Re: Need Help with HJT Log
Okay, ComboFix log below.
Additional note: my nephew tried running Symantec's FixVundo a second time (I didn't find that out until he'd already done it), and it looks like it may have removed the Vundo. But one of the current spyware tools we installed is now reporting PurityScan as present.
Thanks again for the help.
ComboFix 07-12-31.4 - Cheshire Cat 2008-01-06 6:53:15.3 - NTFSx86 MINIMAL
Running from: C:\Regular Random Crap\compooter safteh\ComboFix(2).exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Cheshire Cat\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Cheshire Cat\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Cheshire Cat\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\QdrModule11 .exe
C:\WINDOWS\system32\mcrh.tmp
.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.
2008-01-06 06:35 . 2008-01-06 06:35 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Program Files\Webroot
2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\Cheshire Cat\Application Data\Webroot
2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-04 05:31 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2008-01-04 05:31 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-04 05:31 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-04 05:31 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-04 05:31 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-03 21:26 . 2008-01-03 21:36 <DIR> d-------- C:\VundoFix Backups
2007-12-31 22:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 16:47 . 2007-03-09 00:02 919,280 --a------ C:\notwhatyouwant.exe
2007-12-31 13:57 . 2007-12-31 13:58 <DIR> d-------- C:\Die vundo die
2007-12-31 00:23 . 2007-12-31 00:24 14,651,520 --a------ C:\ssftrialsnrsetup1_23282812.exe
2007-12-30 22:20 . 2007-12-30 22:21 194 --a------ C:\WINDOWS\wininit.ini
2007-12-30 21:59 . 2007-12-31 00:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-29 07:46 . 2008-01-01 16:22 <DIR> d-------- C:\Documents and Settings\Uhanimar\Application Data\AVG7
2007-12-29 04:39 . 2007-12-29 04:39 <DIR> d-------- C:\Program Files\RADVideo
2007-12-28 21:08 . 2007-12-28 21:08 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-28 00:32 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-28 00:32 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-28 00:32 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-28 00:32 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-27 22:53 . 2008-01-04 20:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-27 22:53 . 2007-12-27 22:53 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-27 20:38 . 2007-12-27 20:38 <DIR> d-------- C:\Program Files\Metaboli Downloader
2007-12-22 17:02 . 2007-12-23 09:10 90,112 --a------ C:\WINDOWS\UpdReg .EXE
2007-12-22 17:02 . 2007-12-23 09:10 41,984 --a------ C:\WINDOWS\CTRegRun .EXE
2007-12-18 23:17 . 2007-12-28 00:36 <DIR> d-------- C:\Program Files\The Witcher Demo
2007-12-16 22:37 . 2007-12-16 22:55 <DIR> d-------- C:\Games
2007-12-09 07:29 . 2007-12-09 07:29 <DIR> d-------- C:\Program Files\NifTools
2007-12-07 18:18 . 2007-12-07 18:20 <DIR> d-------- C:\Daggermid
2007-12-06 13:29 . 2007-12-08 16:12 <DIR> d-------- C:\Program Files\Daggerfall Jukebox
2007-12-06 13:22 . 2007-12-07 18:17 <DIR> d-------- C:\Renabled
2007-12-06 00:16 . 2007-12-06 00:16 19,835 --a------ C:\hollyking.jpg
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 07:10 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\AVG7
2007-12-30 20:59 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\Bioshock
2007-12-30 06:46 --------- d-----w C:\Program Files\Paint Shop Pro 5
2007-12-28 05:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 08:14 --------- d-----w C:\Program Files\Steam
2007-12-23 22:47 --------- d-----w C:\Program Files\QuickTime
2007-12-15 22:49 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\LimeWire
2007-12-12 22:22 --------- d-----w C:\Program Files\DOSBox-0.63
2007-12-10 21:25 --------- d-----w C:\Program Files\Bethesda Softworks
2007-12-03 22:04 --------- d-----w C:\Program Files\Diablo II
2007-12-03 21:42 --------- d-----w C:\Program Files\Microsoft Games
2007-11-30 23:51 --------- d-----w C:\Program Files\ReflexiveArcade
2007-11-29 03:42 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-11-28 08:55 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-11-27 01:17 --------- d-----w C:\Program Files\VSTPlugins
2007-11-26 23:01 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\Steinberg
2007-11-26 22:59 --------- d-----w C:\Program Files\Steinberg
2007-11-26 22:57 --------- d-----w C:\Program Files\Pinnacle
2007-11-26 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2007-11-26 11:03 --------- d-----w C:\Program Files\Tomb Raider - Legend Demo
2007-11-25 09:18 --------- d-----w C:\Program Files\UT2004Demo
2007-11-25 08:50 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-18 16:33 --------- d-----w C:\Program Files\Winamp
2007-11-06 12:43 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\AccurateRip
2007-11-03 03:10 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-11-03 03:10 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-11-02 03:59 42 ----a-w C:\Program Files\Common Files\appop.log
2007-10-24 04:53 6,532,138 ----a-w C:\DBProto_20071023.zip
2007-10-22 08:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-11 22:01 266,508 ----a-w C:\x0xb0x26_Panel.zip
2007-09-07 00:00 101,200 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_06_19_58_33_small.dmp.zip
2007-08-02 14:06 20,256,064 ----a-w C:\Program Files\QuickTimeInstaller.exe
2007-03-09 10:07 1 ----a-w C:\Documents and Settings\Cheshire Cat\SI.bin
.
----a-w 313,472 2007-12-23 14:10:12 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 106,496 2007-12-23 14:09:57 C:\Program Files\AMD\amd_dc_opt\amd_dc_opt .exe
----a-w 185,632 2007-12-23 14:10:02 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 49,152 2007-12-23 14:10:08 C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
----a-w 122,880 2007-12-23 14:10:07 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu .exe
----a-w 32,768 2007-12-23 14:10:05 C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w 579,072 2007-12-23 14:10:11 C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w 270,336 2007-12-23 14:09:57 C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr .exe
----a-w 299,008 2007-12-22 22:02:42 C:\Program Files\InterVideo\Disc Master 2.5\DirectCD .exe
----a-w 132,496 2007-12-23 14:09:58 C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w 1,694,208 2007-12-23 14:10:12 C:\Program Files\Messenger\msmsgs .exe
----a-w 1,003,520 2007-12-23 14:10:05 C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control .exe
----a-w 41,984 2007-12-23 14:10:07 C:\WINDOWS\CTRegRun .EXE
----a-w 90,112 2007-12-23 14:10:02 C:\WINDOWS\UpdReg .EXE
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4695AAAF-0803-4CBF-A34D-FDAE34F2DBD2}]
C:\WINDOWS\system32\mlljk.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2006-02-28 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"FIREBOX"="C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe" [ ]
"NvMediaCenter"="RUNDLL32.exe" [2006-02-28 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"CTHelper"="CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02 919280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 11:49 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuuss]
cbxuuss.dll
R0 ivicd;Ivi CDVD Filter Driver;C:\WINDOWS\system32\drivers\ivicd.sys [2005-01-12 05:29]
R3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-27 13:24]
S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
S3 iviudf;iviudf;C:\WINDOWS\system32\drivers\IviUdf.sys [2005-06-23 01:09]
S3 MySqlMain;MySqlMain;C:\DEVEL\MYSQL\BIN\MYSQLD MySqlMain []
S3 ps_1394;ps_1394;C:\WINDOWS\system32\Drivers\ps_1394.sys [2004-10-14 17:33]
S3 ps_avs;ps_avs;C:\WINDOWS\system32\Drivers\ps_avs.sys [2004-10-14 17:33]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 21:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-04 10:31:27 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 06:59:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-01-06 7:01:14
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-06 12:00:24
.
2007-06-26 09:23:06 --- E O F ---
Re: new ComboFix log, part 1
The new log exceeds the forum limits, so I'm going to try posting it in two sections.
Thanks.
Part I:
ComboFix 08-01-07.5 - Cheshire Cat 2008-01-08 6:20:14.9 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1761 [GMT -5:00]
Running from: C:\Regular Random Crap\compooter safteh\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.
2008-01-07 05:35 . 2008-01-08 06:18 2,680,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-07 05:35 . 2008-01-08 06:18 32,492 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-06 06:35 . 2008-01-06 06:35 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Program Files\Webroot
2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\Cheshire Cat\Application Data\Webroot
2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-04 05:31 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2008-01-04 05:31 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-04 05:31 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-04 05:31 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-04 05:31 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-03 21:26 . 2008-01-03 21:36 <DIR> d-------- C:\VundoFix Backups
2007-12-31 22:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 16:47 . 2007-03-09 00:02 919,280 --a------ C:\notwhatyouwant.exe
2007-12-31 13:57 . 2007-12-31 13:58 <DIR> d-------- C:\Die vundo die
2007-12-31 00:23 . 2007-12-31 00:24 14,651,520 --a------ C:\ssftrialsnrsetup1_23282812.exe
2007-12-30 22:20 . 2007-12-30 22:21 194 --a------ C:\WINDOWS\wininit.ini
2007-12-30 21:59 . 2007-12-31 00:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-29 07:46 . 2008-01-01 16:22 <DIR> d-------- C:\Documents and Settings\Uhanimar\Application Data\AVG7
2007-12-29 04:39 . 2007-12-29 04:39 <DIR> d-------- C:\Program Files\RADVideo
2007-12-28 21:08 . 2007-12-28 21:08 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-28 00:32 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-28 00:32 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-28 00:32 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-28 00:32 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-27 22:53 . 2008-01-04 20:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-27 22:53 . 2007-12-27 22:53 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-27 20:38 . 2007-12-27 20:38 <DIR> d-------- C:\Program Files\Metaboli Downloader
2007-12-22 17:02 . 2007-12-23 09:10 90,112 --a------ C:\WINDOWS\UpdReg .EXE
2007-12-22 17:02 . 2007-12-23 09:10 41,984 --a------ C:\WINDOWS\CTRegRun .EXE
2007-12-18 23:17 . 2007-12-28 00:36 <DIR> d-------- C:\Program Files\The Witcher Demo
2007-12-16 22:37 . 2007-12-16 22:55 <DIR> d-------- C:\Games
2007-12-09 07:29 . 2007-12-09 07:29 <DIR> d-------- C:\Program Files\NifTools
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 01:39 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\AVG7
2008-01-07 20:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 10:40 116,282 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_01_07_05_34_16_small.dmp.zip
2007-12-30 20:59 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\Bioshock
2007-12-30 06:46 --------- d-----w C:\Program Files\Paint Shop Pro 5
2007-12-28 05:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 08:14 --------- d-----w C:\Program Files\Steam
2007-12-23 22:47 --------- d-----w C:\Program Files\QuickTime
2007-12-15 22:49 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\LimeWire
2007-12-12 22:22 --------- d-----w C:\Program Files\DOSBox-0.63
2007-12-10 21:25 --------- d-----w C:\Program Files\Bethesda Softworks
2007-12-08 21:12 --------- d-----w C:\Program Files\Daggerfall Jukebox
2007-12-03 22:04 --------- d-----w C:\Program Files\Diablo II
2007-12-03 21:42 --------- d-----w C:\Program Files\Microsoft Games
2007-11-30 23:51 --------- d-----w C:\Program Files\ReflexiveArcade
2007-11-29 03:42 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-11-28 08:55 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-11-27 01:17 --------- d-----w C:\Program Files\VSTPlugins
2007-11-26 23:01 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\Steinberg
2007-11-26 22:59 --------- d-----w C:\Program Files\Steinberg
2007-11-26 22:57 --------- d-----w C:\Program Files\Pinnacle
2007-11-26 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2007-11-26 11:03 --------- d-----w C:\Program Files\Tomb Raider - Legend Demo
2007-11-25 09:18 --------- d-----w C:\Program Files\UT2004Demo
2007-11-25 08:50 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-18 16:33 --------- d-----w C:\Program Files\Winamp
2007-11-14 21:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 21:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-03 03:10 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-11-03 03:10 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-11-02 03:59 42 ----a-w C:\Program Files\Common Files\appop.log
2007-10-24 04:53 6,532,138 ----a-w C:\DBProto_20071023.zip
2007-10-22 08:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-11 22:01 266,508 ----a-w C:\x0xb0x26_Panel.zip
2007-09-07 00:00 101,200 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_06_19_58_33_small.dmp.zip
2007-08-02 14:06 20,256,064 ----a-w C:\Program Files\QuickTimeInstaller.exe
2007-03-09 10:07 1 ----a-w C:\Documents and Settings\Cheshire Cat\SI.bin
.
----a-w 313,472 2007-12-23 14:10:12 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 106,496 2007-12-23 14:09:57 C:\Program Files\AMD\amd_dc_opt\amd_dc_opt .exe
----a-w 185,632 2007-12-23 14:10:02 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 49,152 2007-12-23 14:10:08 C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
----a-w 122,880 2007-12-23 14:10:07 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu .exe
----a-w 32,768 2007-12-23 14:10:05 C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w 579,072 2007-12-23 14:10:11 C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w 270,336 2007-12-23 14:09:57 C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr .exe
----a-w 299,008 2007-12-22 22:02:42 C:\Program Files\InterVideo\Disc Master 2.5\DirectCD .exe
----a-w 132,496 2007-12-23 14:09:58 C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w 1,694,208 2007-12-23 14:10:12 C:\Program Files\Messenger\msmsgs .exe
----a-w 1,003,520 2007-12-23 14:10:05 C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control .exe
----a-w 41,984 2007-12-23 14:10:07 C:\WINDOWS\CTRegRun .EXE
----a-w 90,112 2007-12-23 14:10:02 C:\WINDOWS\UpdReg .EXE
((((((((((((((((((((((((((((( snapshot@2008-01-06_ 6.59.43.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-29 14:32:16 186,608 ----a-w C:\WINDOWS\system32\000050.exe
+ 2007-07-19 20:10:28 127,768 ----a-w C:\WINDOWS\system32\drivers\klif.sys
- 2007-03-09 05:01:24 83,696 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2007-11-14 21:04:52 83,432 ----a-w C:\WINDOWS\system32\vsdata.dll
- 2007-03-09 05:02:10 394,192 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2007-11-14 21:05:16 394,952 ----a-w C:\WINDOWS\system32\vsdatant.sys
- 2007-03-09 05:01:24 157,424 ----a-w C:\WINDOWS\system32\vsinit.dll
+ 2007-11-14 21:04:52 157,160 ----a-w C:\WINDOWS\system32\vsinit.dll
- 2007-03-09 05:01:26 104,176 ----a-w C:\WINDOWS\system32\vsmonapi.dll
+ 2007-11-14 21:04:52 103,912 ----a-w C:\WINDOWS\system32\vsmonapi.dll
- 2007-03-09 05:01:26 276,208 ----a-w C:\WINDOWS\system32\vspubapi.dll
+ 2007-11-14 21:04:52 275,944 ----a-w C:\WINDOWS\system32\vspubapi.dll
- 2007-03-09 05:01:26 71,408 ----a-w C:\WINDOWS\system32\vsregexp.dll
+ 2007-11-14 21:04:52 71,144 ----a-w C:\WINDOWS\system32\vsregexp.dll
- 2007-03-09 05:01:28 472,816 ----a-w C:\WINDOWS\system32\vsutil.dll
+ 2007-11-14 21:04:54 472,552 ----a-w C:\WINDOWS\system32\vsutil.dll
- 2007-03-09 05:01:30 46,832 ----a-w C:\WINDOWS\system32\vswmi.dll
+ 2007-11-14 21:04:54 46,568 ----a-w C:\WINDOWS\system32\vswmi.dll
- 2007-03-09 05:01:30 100,080 ----a-w C:\WINDOWS\system32\vsxml.dll
+ 2007-11-14 21:04:54 99,816 ----a-w C:\WINDOWS\system32\vsxml.dll
- 2007-03-09 05:01:30 83,696 ----a-w C:\WINDOWS\system32\zlcomm.dll
+ 2007-11-14 21:04:56 83,432 ----a-w C:\WINDOWS\system32\zlcomm.dll
- 2007-03-09 05:01:32 71,408 ----a-w C:\WINDOWS\system32\zlcommdb.dll
+ 2007-11-14 21:04:56 71,144 ----a-w C:\WINDOWS\system32\zlcommdb.dll
- 2007-12-31 21:46:24 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2008-01-07 10:34:20 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
- 2007-03-09 05:01:10 362,280 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
+ 2007-11-14 21:04:44 370,208 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
+ 2007-05-31 05:03:30 65,248 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
- 2006-12-19 23:13:50 61,565 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-31 05:03:16 77,824 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
- 2006-12-19 23:13:50 114,813 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-31 05:03:16 110,592 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
- 2006-12-19 23:13:50 307,323 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-31 05:03:16 331,776 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
- 2006-11-30 03:02:26 36,923 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2007-05-31 05:03:16 38,400 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2007-07-19 20:10:32 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
+ 2007-07-19 20:10:32 186,128 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
+ 2007-05-31 05:03:48 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
+ 2007-07-19 20:10:28 127,768 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\klif.sys
+ 2007-05-31 05:03:50 45,056 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
- 2007-01-11 22:31:04 274,514 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2007-09-12 02:09:16 274,432 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2007-05-31 05:03:20 548,864 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-31 05:03:20 626,688 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
- 2006-11-30 03:02:26 184,445 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 05:03:18 184,320 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 05:03:22 90,112 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
- 2006-12-19 23:13:52 94,313 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2007-09-12 02:09:16 135,168 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
- 2007-03-09 05:01:10 100,080 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2007-11-14 21:04:44 99,816 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
- 2007-03-09 05:01:14 128,744 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2007-11-14 21:04:46 128,480 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
- 2007-03-09 05:01:14 38,640 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2007-11-14 21:04:46 38,376 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
- 2007-03-09 05:01:14 321,280 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2007-11-14 21:04:46 321,016 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll
- 2007-03-09 05:02:12 288,408 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2007-11-14 21:05:18 288,144 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
- 2007-03-09 05:02:12 153,240 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2007-11-14 21:05:18 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
- 2007-03-09 05:02:14 26,264 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2007-11-14 21:05:18 26,000 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
- 2007-03-09 05:02:14 1,361,560 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2007-11-14 21:05:18 1,361,296 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
- 2007-03-09 05:02:14 71,320 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2007-11-14 21:05:20 71,056 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
- 2007-03-09 05:04:42 30,448 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2007-11-14 21:06:34 30,184 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
- 2007-03-09 05:04:44 30,480 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-11-14 21:06:36 30,216 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
- 2007-01-18 10:39:16 714,472 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2007-10-19 01:18:38 714,208 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
- 2007-01-18 10:39:16 677,608 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2007-10-19 01:18:38 787,936 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
- 2007-03-09 05:01:20 173,808 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2007-11-14 21:04:48 173,544 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
- 2007-01-18 10:39:18 1,369,832 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2007-10-19 01:18:40 1,500,640 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
- 2007-01-18 10:39:20 50,416 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2007-10-19 01:18:44 51,176 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
- 2007-03-09 05:01:20 456,432 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2007-11-14 21:04:50 456,168 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
- 2007-03-09 05:04:44 210,696 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2007-11-14 21:06:36 214,528 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
- 2007-03-09 05:04:46 3,229,440 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2007-11-14 21:06:36 3,266,040 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
- 2006-10-28 08:03:16 833,520 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2007-10-11 21:50:32 832,984 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
- 2007-03-09 05:01:58 141,104 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2007-11-14 21:05:06 144,936 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
- 2007-03-09 05:01:24 108,272 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2007-11-14 21:04:52 108,008 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
- 2007-03-09 05:01:24 79,600 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2007-11-14 21:04:52 83,432 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
- 2007-03-09 05:01:58 75,568 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2007-11-14 21:05:06 75,304 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
- 2007-03-09 05:01:26 2,025,200 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2007-11-14 21:04:52 2,029,032 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
- 2007-03-09 05:01:28 1,345,264 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2007-11-14 21:04:54 1,361,384 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
- 2007-03-09 05:01:28 243,440 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2007-11-14 21:04:54 239,080 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
- 2007-03-09 05:01:32 177,904 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2007-11-14 21:04:56 177,640 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
- 2007-03-09 05:01:32 79,608 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2007-11-14 21:04:56 79,344 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
- 2007-03-09 05:01:34 378,608 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2007-11-14 21:04:58 382,440 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
- 2007-03-09 05:01:34 120,560 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2007-11-14 21:04:58 120,296 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
.
-- Snapshot reset to current date --
.
Re: new ComboFix log, part 2
Part II of ComboFix log:
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4695AAAF-0803-4CBF-A34D-FDAE34F2DBD2}]
C:\WINDOWS\system32\mlljk.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2006-02-28 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"FIREBOX"="C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe" [ ]
"NvMediaCenter"="RUNDLL32.exe" [2006-02-28 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"CTHelper"="CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 11:49 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuuss]
cbxuuss.dll
R0 ivicd;Ivi CDVD Filter Driver;C:\WINDOWS\system32\drivers\ivicd.sys [2005-01-12 05:29]
S3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys []
S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
S3 iviudf;iviudf;C:\WINDOWS\system32\drivers\IviUdf.sys [2005-06-23 01:09]
S3 MySqlMain;MySqlMain;C:\DEVEL\MYSQL\BIN\MYSQLD MySqlMain []
S3 ps_1394;ps_1394;C:\WINDOWS\system32\Drivers\ps_1394.sys [2004-10-14 17:33]
S3 ps_avs;ps_avs;C:\WINDOWS\system32\Drivers\ps_avs.sys [2004-10-14 17:33]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 21:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-04 10:31:27 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 06:27:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-01-08 6:28:30
ComboFix-quarantined-files.txt 2008-01-08 11:27:40
ComboFix2.txt 2008-01-07 10:21:07
ComboFix3.txt 2008-01-07 00:27:08
ComboFix4.txt 2008-01-06 12:01:14
.
2007-06-26 09:23:06 --- E O F ---
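Added example (not part of the thread, and not a ComboFix or forum-helper tool): a small Python triage script that walks a ComboFix log like the ones above and pulls out the entries a helper would typically ask about first. The heuristics are my own assumptions and produce a review list, not a malware verdict: a Browser Helper Object whose DLL lives in system32, any Winlogon Notify subkey ComboFix chose to show (it hides the defaults), Run values and services whose bracketed file details are empty (ComboFix could not resolve the target), and any path with a space before its extension, which is the reason entries such as `qttask .exe` carry empty details. The sample input is constructed from the shape of the logs above; the regexes and finding names are mine.

```python
"""Triage helper for ComboFix-style logs.

Added example: not ComboFix's own code and not a tool used by the helpers in
the original thread. The heuristics are assumptions of my own and produce a
review list, not a verdict.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed sample input, shaped like the 'Reg Loading Points' and
# space-before-extension sections of the logs in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4695AAAF-0803-4CBF-A34D-FDAE34F2DBD2}]
C:\WINDOWS\system32\mlljk.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02 919280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuuss]
cbxuuss.dll
R0 ivicd;Ivi CDVD Filter Driver;C:\WINDOWS\system32\drivers\ivicd.sys [2005-01-12 05:29]
S3 MySqlMain;MySqlMain;C:\DEVEL\MYSQL\BIN\MYSQLD MySqlMain []
----a-w 41,984 2007-12-23 14:10:07 C:\WINDOWS\CTRegRun .EXE
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # which heuristic fired
    detail: str  # the entry it fired on


# "name"="target" [date size path]   empty brackets: ComboFix found no file
RUN_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>.*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# R0 name;display;path [date]         same convention for drivers/services
SERVICE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<target>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$')
# A drive path whose extension is preceded by whitespace ("qttask .exe")
SPACED_EXT = re.compile(r'(?P<path>[A-Za-z]:\\[^"\[\]]*?\s\.(?:exe|dll|sys|com|scr))\b', re.IGNORECASE)
SYSTEM32 = re.compile(r'^[A-Za-z]:\\windows\\system32\\', re.IGNORECASE)


def triage(log_text: str) -> list[Finding]:
    """Return the review-worthy entries of a ComboFix log, in log order, deduplicated."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()

    def add(kind: str, detail: str) -> None:
        key = (kind, detail.lower())
        if key not in seen:
            seen.add(key)
            findings.append(Finding(kind, detail))

    current_key = ""  # registry key whose target is expected on the next bare line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Heuristic 1: space before the extension, checked on every line of every section.
        for m in SPACED_EXT.finditer(line):
            add("space_before_extension", m.group("path"))
        if line.startswith("("):          # section banner resets the key context
            current_key = ""
            continue
        if line.startswith("[HK"):        # registry key header
            current_key = line.strip("[]").lower()
            continue
        m = RUN_VALUE.match(line)
        if m:                             # Heuristic 2: Run value with no file details
            if not m.group("meta").strip():
                add("unresolved_target", f'{m.group("name")} -> {m.group("target") or "(empty)"}')
            continue
        m = SERVICE.match(line)
        if m:                             # same check for drivers/services
            if not m.group("meta").strip():
                add("unresolved_target", f'{m.group("name")} -> {m.group("target")}')
            continue
        if current_key:                   # bare line right under a key is that key's target
            if "browser helper objects" in current_key and SYSTEM32.match(line):
                add("bho_in_system32", line)                    # Heuristic 3
            elif "winlogon\\notify\\" in current_key:
                subkey = current_key.rsplit("\\", 1)[-1]
                add("winlogon_notify", f"{subkey} -> {line}")   # Heuristic 4
            current_key = ""
    return findings


def main(argv: list[str]) -> int:
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"{f.kind:24} {f.detail}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a saved log with `python triage_combofix.py ComboFix.txt` (the file name is illustrative); with no argument it runs over the constructed sample. Each finding is a (kind, detail) pair, so the list from one run can be diffed against the next in the same way the snapshot section above diffs files between runs. Entries such as the MySQL development service will show up as unresolved targets too; the list is where a reviewer starts, not where the decision is made.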