Windows Security Centre Malware
boxman498
2010-04-09, 05:26
I have the Signs of Malware and have read the "Before you Post" thread. I have also reviewed a number of other threads that seem to be very similar to what I am experiencing.
I have a personal computer that appears to have the Windows Security Centre malware (Windows Security Centre pop-ups, disabled Malwarebytes Anti-Malware, constant re-directs to other websites).
I did a couple of computer scans using Norton. The problems persisted and I then had no luck with the System Restore (after the first attempt, I was unable to do a System Restore at all).
Can someone please help?
Here is my Hijack This log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:01 PM, on 08/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\LClock\LClock.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
G:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\jeff\Local Settings\Application Data\vma.exe
C:\Program Files\Logitech\Z Cinema\Z Cinema.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\ASUS.SYS\config\DVMExportService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] "C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] G:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Startup: Z Cinema.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250450003546
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - G:\Program Files\QuickTax 2008\ic2008pp.dll
O18 - Protocol: intu-qt2009 - {03947252-2355-4E9B-B446-8CCC75C43370} - G:\QuickTax 2009\ic2009pp.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM - C:\ASUS.SYS\config\DVMExportService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 10020 bytes
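As an added example (not code from the thread, nor part of HijackThis itself), a small Python triage script for HijackThis v2 logs: it parses the running-process list and the O2/O3/O4 entries and flags the two patterns a helper would look at first in a log like the one above, an executable running from a user's Local Settings\Application Data directory (vma.exe here) and browser add-on registrations whose backing file is missing. The sample log is a constructed excerpt of the posted one; the O4 line for vma.exe is also constructed, since the posted log shows vma.exe only among the running processes.

```python
"""Triage helper for HijackThis v2 logs (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed excerpt in the format HijackThis v2 emits, modelled on the posted log.
# The last O4 line is constructed for illustration; in the posted log vma.exe
# appears only as a running process.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\jeff\Local Settings\Application Data\vma.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [constructed] "C:\Documents and Settings\jeff\Local Settings\Application Data\vma.exe"
--
End of file - 10020 bytes
"""


@dataclass
class Finding:
    section: str   # "process", "O2", "O3" or "O4"
    line: str      # the log line that triggered the finding
    reason: str    # why a helper would look at it


# Per-user data directories that legitimate auto-start programs rarely live in.
PROFILE_DIR_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(local settings|application data)\\", re.I)
TEMP_DIR_RE = re.compile(r"\\temp\\|\\temporary internet files\\", re.I)
# Generic HijackThis entry: "O4 - ..." or "R1 - ..."
ENTRY_RE = re.compile(r"^(?P<code>O\d+|R\d) - (?P<body>.*)$")
# O4 autorun entry: "O4 - HKLM\..\Run: [name] target"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
ORPHAN_RE = re.compile(r"\((no file|file missing)\)\s*$", re.I)


def parse_sections(text):
    """Return (running_processes, [(code, line), ...]) from a HijackThis log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first Rn/On entry ends the process list
            entries.append((m.group("code"), line))
        elif in_procs:
            processes.append(line)
    return processes, entries


def exe_target(o4_target):
    """Strip quoting and arguments from an O4 target to get the launched path."""
    t = o4_target.strip()
    if t.startswith('"'):
        end = t.find('"', 1)
        return t[1:end] if end > 0 else t[1:]
    m = re.match(r"(?i)(.*?\.(?:exe|dll|com|scr|bat))\b", t)
    return m.group(1) if m else t.split()[0]


def suspicious_path_reason(path):
    """Return a reason string if the path is somewhere auto-started code should not be."""
    if PROFILE_DIR_RE.search(path):
        return "executable launched from a user profile data directory"
    if TEMP_DIR_RE.search(path):
        return "executable launched from a temp directory"
    return None


def triage(text):
    """Apply the two heuristics to a whole log and return the findings in log order."""
    processes, entries = parse_sections(text)
    findings = []
    for p in processes:
        reason = suspicious_path_reason(p)
        if reason:
            findings.append(Finding("process", p, reason))
    for code, line in entries:
        if code in ("O2", "O3") and ORPHAN_RE.search(line):
            findings.append(Finding(code, line,
                                    "browser add-on registration whose file no longer exists"))
        elif code == "O4":
            m = O4_RE.match(line)
            if m:
                reason = suspicious_path_reason(exe_target(m.group("target")))
                if reason:
                    findings.append(Finding(code, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Orphaned O2/O3 entries are usually leftovers from an uninstalled toolbar rather than an infection; the script lists them because HijackThis can fix them, and a clean log makes the real finding (vma.exe) stand out.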
Hi boxman498
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)
Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)
Important! Please do not select the "Show all" checkbox during the scan.
boxman498
2010-04-12, 00:53
Hello Shaba,
Here is the result from the scan.
Thanks.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-11 17:51:59
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\jeff\LOCALS~1\Temp\kgwyrfod.sys
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xB7F21794]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5B65380, 0x3DEB95, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1244] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1244] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1244] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1244] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01F7000A
.text C:\WINDOWS\System32\svchost.exe[1244] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 01F6000A
.text C:\WINDOWS\Explorer.EXE[1872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1872] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1872] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A75FCA1
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
We will continue with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
boxman498
2010-04-14, 02:54
Hello Shaba,
Thanks for your help so far.
I have ComboFix on my desktop and have tried to run it; however, I am now getting a "Security Warning" instead, which states that the vma.exe file is infected and asks if I want to activate the antivirus software.
Any ideas?
Thanks,
Yes vma.exe is infected for sure.
Please run combofix in safe mode.
boxman498
2010-04-14, 23:33
Thank you again Shaba for your help.
Combo Fix did work in Safe Mode and after re-starting, things seem to be running normally.
Here are the logs:
Combo Fix:
ComboFix 10-04-13.04 - Administrator 14/04/2010 15:49:38.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3224 [GMT -4:00]
Running from: D:\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\jeff\Local Settings\Application Data\{F6CC1FE1-F3C8-468D-9EAE-41BEA4FBB2B7}
c:\documents and settings\jeff\Local Settings\Application Data\{F6CC1FE1-F3C8-468D-9EAE-41BEA4FBB2B7}\chrome\content\_cfg.js
c:\documents and settings\jeff\Local Settings\Application Data\{F6CC1FE1-F3C8-468D-9EAE-41BEA4FBB2B7}\chrome\content\overlay.xul
c:\documents and settings\jeff\Local Settings\Application Data\{F6CC1FE1-F3C8-468D-9EAE-41BEA4FBB2B7}\install.rdf
c:\documents and settings\jeff\Local Settings\Application Data\Microsoft\Windows Defender\ave.exe
c:\documents and settings\jeff\Local Settings\Application Data\vma.exe
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\0wEcYe.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\1317RV4I.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\1O0uv5Y.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\2hBn8o.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\2V8L2.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\356Wk1RO.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\3FFtT83PE.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\3ivRRb.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\4112gPUL.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\483ut0.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\4pt6x2wm7.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\5hLtDu.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\87y8UR1M.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\8lHRo8.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\8xI86asE.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\cNy7J.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\cRjlQ5.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\f77RfG.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\g7F0x18c.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\gK4ueP.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\H3fUklXQD.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\JeI0t.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\lBv44GV.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\M8OGY.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\MBR6ms43.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\MnUK1xru.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\pog44j875.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\riwT4gfr.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\s623B1YQO.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\se87vof7S.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\tgorm0i2.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\V7f8Gjtn.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\Vr8l2JCid.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\wJud4.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\Xe54s.jpg
c:\documents and settings\jeff\Local Settings\Temporary Internet Files\Y2r0iD14K.jpg
c:\windows\system32\ATHPRXY(2).DLL
c:\windows\system32\VB6KO.DLL
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))
.
2010-04-14 14:01 . 2010-04-14 14:01 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-04-12 01:03 . 2010-04-12 01:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\pexrddybq
2010-04-07 02:55 . 2010-04-07 02:55 -------- d-----w- c:\program files\Trend Micro
2010-04-07 02:54 . 2010-04-07 02:54 -------- d-----w- c:\program files\ERUNT
2010-04-04 17:18 . 2010-04-04 17:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-04-04 17:18 . 2010-04-04 17:18 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-04 17:09 . 2010-04-04 17:18 -------- d-----w- c:\windows\system32\wbem\Repository.tmp
2010-04-04 16:58 . 2010-04-04 17:09 -------- d-----w- c:\windows\system32\wbem\Repository(3).tmp
2010-04-04 16:44 . 2010-04-04 16:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\URSoft
2010-04-04 14:10 . 2010-04-04 17:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-04-04 14:07 . 2010-04-04 14:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-04-04 12:38 . 2010-04-04 12:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-04 12:38 . 2010-04-04 12:38 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-04 12:37 . 2010-04-14 14:01 -------- d-s---w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-04 12:37 . 2010-04-14 14:01 -------- d-----w- c:\documents and settings\Administrator
2010-04-04 04:16 . 2010-04-12 01:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-04 03:48 . 2010-04-13 23:49 197120 --sha-w- c:\documents and settings\jeff\Local Settings\Application Data\2554285925.dll
2010-04-03 21:42 . 2010-04-04 17:19 -------- d-----w- c:\documents and settings\jeff\Local Settings\Application Data\Symantec
2010-04-03 21:41 . 2001-09-24 11:59 57696 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-03 21:41 . 2001-09-24 11:59 4032 ----a-w- c:\windows\system32\SYMEVNT1.DLL
2010-04-03 21:41 . 2001-09-24 11:59 36864 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-03 21:41 . 2010-04-04 17:19 -------- d-----w- c:\program files\NavNT
2010-04-02 08:55 . 2010-04-02 08:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-02 04:06 . 2010-04-04 16:58 -------- d-----w- c:\windows\system32\wbem\Repository(2).tmp
2010-04-02 02:15 . 2010-04-02 04:02 -------- d-----w- c:\program files\NavNT(2)
2010-04-01 02:33 . 2010-04-02 04:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-04-01 01:53 . 2010-04-01 01:53 120 ----a-w- c:\windows\Rzomil.dat
2010-04-01 01:53 . 2010-04-01 01:53 0 ----a-w- c:\windows\Bdiceq.bin
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 19:41 . 2009-08-16 23:55 -------- d-----w- c:\program files\lg_fwupdate
2010-04-10 21:40 . 2009-08-22 03:46 137200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-10 21:40 . 2009-08-22 03:46 215152 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-10 03:10 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-10 03:10 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-04-07 02:26 . 2010-03-06 21:13 -------- d-----w- c:\documents and settings\jeff\Application Data\XTrackCad
2010-04-04 17:19 . 2009-08-16 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-04 17:19 . 2009-08-16 12:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-04 17:17 . 2009-08-16 12:19 -------- d-----w- c:\program files\Symantec
2010-04-04 16:44 . 2009-08-16 12:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-02 04:08 . 2009-08-17 00:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 04:03 . 2009-10-16 13:48 -------- d-----w- c:\program files\iTunes
2010-04-02 04:03 . 2009-10-16 13:48 -------- d-----w- c:\program files\QuickTime
2010-04-02 04:03 . 2009-08-16 04:06 -------- d-----w- c:\program files\LClock
2010-04-02 03:55 . 2010-04-02 03:59 171392 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-04-01 01:52 . 2010-03-30 20:35 112 ----a-w- c:\documents and settings\All Users\Application Data\nO0A78.dat
2010-04-01 01:52 . 2010-04-01 01:52 65026 ----a-w- c:\windows\Fonts\TB0wo.com_
2010-03-27 02:07 . 2009-08-17 11:57 -------- d-----w- c:\documents and settings\jeff\Application Data\LimeWire
2010-03-07 05:59 . 2009-08-16 18:47 29024 ----a-w- c:\documents and settings\jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 21:46 . 2010-03-06 21:30 -------- d-----w- c:\documents and settings\jeff\Application Data\Intuit Canada
2010-03-06 21:46 . 2010-03-06 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit Canada
2010-03-06 21:30 . 2010-03-06 21:30 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-03-06 21:30 . 2010-03-06 21:30 -------- d-----w- c:\program files\Common Files\Intuit
2010-02-28 06:18 . 2009-08-17 11:16 -------- d-----w- c:\documents and settings\jeff\Application Data\uTorrent
2010-02-27 06:59 . 2010-02-27 06:39 -------- d-----w- c:\program files\Ask.com
2010-02-27 06:39 . 2010-02-27 06:39 -------- d-----w- c:\program files\Common Files\SourceTec
2010-02-25 06:24 . 2008-06-19 20:42 916480 ----a-w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"IE7-10"="advpack.dll" [2009-03-08 128512]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"Ai Nap"="c:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2009-03-28 1431040]
"QFan Help"="c:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2009-03-09 598528]
"Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-12-01 881152]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-16 122368]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2009-03-10 570664]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-10-01 548864]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-03-16 210216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"PWRISOVM.EXE"="g:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
c:\documents and settings\jeff\Start Menu\Programs\Startup\
Styler.lnk - c:\documents and settings\jeff\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2009-8-16 15086]
Z Cinema.lnk - c:\documents and settings\jeff\Application Data\Microsoft\Installer\{EE885042-228A-446F-A30D-64ECBDC93859}\StartupShortcut_EE885042228A446FA30D64ECBDC93859.exe [2009-8-27 172032]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-24 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"f:\\Program Files\\ATCS Monitor\\atcsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
S2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [01/12/2008 6:33 PM 323584]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 1:17 AM 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [16/08/2009 8:21 PM 269648]
S3 .ne.nec;.ne.nec; [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [16/08/2009 8:21 PM 19160]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [16/08/2009 2:43 PM 39456]
S3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [21/04/2007 10:15 AM 9344]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [09/01/2010 11:23 AM 17792]
S3 ZCinema_TSHD;ZCinema TruSurround HD driver;c:\windows\system32\drivers\ZCinema_SRS_i386.sys [27/08/2009 9:37 PM 21392]
.
Contents of the 'Scheduled Tasks' folder
2010-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:17]
2010-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:17]
2010-04-12 c:\windows\Tasks\Malwarebytes' Scheduled Scan for jeff.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-17 19:53]
2010-04-12 c:\windows\Tasks\Malwarebytes' Scheduled Update for jeff.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-17 19:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
AddRemove-Free Audio CD Burner_is1 - c:\program files\DVDVideoSoft\Free Audio CD Burner\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-14 15:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1454471165-1035525444-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,82,a7,5c,89,a5,8e,3e,4d,94,73,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,82,a7,5c,89,a5,8e,3e,4d,94,73,6f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\NavLogon.dll
.
Completion time: 2010-04-14 15:55:51
ComboFix-quarantined-files.txt 2010-04-14 19:55
Pre-Run: 483,183,910,912 bytes free
Post-Run: 484,151,721,984 bytes free
- - End Of File - - F8F9167FEEAFC62BFC2162FDCE2E8331
Hijack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:29 PM, on 14/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LClock\LClock.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Logitech\Z Cinema\Z Cinema.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\ASUS.SYS\config\DVMExportService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] "C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] G:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Startup: Z Cinema.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250450003546
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - G:\Program Files\QuickTax 2008\ic2008pp.dll
O18 - Protocol: intu-qt2009 - {03947252-2355-4E9B-B446-8CCC75C43370} - G:\QuickTax 2009\ic2009pp.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM - C:\ASUS.SYS\config\DVMExportService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 8831 bytes
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\pexrddybq
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
boxman498
2010-04-16, 05:44
Hello Shaba,
Here is the result of the CFScript scan:
ComboFix 10-04-14.04 - Administrator 15/04/2010 22:23:20.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3318 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.
2010-04-14 20:04 . 2010-04-14 20:04 -------- d-----w- c:\windows\system32\xircom
2010-04-14 20:04 . 2010-04-14 20:04 -------- d-----w- c:\windows\system32\wbem\snmp
2010-04-14 20:04 . 2010-04-14 20:04 -------- d-----w- c:\program files\microsoft frontpage
2010-04-14 19:59 . 2010-04-14 19:59 29024 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-14 19:59 . 2010-04-14 19:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nero
2010-04-04 17:19 . 2010-04-04 17:19 -------- d-----w- c:\documents and settings\Administrator\7zS1FE1.tmp
2010-04-04 17:19 . 2010-04-04 17:19 -------- d-----w- c:\documents and settings\Administrator\7zS1FDC.tmp
2010-04-04 17:19 . 2010-04-04 17:19 -------- d-----w- c:\documents and settings\Administrator\7zS1FD4.tmp
2010-04-04 14:07 . 2010-04-04 14:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-04-04 12:38 . 2010-04-04 12:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-04 12:38 . 2010-04-04 12:38 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-04 12:37 . 2010-04-14 14:01 -------- d-s---w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-04 12:37 . 2010-04-14 14:01 -------- d-----w- c:\documents and settings\Administrator
2010-04-04 04:16 . 2010-04-12 01:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-04 03:48 . 2010-04-13 23:49 197120 --sha-w- c:\documents and settings\jeff\Local Settings\Application Data\2554285925.dll
2010-04-03 21:42 . 2010-04-04 17:19 -------- d-----w- c:\documents and settings\jeff\Local Settings\Application Data\Symantec
2010-04-03 21:41 . 2001-09-24 11:59 57696 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-03 21:41 . 2001-09-24 11:59 4032 ----a-w- c:\windows\system32\SYMEVNT1.DLL
2010-04-03 21:41 . 2001-09-24 11:59 36864 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-03 21:41 . 2010-04-04 17:19 -------- d-----w- c:\program files\NavNT
2010-04-02 08:55 . 2010-04-02 08:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-02 04:06 . 2010-04-04 16:58 -------- d-----w- c:\windows\system32\wbem\Repository(2).tmp
2010-04-02 02:15 . 2010-04-02 04:02 -------- d-----w- c:\program files\NavNT(2)
2010-04-01 02:33 . 2010-04-02 04:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-04-01 01:53 . 2010-04-01 01:53 120 ----a-w- c:\windows\Rzomil.dat
2010-04-01 01:53 . 2010-04-01 01:53 0 ----a-w- c:\windows\Bdiceq.bin
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-15 23:45 . 2009-08-16 23:55 -------- d-----w- c:\program files\lg_fwupdate
2010-04-10 21:40 . 2009-08-22 03:46 137200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-10 21:40 . 2009-08-22 03:46 215152 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-10 03:10 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-04-10 03:10 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-07 02:55 . 2010-04-07 02:55 -------- d-----w- c:\program files\Trend Micro
2010-04-07 02:54 . 2010-04-07 02:54 -------- d-----w- c:\program files\ERUNT
2010-04-07 02:26 . 2010-03-06 21:13 -------- d-----w- c:\documents and settings\jeff\Application Data\XTrackCad
2010-04-04 17:19 . 2009-08-16 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-04 17:19 . 2009-08-16 12:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-04 17:17 . 2009-08-16 12:19 -------- d-----w- c:\program files\Symantec
2010-04-04 16:44 . 2009-08-16 12:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-04 16:44 . 2010-04-04 16:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\URSoft
2010-04-02 04:08 . 2009-08-17 00:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 04:03 . 2009-10-16 13:48 -------- d-----w- c:\program files\iTunes
2010-04-02 04:03 . 2009-10-16 13:48 -------- d-----w- c:\program files\QuickTime
2010-04-02 04:03 . 2009-08-16 04:06 -------- d-----w- c:\program files\LClock
2010-04-02 03:55 . 2010-04-02 03:59 171392 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-04-01 01:52 . 2010-03-30 20:35 112 ----a-w- c:\documents and settings\All Users\Application Data\nO0A78.dat
2010-04-01 01:52 . 2010-04-01 01:52 65026 ----a-w- c:\windows\Fonts\TB0wo.com_
2010-03-27 02:07 . 2009-08-17 11:57 -------- d-----w- c:\documents and settings\jeff\Application Data\LimeWire
2010-03-07 05:59 . 2009-08-16 18:47 29024 ----a-w- c:\documents and settings\jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 21:46 . 2010-03-06 21:30 -------- d-----w- c:\documents and settings\jeff\Application Data\Intuit Canada
2010-03-06 21:46 . 2010-03-06 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit Canada
2010-03-06 21:30 . 2010-03-06 21:30 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-03-06 21:30 . 2010-03-06 21:30 -------- d-----w- c:\program files\Common Files\Intuit
2010-02-28 06:18 . 2009-08-17 11:16 -------- d-----w- c:\documents and settings\jeff\Application Data\uTorrent
2010-02-27 06:59 . 2010-02-27 06:39 -------- d-----w- c:\program files\Ask.com
2010-02-27 06:39 . 2010-02-27 06:39 -------- d-----w- c:\program files\Common Files\SourceTec
2010-02-25 06:24 . 2008-06-19 20:42 916480 ------w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-04-14_19.55.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 12:00 . 2010-04-14 19:52 71060 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-04-16 02:20 71060 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-04-16 02:20 441124 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2010-04-14 19:52 441124 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"IE7-10"="advpack.dll" [2009-03-08 128512]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"Ai Nap"="c:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2009-03-28 1431040]
"QFan Help"="c:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2009-03-09 598528]
"Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-12-01 881152]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-16 122368]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2009-03-10 570664]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-10-01 548864]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-03-16 210216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"PWRISOVM.EXE"="g:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
c:\documents and settings\jeff\Start Menu\Programs\Startup\
Styler.lnk - c:\documents and settings\jeff\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2009-8-16 15086]
Z Cinema.lnk - c:\documents and settings\jeff\Application Data\Microsoft\Installer\{EE885042-228A-446F-A30D-64ECBDC93859}\StartupShortcut_EE885042228A446FA30D64ECBDC93859.exe [2009-8-27 172032]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-24 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"f:\\Program Files\\ATCS Monitor\\atcsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
S2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [01/12/2008 6:33 PM 323584]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 1:17 AM 135664]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [16/08/2009 8:21 PM 269648]
S3 .ne.nec;.ne.nec; [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [16/08/2009 8:21 PM 19160]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [16/08/2009 2:43 PM 39456]
S3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [21/04/2007 10:15 AM 9344]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [09/01/2010 11:23 AM 17792]
S3 ZCinema_TSHD;ZCinema TruSurround HD driver;c:\windows\system32\drivers\ZCinema_SRS_i386.sys [27/08/2009 9:37 PM 21392]
.
Contents of the 'Scheduled Tasks' folder
2010-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:17]
2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:17]
2010-04-16 c:\windows\Tasks\Malwarebytes' Scheduled Scan for jeff.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-17 19:53]
2010-04-16 c:\windows\Tasks\Malwarebytes' Scheduled Update for jeff.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-08-17 19:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 22:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1454471165-1035525444-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,82,a7,5c,89,a5,8e,3e,4d,94,73,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,82,a7,5c,89,a5,8e,3e,4d,94,73,6f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\NavLogon.dll
- - - - - - - > 'explorer.exe'(1452)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-15 22:28:50
ComboFix-quarantined-files.txt 2010-04-16 02:28
ComboFix2.txt 2010-04-14 19:55
Pre-Run: 484,118,867,968 bytes free
Post-Run: 484,087,926,784 bytes free
- - End Of File - - BDE238583508FBC7E1D3E179E4EC2A20
I'm very sorry about the delayed reply, but I never got an email notification.
Did you include Folder:: in CFScript as well?