c:\windows\system32\dllcache\cmdl32.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 53248 c:\windows\system32\dllcache\clipsrv.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 83968 c:\windows\system32\dllcache\cleanmgr.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 27648 c:\windows\system32\dllcache\ckcnv.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 25600 c:\windows\system32\dllcache\cisvc.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 28160 c:\windows\system32\dllcache\cidaemon.exe
+ 2008-01-02 23:39 . 2004-08-04 12:00 62543 c:\windows\system32\dllcache\chkrzm.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 31232 c:\windows\system32\dllcache\chkntfs.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 31744 c:\windows\system32\dllcache\chkdsk.exe
+ 2008-01-02 23:42 . 2004-08-04 12:00 34304 c:\windows\system32\dllcache\chgusr.exe
+ 2008-01-02 23:42 . 2004-08-04 12:00 35840 c:\windows\system32\dllcache\chgport.exe
+ 2008-01-02 23:42 . 2004-08-04 12:00 33280 c:\windows\system32\dllcache\chglogon.exe
+ 2008-01-02 23:42 . 2004-08-04 12:00 29696 c:\windows\system32\dllcache\change.exe
+ 2008-01-02 23:40 . 2004-08-04 12:00 32768 c:\windows\system32\dllcache\cb32.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 38400 c:\windows\system32\dllcache\cacls.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 25088 c:\windows\system32\dllcache\bootvrfy.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 24576 c:\windows\system32\dllcache\bootok.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 91648 c:\windows\system32\dllcache\blastcln.exe
+ 2008-01-02 23:39 . 2004-08-04 12:00 62545 c:\windows\system32\dllcache\bckgzm.exe
+ 2008-01-02 23:42 . 2003-03-24 21:52 36919 c:\windows\system32\dllcache\author.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 34304 c:\windows\system32\dllcache\auditusr.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 31232 c:\windows\system32\dllcache\attrib.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 31232 c:\windows\system32\dllcache\atmadm.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 45056 c:\windows\system32\dllcache\at.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 39424 c:\windows\system32\dllcache\arp.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 64512 c:\windows\system32\dllcache\alg.exe
+ 2008-01-02 23:42 . 2003-03-24 21:52 36919 c:\windows\system32\dllcache\admin.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 24064 c:\windows\system32\dllcache\actmovie.exe
- 2009-04-16 00:26 . 2009-04-18 18:57 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-16 00:26 . 2009-04-18 20:57 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-16 00:26 . 2009-04-18 18:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-16 00:26 . 2009-04-18 20:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-12 05:01 . 2004-08-04 12:00 97280 c:\windows\$MSI31Uninstall_KB893803v2$\msiexec.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 408576 c:\windows\system32\dllcache\cmd.exe
+ 2008-01-02 23:39 . 2004-08-04 12:00 122880 c:\windows\system32\dllcache\clipbrd.exe
+ 2008-01-02 23:42 . 2004-08-04 12:00 500224 c:\windows\system32\dllcache\cintsetp.exe
+ 2008-01-02 23:39 . 2004-08-04 12:00 100352 c:\windows\system32\dllcache\charmap.exe
+ 2008-01-02 23:42 . 2003-03-24 21:52 208960 c:\windows\system32\dllcache\cfgwiz.exe
+ 2008-01-02 23:39 . 2004-08-04 12:00 134656 c:\windows\system32\dllcache\calc.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 118272 c:\windows\system32\dllcache\ahui.exe
+ 2004-08-04 12:00 . 2004-08-04 12:00 276480 c:\windows\system32\dllcache\agentsvr.exe
+ 2008-01-02 23:39 . 2004-08-04 12:00 203776 c:\windows\system32\dllcache\accwiz.exe
- 2009-04-16 00:26 . 2009-04-18 18:57 229376 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-16 00:26 . 2009-04-18 20:57 229376 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5BF49A0-94F3-42BD-F434-3604812C8955}]
2009-04-18 22:07 15000 ----a-w c:\windows\system32\zfgh83jg3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Gaming Mouse"="c:\program files\Cyber Snipa S.W.A.T. Mouse\S.W.A.T. Mouse.exe" [2006-12-01 839680]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-07-21 462913]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"<NO NAME>"="c:\windows\TEMP\lehas.exe" [2009-04-18 15001]
"Windows Resurections"="c:\windows\TEMP\lehas.exe" [2009-04-18 15001]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-1-3 294912]
Reboot.exe [2006-12-29 429056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{D5BF49A0-94F3-42BD-F434-3604812C8955}"= "c:\windows\system32\zfgh83jg3.dll" [2009-04-18 15000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 17:10 18744 ----a-w c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli idashemg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Black Isle\\Baldur's Gate\\BGMain2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\day of defeat source\\hl2.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\opposing force\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life blue shift\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\dystopia\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6113:TCP"= 6113:TCP:War3

S1 aswSP;avast! Self Protection; [x]
S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-03-16 13696]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22229d0c-2c47-11de-ba43-002197d3ca05}]
\shell\autorun\command - F:\RUNDLL32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff94b590-b958-11dc-b694-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2009-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-28 22:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/puccini/start
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6mtgxo9p.default\
FF - prefs.js: browser.startup.homepage - www.left4dead411.com
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 18:06
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

? [28164]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\PCANotify.dll

- - - - - - - > 'explorer.exe'(159236)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\zfgh83jg3.dll
.
Completion time: 2009-04-18 18:08
ComboFix-quarantined-files.txt 2009-04-18 22:08
ComboFix2.txt 2009-04-18 21:04
ComboFix3.txt 2009-04-18 19:06

Pre-Run: 15,372,091,392 bytes free
Post-Run: 15,361,716,224 bytes free

341 --- E O F --- 2009-04-01 08:05

pskelley
2009-04-19, 00:30
We have more to do but let's look at this issue first. Please make sure you can view all files and folders:
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

Now navigate to that file: c:\windows\system32\userinit.exe
and scan it with one of these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

post the results of that scan.

Please use Search Companion: Start > Search > All Files and Folders > Search for userinit.exe
Tell me about any locations that search reports.

Do you have a friend with the same Operating System:
Microsoft Windows XP Home Edition
who could make a copy on a floppy or clean USB device?

I am showing 28.0 KB (28,672 bytes), but my computer is Windows XP Pro so it likely is not the exact same file.

In case I have not mentioned, a reformat of the hard drive and a new install of the operating system will also fix your problems.

BaldingSteve
2009-04-21, 05:16
It seems that all of the links you provided to free scanners are broken.

But I do know someone (with the same OS) who can make a clean copy of the userinit.exe file onto a zip drive. If I replace my userinit.exe file with theirs will it fix this?

BaldingSteve
2009-04-21, 05:21
I also searched for the userinit.exe file with the search companion and came up with these results:

userinit C:\WINDOWS\system32

userinit C:\WINDOWS\SoftwareDistribution\e9500597a78495f397efb821e37bf356

pskelley
2009-04-21, 14:14
First, let me assure you there is nothing wrong with the links I provided; the problem is your computer. To be sure you understand, I wish to be positive the userinit.exe file is infected before we replace it. Right now I am 99.9% sure it is.

Perhaps you should understand what that file does on the computer; have a look here:
http://technet.microsoft.com/en-us/library/cc939862.aspx
and a Google search: http://www.google.com/search?hl=en&q=userinit.exe+&btnG=Search

Now, to be sure, when you click the scan, say: http://virusscan.jotti.org/
(if it will not open, try another browser if you have one)
you will see: File to upload & scan: you need to click the Browse button and navigate to the actual file here: c:\windows\system32\userinit.exe
and then click the Submit button. Within a few minutes you will have a report I need to see. All three scans work about the same.

But I do know someone (with the same OS) who can make a clean copy of the userinit.exe file onto a zip drive. If I replace my userinit.exe file with theirs will it fix this?
First we need to be sure the file on the computer is infected, then you have to be sure it is exactly the same file you have. Then you have to be sure the zip drive the friend is using is NOT infected. Have them insert it and use the antivirus program to scan the drive assigned to the removable media.
Then you can move the infected file on your computer to the Recycle Bin for now (it cannot harm you in the Recycle Bin), then install the new clean file in the same spot (c:\windows\system32 <<< that folder).

I believe you will find the file on the friend's computer should be file version 5.1.2600.5512 > Userinit Logon Application > Microsoft Corporation.

Keep me posted.
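
Added example (not code from the thread, the helper, or ComboFix): a Python cross-check of the Sigcheck section that ComboFix prints, which lists the live copy, the dllcache copy and any Windows Update copy of each protected system file with its size and MD5. It automates the comparison behind the question above: a live userinit.exe whose size and timestamp match the dllcache copy but whose MD5 differs has been modified in place. The sample lines are copied from the ComboFix log posted later in this thread; the verdict names are this example's own.

```python
"""Cross-check a ComboFix 'Sigcheck' section for system files patched in place.

ComboFix prints one line per copy of each protected binary it finds: the live
file, the dllcache copy and any copy waiting in the Windows Update download
folder. A matching dllcache copy is not proof of integrity (both can be
tampered with), but a live copy that keeps the dllcache copy's size and
timestamp while its MD5 changes has clearly been modified in place, which is
what this thread's log shows for userinit.exe.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One Sigcheck line: [flag] date time size md5 path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*)$"
)


@dataclass(frozen=True)
class SigEntry:
    flag: str
    timestamp: str
    size: int
    md5: str
    path: str

    @property
    def name(self) -> str:
        """File name only, lower-cased so copies in different folders group together."""
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def location(self) -> str:
        """'dllcache', 'update_download' or 'live' (the copy Windows actually runs)."""
        p = self.path.lower()
        if "\\dllcache\\" in p:
            return "dllcache"
        if "\\softwaredistribution\\" in p:
            return "update_download"
        return "live"


def parse_sigcheck(text: str) -> list:
    """Extract SigEntry records from Sigcheck output; non-matching lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = SIGCHECK_LINE.match(raw.strip())
        if not m:
            continue
        entries.append(SigEntry(
            flag=m["flag"],
            timestamp=f"{m['date']} {m['time']}",
            size=int(m["size"]),
            md5=m["md5"].upper(),
            path=m["path"],
        ))
    return entries


def cross_check(entries: list) -> dict:
    """Classify each file by comparing its live copy with its dllcache copy.

    consistent   - identical MD5
    patched      - same size and timestamp, different MD5 (modified in place)
    differs      - different MD5 and a different size or timestamp (version drift)
    unverifiable - no dllcache copy to compare against
    The Windows Update download copy is a newer version, so it is not used as the reference.
    """
    by_name = defaultdict(dict)
    for e in entries:
        by_name[e.name][e.location] = e
    verdicts = {}
    for name, copies in by_name.items():
        live, cache = copies.get("live"), copies.get("dllcache")
        if live is None or cache is None:
            verdicts[name] = "unverifiable"
        elif live.md5 == cache.md5:
            verdicts[name] = "consistent"
        elif live.size == cache.size and live.timestamp == cache.timestamp:
            verdicts[name] = "patched"
        else:
            verdicts[name] = "differs"
    return verdicts


def find_patched(entries: list) -> list:
    """Sorted names of files whose live copy looks modified in place."""
    return sorted(n for n, v in cross_check(entries).items() if v == "patched")


# Sample input: lines copied from the Sigcheck section of the ComboFix log in this
# thread (svchost.exe, winlogon.exe, ndis.sys, userinit.exe).
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------

[-] 2008-04-14 00:12 34304 F659C9716309655AB68765743664E36B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2004-08-04 12:00 34304 F325E0DE4F224CD049D6C75BC620B04F c:\windows\system32\svchost.exe
[-] 2004-08-04 12:00 34304 178EDD883A1119F776C54B7484F7CCD1 c:\windows\system32\dllcache\svchost.exe

[-] 2008-04-14 00:12 527872 876AF0F5AFDB8CC2C6E8CCF16BE3C234 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2008-01-02 23:46 502272 6225F14B8CE08CCBA8B25AD27843C674 c:\windows\system32\winlogon.exe

[-] 2009-04-18 22:08 213376 FF85EBD2AD3679254CF251136C62D764 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-18 22:08 213376 FF85EBD2AD3679254CF251136C62D764 c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 00:12 46080 AFE92A5AEC531E32BCA0FC21BF7AC1B5 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2004-08-04 12:00 44544 2105A0CC37871AD13928627E252A5D01 c:\windows\system32\userinit.exe
[-] 2004-08-04 12:00 44544 4F5F151B939E02F5312934B9EFE8947D c:\windows\system32\dllcache\userinit.exe
"""

if __name__ == "__main__":
    for name, verdict in sorted(cross_check(parse_sigcheck(SAMPLE_SIGCHECK)).items()):
        print(f"{name:14} {verdict}")
```

A "patched" verdict only says the live file is not the copy Windows cached; confirming what it now contains still needs a scan or a known-good hash from an identical install, as the helper asks for above.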

BaldingSteve
2009-04-21, 15:22
If the links you provided do in fact work, then it must be the malware preventing me from accessing it. I always get the 'page load error' when I click on any of the three links.

pskelley
2009-04-21, 15:40
Watch for a private message:)

BaldingSteve
2009-04-22, 22:27
ComboFix 09-04-19.01 - Owner 04/22/2009 16:12.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1614 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090422-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\reader_s.exe
c:\program files\ThunMail
c:\program files\ThunMail\testabd.dll
c:\program files\ThunMail\testabd.ex_
c:\windows\IE4 Error Log.txt
c:\windows\system32\6to4v32.dll
c:\windows\system32\at1394.sys
c:\windows\system32\ntos.exe
c:\windows\system32\reader_s.exe
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
c:\windows\temp\1057692733.exe
c:\windows\temp\1147999388.exe
c:\windows\temp\1270228137.exe
c:\windows\temp\1375025589.exe
c:\windows\temp\3631064825.exe
c:\windows\temp\713231475.exe
c:\windows\temp\76845766.exe
c:\windows\temp\836983276.exe

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_AT1394
-------\Service_6to4
-------\Service_at1394
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-30 21:04 . 2009-04-13 02:25 -------- d-----w c:\program files\Perpetuum
2009-04-28 22:56 . 2009-04-28 22:56 -------- d-----w C:\Turok-Dinosaur Hunter
2009-04-28 19:10 . 2009-04-29 11:11 -------- d-----w C:\Jim's Big Ego
2009-04-28 19:08 . 2009-04-29 06:43 -------- d-----w C:\Da Vinci's Notebook
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\windows\system32\AGEIA
2009-04-25 02:19 . 2009-04-25 02:19 -------- d-----w c:\program files\AGEIA Technologies
2009-04-25 02:19 . 2009-02-18 18:44 212711 ----a-w c:\windows\system32\nvapps.nvb
2009-04-25 02:18 . 2009-04-25 02:18 -------- d-----w C:\NVIDIA
2009-04-24 21:58 . 2008-07-21 02:55 241719 ----a-w c:\windows\system32\stacsv.exe
2009-04-24 21:58 . 2008-07-21 02:55 2314240 ----a-w c:\windows\system32\stlang.dll
2009-04-24 21:58 . 2008-07-21 02:55 8101951 ----a-w c:\windows\system32\idtsg.cpl
2009-04-24 21:58 . 2008-07-21 02:55 462913 ----a-w c:\windows\sttray.exe
2009-04-24 21:58 . 2008-07-21 02:55 442439 ----a-w c:\windows\system32\stacapi.dll
2009-04-24 21:58 . 2008-07-21 02:55 150016 ----a-w c:\windows\system32\staco.dll
2009-04-24 21:58 . 2008-07-21 02:55 1292888 ----a-w c:\windows\system32\drivers\sthda.sys
2009-04-24 21:57 . 2009-04-24 21:58 -------- d-----w c:\program files\IDT
2009-04-24 21:57 . 2008-08-07 11:14 111360 ----a-r c:\windows\system32\drivers\Rtenicxp.sys
2009-04-24 21:57 . 2008-08-07 03:38 9728 ----a-r c:\windows\system32\RtNicProp32.dll
2009-04-24 21:52 . 2009-04-25 02:21 -------- d-----w c:\windows\nview
2009-04-24 21:47 . 2007-10-12 01:40 9096 ----a-r c:\windows\system32\drivers\amdide.sys
2009-04-24 21:46 . 2009-04-24 21:46 -------- d-----w c:\windows\system32\Tools
2009-04-24 21:45 . 2006-12-26 12:31 4864 ----a-r c:\windows\system32\drivers\PortIo.sys
2009-04-22 19:56 . 2009-04-22 19:57 44 ----a-w c:\windows\system32\3.tmp
2009-04-22 01:56 . 2009-04-22 01:56 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-04-21 15:01 . 2009-04-21 15:02 -------- d-----w C:\music
2009-04-21 03:12 . 2009-04-21 03:12 80 ----a-w c:\windows\system32\2.tmp
2009-04-21 03:10 . 2009-04-20 23:24 40960 ----a-w c:\windows\system32\xz.exe
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\61.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\60.tmp
2009-04-18 22:09 . 2009-04-18 22:09 38 ----a-w C:\5F.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\5E.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\5D.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\5C.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\5B.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\5A.tmp
2009-04-18 22:09 . 2009-04-18 22:09 0 ----a-w C:\59.tmp
2009-04-18 22:09 . 2009-04-18 22:09 38 ----a-w C:\58.tmp
2009-04-18 22:09 . 2009-04-18 22:09 52736 ----a-w C:\57.tmp
2009-04-18 22:09 . 2009-04-18 22:09 15000 ----a-w c:\windows\system32\yaubfh983ind.dll
2009-04-18 22:08 . 2009-04-18 22:08 0 ----a-w c:\windows\system32\3F.tmp
2009-04-18 22:07 . 2009-04-18 22:08 84 ----a-w c:\windows\system32\3E.tmp
2009-04-18 22:07 . 2009-04-18 22:07 15000 ----a-w c:\windows\system32\zfgh83jg3.dll
2009-04-17 00:02 . 2009-04-17 00:02 -------- d-s---w c:\documents and settings\Owner\UserData
2009-04-16 03:07 . 2009-04-16 03:07 325 ----a-w c:\windows\wininit.ini
2009-04-16 02:04 . 2009-04-16 02:04 -------- d-----w c:\program files\Trend Micro
2009-04-16 02:03 . 2009-04-16 22:48 -------- d-----w c:\program files\ERUNT
2009-04-16 00:33 . 2009-04-16 00:33 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\{FAC88654-A131-4D8F-9250-3BF4B5675C5E}
2009-04-16 00:27 . 2004-08-04 12:00 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-15 22:24 . 2009-04-15 22:24 2 ----a-w C:\-200243611
2009-04-14 03:01 . 2009-04-14 03:03 -------- d-----w c:\program files\AIM6
2009-04-12 04:52 . 2009-04-13 23:57 -------- d-----w c:\documents and settings\Owner\Application Data\IObit
2009-04-12 04:52 . 2009-04-12 15:53 -------- d-----w c:\program files\IObit
2009-04-09 05:16 . 2009-04-09 09:15 -------- d-----w C:\Jonathan_Coulton_Complete_Discography_192kbps
2009-04-04 20:21 . 2009-04-04 20:21 -------- d-----w c:\program files\Bethesda Softworks
2009-04-04 06:33 . 2009-04-04 06:33 -------- d-----w c:\program files\Common Files\DirectX
2009-04-02 21:42 . 2009-04-04 06:32 -------- d-----w c:\program files\Garena
2009-04-02 21:39 . 2009-04-02 21:39 -------- d-----w C:\VertigoGames
2009-04-01 06:01 . 2009-04-01 06:26 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-01 05:53 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-01 05:53 . 2008-06-13 13:10 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-01 05:50 . 2008-08-14 10:00 2180352 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-01 05:50 . 2008-08-14 09:58 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-01 05:50 . 2008-08-14 09:22 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-01 05:50 . 2008-08-14 09:22 2057728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-01 05:43 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-01 05:35 . 2009-04-01 08:05 -------- d--h--w c:\windows\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 21:25 . 2009-02-19 00:08 -------- d-----w c:\program files\Last.fm
2009-04-29 22:23 . 2009-01-18 20:51 -------- d-----w c:\documents and settings\Owner\Application Data\Winamp
2009-04-29 01:36 . 2009-02-21 07:16 -------- d-----w c:\program files\Warcraft III
2009-04-29 00:31 . 2009-02-21 07:18 77589 ----a-w c:\windows\War3Unin.dat
2009-04-28 21:11 . 2008-10-03 04:01 -------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2009-04-28 21:11 . 2008-10-03 04:01 25280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-04-25 02:19 . 2008-01-06 17:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-25 00:09 . 2008-10-27 04:03 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-25 00:09 . 2008-10-27 04:03 -------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-04-24 21:57 . 2008-01-02 23:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 21:40 . 2008-01-04 01:15 -------- d-----w c:\documents and settings\Owner\Application Data\Launchy
2009-04-22 03:51 . 2008-03-28 01:17 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-21 13:32 . 2008-03-07 04:10 -------- d-----w c:\program files\Steam
2009-04-18 22:08 . 2004-08-04 12:00 213376 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-18 22:08 . 2008-10-15 01:39 -------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-04-17 04:37 . 2008-02-02 03:10 -------- d-----w c:\program files\PowerISO
2009-04-16 02:46 . 2008-01-02 23:52 -------- d-----w c:\program files\Realtek AC97
2009-04-16 02:41 . 2008-05-06 04:54 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-16 02:41 . 2008-05-06 04:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 01:55 . 2009-01-18 20:51 -------- d-----w c:\program files\Winamp
2009-04-16 00:35 . 2008-01-04 01:28 -------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-04-14 03:03 . 2008-01-20 04:20 2588 ---ha-w C:\IPH.PH
2009-04-14 03:03 . 2008-01-18 03:46 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-12 20:48 . 2008-01-04 01:28 -------- d-----w c:\program files\Xfire
2009-04-10 23:25 . 2008-09-12 02:50 -------- d-----w c:\program files\Atari
2009-04-04 19:22 . 2008-12-17 06:08 -------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2009-04-04 18:38 . 2008-12-17 06:08 -------- d-----w c:\program files\mIRC
2009-03-20 22:25 . 2009-03-20 22:25 41808 ----a-w c:\windows\system32\xfcodec.dll
2009-02-24 05:58 . 2008-04-18 01:02 -------- d-----w c:\program files\QuickTime
2009-02-21 07:24 . 2009-02-21 07:18 2829 ----a-w c:\windows\War3Unin.pif
2009-02-17 03:17 . 2008-01-02 23:49 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2008-10-20 23:21 . 2008-01-05 18:33 24880 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-01 11:15 . 2008-08-01 11:15 74864 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

------- Sigcheck -------

[-] 2008-04-14 00:12 34304 F659C9716309655AB68765743664E36B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2004-08-04 12:00 34304 F325E0DE4F224CD049D6C75BC620B04F c:\windows\system32\svchost.exe
[-] 2004-08-04 12:00 34304 178EDD883A1119F776C54B7484F7CCD1 c:\windows\system32\dllcache\svchost.exe

[-] 2008-04-14 00:12 527872 876AF0F5AFDB8CC2C6E8CCF16BE3C234 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2008-01-02 23:46 502272 6225F14B8CE08CCBA8B25AD27843C674 c:\windows\system32\winlogon.exe

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
[-] 2009-04-18 22:08 213376 FF85EBD2AD3679254CF251136C62D764 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-18 22:08 213376 FF85EBD2AD3679254CF251136C62D764 c:\windows\system32\drivers\ndis.sys

[-] 2004-08-04 12:00 1052160 4CFCEB7A1641ED7D3E6F9D55690BE1A9 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1053696 A8EA2ABBE4F64C4C7E15E34CD95EC002 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2004-08-04 12:00 1052160 2F9CE7162DCAC8A0B66CDB3ADDD4825F c:\windows\system32\dllcache\explorer.exe

[-] 2008-04-14 00:12 35328 2C2D86746C81F82DE35E639B43DF591B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
[-] 2004-08-04 12:00 35328 6D66A0810B4D0947A187799C618F0A0F c:\windows\system32\ctfmon.exe
[-] 2004-08-04 12:00 35328 135DEA5036F9EBA19FD4E5619CCC73B2 c:\windows\system32\dllcache\ctfmon.exe

[-] 2008-04-14 00:12 77824 6D6FA43A4765DDA269DFD174A7E5235D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
[-] 2004-08-04 12:00 77824 6B6E8B138E4A8E91CE8D6404042D7E8D c:\windows\system32\spoolsv.exe
[-] 2004-08-04 12:00 77824 B978FB23FA8E0673D06A8C07166BC7DF c:\windows\system32\dllcache\spoolsv.exe

[-] 2008-04-14 00:12 46080 AFE92A5AEC531E32BCA0FC21BF7AC1B5 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2004-08-04 12:00 44544 2105A0CC37871AD13928627E252A5D01 c:\windows\system32\userinit.exe
[-] 2004-08-04 12:00 44544 4F5F151B939E02F5312934B9EFE8947D c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-04-18_22.06.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-22 01:56 . 2009-04-22 02:43 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
+ 2009-04-22 20:01 . 2009-04-22 20:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009042220090423\index.dat
+ 2009-04-21 04:06 . 2009-04-22 02:43 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009042120090422\index.dat
+ 2009-04-21 03:10 . 2009-04-21 03:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009042020090421\index.dat
+ 2009-04-21 03:10 . 2009-04-21 03:10 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009041320090420\index.dat
- 2009-04-16 00:26 . 2009-04-18 20:57 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-16 00:26 . 2009-04-22 20:11 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-16 00:26 . 2009-04-18 20:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-16 00:26 . 2009-04-22 20:11 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 39148 c:\windows\system32\certstore.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 46080 c:\windows\idashemg.dll
+ 2009-04-16 00:26 . 2009-04-22 20:11 327680 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5AF42A3-94F3-42BD-F634-0604832C897D}]
2009-04-18 22:09 15000 ----a-w c:\windows\system32\yaubfh983ind.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Gaming Mouse"="c:\program files\Cyber Snipa S.W.A.T. Mouse\S.W.A.T. Mouse.exe" [2006-12-01 839680]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-07-21 462913]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk.disabled [2008-10-14 911]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-1-3 294912]
Reboot.exe [2006-12-29 429056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{D5BF49A0-94F3-42BD-F434-3604812C8955}"= "c:\windows\system32\zfgh83jg3.dll" [2009-04-18 15000]
"{A5AF42A3-94F3-42BD-F634-0604832C897D}"= "c:\windows\system32\yaubfh983ind.dll" [2009-04-18 15000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli idashemg.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Black Isle\\Baldur's Gate\\BGMain2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\day of defeat source\\hl2.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\opposing force\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\half-life blue shift\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\dystopia\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\baldingsteve\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6113:TCP"= 6113:TCP:War3

R1 iqi6bdb;iqi6bdb; [x]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 45132]
R3 XDva225;XDva225; [x]
S1 aswSP;avast! Self Protection; [x]
S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-03-16 13696]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]


--- Other Services/Drivers In Memory ---

*Deregistered* - Aavmker4
*Deregistered* - AFD
*Deregistered* - Apple Mobile Device
*Deregistered* - aswFsBlk
*Deregistered* - aswMon2
*Deregistered* - aswSP
*Deregistered* - aswTdi
*Deregistered* - aswUpdSv
*Deregistered* - Ati HotKey Poller
*Deregistered* - ATI Smart
*Deregistered* - audstub
*Deregistered* - awecho
*Deregistered* - awlegacy
*Deregistered* - Beep
*Deregistered* - BIOS
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - Dhcp
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gernuwa
*Deregistered* - Gpc
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - nvatabus
*Deregistered* - NVSvc
*Deregistered* - NVTCP
*Deregistered* - PartMgr
*Deregistered* - PCIIde
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SCDEmu
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - sr
*Deregistered* - Srv
*Deregistered* - STacSV
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - Udfs
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - wuauserv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22229d0c-2c47-11de-ba43-002197d3ca05}]
\shell\autorun\command - F:\RUNDLL32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff94b590-b958-11dc-b694-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2009-04-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-28 22:08]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\619967451.exe
HKU-Default-Run-reader_s - c:\documents and settings\Owner\reader_s.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/puccini/start
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6mtgxo9p.default\
FF - prefs.js: browser.startup.homepage - www.left4dead411.com/forums
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 16:19
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\6to4]
"ServiceDll"="c:\windows\system32\6to4v32.dll"
--

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\at1394]
"ImagePath"="\??\c:\windows\system32\at1394.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\restore]
"ImagePath"="\??\c:\windows\system32\drivers\restore.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(760)
c:\windows\idashemg.dll

- - - - - - - > 'explorer.exe'(620)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\idashemg.dll
c:\windows\system32\zfgh83jg3.dll
c:\windows\system32\yaubfh983ind.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-04-22 16:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 20:25
ComboFix2.txt 2009-04-18 22:08
ComboFix3.txt 2009-04-18 21:04
ComboFix4.txt 2009-04-18 19:06

Pre-Run: 15,434,309,632 bytes free
Post-Run: 15,427,239,936 bytes free

465 --- E O F --- 2009-04-01 08:05


And I wasn't sure if you wanted another HJT log, so I included one.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:00 PM, on 4/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN2.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\yaubfh983ind.dll - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\yaubfh983ind.dll
O2 - BHO: C:\WINDOWS\system32\zfgh83jg3.dll - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Gaming Mouse] C:\Program Files\Cyber Snipa S.W.A.T. Mouse\S.W.A.T. Mouse.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - S-1-5-21-796845957-1409082233-839522115-1003 Startup: OpenOffice.org 2.4.lnk.disabled (User '?')
O4 - Startup: OpenOffice.org 2.4.lnk.disabled
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Reboot.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O22 - SharedTaskScheduler: as3iur98wajkef3wgf3 - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\yaubfh983ind.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\xpv_5902_012208\wdm\STacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5638 bytes
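
The HijackThis log above carries several of the classic indicators a helper looks for before answering: executables running out of `%Temp%` and `C:\WINDOWS\TEMP`, a `UserInit` value that launches something other than `userinit.exe`, and BHO / SharedTaskScheduler entries whose DLLs have random-looking names in `system32`. The following script is an added example (it is not part of the thread and not a HijackThis feature) that runs those checks over a constructed sample made from lines copied out of the log above, plus a few clean lines so the filters have something to leave alone. The "random-looking name" heuristic and the assumption that `UserInit` should contain only `userinit.exe` are mine.

```python
"""Heuristic triage of a HijackThis (HJT) log for the entry types seen in the thread.

Added example, not part of the original thread or of HijackThis. A hit is a
reason to look closer, not a verdict.
"""
import re

# Constructed sample: lines copied from the HJT log posted above, plus one clean
# line of each kind (winlogon, firefox, avast O4, NVIDIA O23) that must not fire.
SAMPLE_HJT = r"""
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\h2nv9jjxcg.exe
C:\WINDOWS\TEMP\BN2.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\yaubfh983ind.dll - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\yaubfh983ind.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# "O2 - BHO: <name> - {CLSID} - <path>" and the same shape for O22 entries.
ENTRY = re.compile(r"^(O2 - BHO|O22 - SharedTaskScheduler): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


def looks_random(stem):
    """Assumption: a file stem mixing several letters and digits, where the digits
    are not just a trailing version suffix, is suspicious. nvsvc32 and Ati2evxx
    pass; yaubfh983ind and zfgh83jg3 do not."""
    s = stem.lower()
    if not re.fullmatch(r"[a-z0-9]+", s):
        return False
    digits = sum(c.isdigit() for c in s)
    letters = len(s) - digits
    if digits < 2 or letters < 4:
        return False
    return re.fullmatch(r"[a-z]+[0-9]+", s) is None


def stem_of(path):
    """Filename without directory or extension, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text):
    """Return a list of (line, reason) for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        low = line.lower()
        # A bare drive path is an entry from the "Running processes" section.
        if re.match(r"^[a-z]:\\", low):
            if TEMP_DIR.search(line) or low.endswith(".tmp"):
                findings.append((line, "process running from a temp directory or a .tmp file"))
            continue
        if line.startswith("F2 - REG:system.ini: UserInit="):
            values = [v.strip() for v in line.split("=", 1)[1].split(",") if v.strip()]
            extra = [v for v in values if not v.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append((line, "UserInit should only launch userinit.exe; extra: " + ", ".join(extra)))
            continue
        m = ENTRY.match(line)
        if m:
            kind, name, _clsid, path = m.groups()
            random_name = looks_random(stem_of(path))
            if kind.startswith("O22"):
                why = "SharedTaskScheduler entry (rare)" + ("; random-looking DLL name" if random_name else "")
                findings.append((line, why))
            elif name.lower() == path.lower() or random_name:
                findings.append((line, "BHO with no proper display name or a random-looking DLL name"))
            continue
        if line.startswith("O4 - ") and TEMP_DIR.search(line):
            findings.append((line, "autorun entry pointing into a temp directory"))
    return findings


if __name__ == "__main__":
    for hit, reason in triage(SAMPLE_HJT):
        print(f"{reason}\n    {hit}")
```

Run as-is it reports five of the nine sample lines and stays quiet on the clean ones; the same `triage()` can be pointed at a full `hijackthis.log` read from disk. It deliberately does not touch O23 service lines, where the `(file missing)` tail is HijackThis's own flag and needs no help.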

pskelley
2009-04-22, 22:38
This machine needs to be formatted.

This system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc) only. DO NOT back up any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

See miekiemoes' blog for similar comments here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Information Links

http://free.avg.com/66558
http://www.avast.com/eng/win32-virut.html
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=66586
http://securitywatch.eweek.com/exploits_and_attacks/virut_delivers_polymorphic_punch.html

:sad:
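
The backup rules in the post above (documents only; no .exe or .scr; no archives that carry them; htm/html/asp/php may have been tampered with) are easy to get wrong by hand across a whole profile. The script below is an added example, not part of the thread and not a tool from any of the linked sites; it walks a directory tree and sorts every file into copy, review or skip under those rules. It inspects zip archives with the standard library; cab and rar archives are not inspected here and are sent to review instead. The sample tree it builds is constructed for the demonstration and contains no real data.

```python
"""Plan a documents-only backup from a Virut-infected machine.

Added example, not part of the original thread. Rules follow the post above:
skip .exe/.scr, skip zips that contain them, hold htm/html/asp/php for manual
review, and treat archive types this script cannot open as needing review.
"""
import tempfile
import zipfile
from pathlib import Path

INFECTABLE = {".exe", ".scr"}            # Virut appends itself to these
WEB_FILES = {".htm", ".html", ".asp", ".php"}  # modified by recent variants
UNINSPECTED_ARCHIVES = {".cab", ".rar"}  # named in the post; not opened here


def classify(path):
    """Return (verdict, reason) with verdict in {"copy", "review", "skip"}."""
    ext = path.suffix.lower()
    if ext in INFECTABLE:
        return "skip", "executable or screensaver: may be infected"
    if ext in UNINSPECTED_ARCHIVES:
        return "review", "archive not inspected here; check by hand for .exe/.scr members"
    if ext == ".zip":
        try:
            with zipfile.ZipFile(path) as zf:
                bad = [n for n in zf.namelist() if Path(n).suffix.lower() in INFECTABLE]
        except zipfile.BadZipFile:
            return "skip", "unreadable zip"
        if bad:
            return "skip", "zip contains executables: " + ", ".join(bad)
        return "copy", "zip without executables"
    if ext in WEB_FILES:
        return "review", "htm/html/asp/php: recent variants modify these"
    return "copy", "document"


def plan_backup(root):
    """Walk root and bucket every regular file; paths are reported relative to root."""
    root = Path(root)
    plan = {"copy": [], "review": [], "skip": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            verdict, why = classify(p)
            plan[verdict].append((p.relative_to(root).as_posix(), why))
    return plan


def build_sample_tree(base):
    """Constructed sample resembling a user profile (not real data)."""
    base = Path(base)
    (base / "My Documents").mkdir(parents=True)
    (base / "My Documents" / "thesis.odt").write_bytes(b"odt")
    (base / "My Documents" / "notes.html").write_text("<html></html>")
    (base / "reader_s.exe").write_bytes(b"MZ")
    (base / "wallpaper.scr").write_bytes(b"MZ")
    (base / "old.rar").write_bytes(b"Rar!")
    with zipfile.ZipFile(base / "clean.zip", "w") as zf:
        zf.writestr("readme.txt", "hi")
    with zipfile.ZipFile(base / "tools.zip", "w") as zf:
        zf.writestr("tools/setup.exe", "MZ")
    return base


def demo():
    """Build the sample tree in a temp dir and return its backup plan."""
    with tempfile.TemporaryDirectory() as d:
        return plan_backup(build_sample_tree(Path(d) / "Owner"))


if __name__ == "__main__":
    for verdict, items in demo().items():
        for rel, why in items:
            print(f"{verdict:6} {rel}  ({why})")
```

One caveat that matters on this kind of machine: the script runs on top of `python.exe`, which is itself an .exe on the infected drive. Run it (and the copy step that follows) from a clean boot medium with the Windows drive mounted read-only, then write the "copy" set to the DVD or empty external drive the post recommends.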

BaldingSteve
2009-04-22, 22:43
Oh great. Well I guess there's no denying it then, I'll just have to format.

Thanks for your help.