-
Hi mxmstrs
Run the ComboFix scan again
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Thanks peku006
-
ComboFix 08-08-14.01 - Owner 2008-08-14 18:16:52.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.674 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.
/wow section - STAGE 40
The syntax of the command is incorrect.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.
2008-08-11 14:04 . 2008-08-12 18:37 <DIR> d-------- C:\WINDOWS\system32\kBin02
2008-08-11 14:04 . 2008-08-11 14:04 <DIR> d-------- C:\Temp\epr1
2008-08-11 14:04 . 2008-08-12 18:37 <DIR> d-------- C:\Temp
2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-09 13:29 . 2008-08-09 13:32 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-09 13:29 . 2008-08-14 18:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Program Files\FireTrust
2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Program Files\BillP Studios
2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinPatrol
2008-08-09 13:19 . 2008-08-10 08:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SiteHound
2008-08-08 20:36 . 2008-08-08 20:36 <DIR> d-------- C:\WINDOWS\Sun
2008-08-08 20:29 . 2008-08-08 20:29 <DIR> d-------- C:\Program Files\Java
2008-08-08 20:29 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-08 20:27 . 2008-08-08 20:27 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-07 20:40 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-07 20:40 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 20:27 . 2008-08-06 20:27 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-08-06 17:05 . 2008-08-06 17:05 <DIR> d-------- C:\Program Files\100% Free Hearts Toolbar
2008-08-03 11:52 . 2008-08-09 14:16 <DIR> d-------- C:\Program Files\iTunes
2008-08-03 11:52 . 2008-08-03 11:52 <DIR> d-------- C:\Program Files\iPod
2008-08-03 11:52 . 2008-08-03 11:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-08-03 11:51 . 2008-08-09 14:14 <DIR> d-------- C:\Program Files\QuickTime
2008-08-03 11:51 . 2008-08-09 14:15 <DIR> d-------- C:\Program Files\Bonjour
2008-08-03 11:50 . 2008-08-03 11:50 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-03 11:50 . 2008-08-09 14:13 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-03 11:50 . 2008-08-06 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-31 18:57 . 2008-07-31 18:57 <DIR> d-------- C:\Program Files\DreamQuest
2008-07-26 22:51 . 2008-07-26 22:51 0 --a------ C:\WINDOWS\system32\SigUpdRequest_1217127097.tmp
2008-07-26 21:38 . 2008-08-14 18:14 245,544 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2008-07-26 21:38 . 2008-08-14 18:20 1,204 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2008-07-26 21:36 . 2008-08-14 18:14 245,544 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-07-26 21:36 . 2007-07-11 11:39 191,672 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2008-07-26 21:36 . 2007-05-11 09:33 132,920 --a------ C:\WINDOWS\system32\drivers\NETFLTDI.SYS
2008-07-26 21:36 . 2007-05-11 09:33 71,736 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2008-07-26 21:36 . 2007-05-11 09:33 51,256 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2008-07-26 21:36 . 2007-05-11 09:33 37,304 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2008-07-26 21:36 . 2007-05-11 09:33 30,648 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2008-07-26 21:36 . 2007-05-11 09:33 22,072 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2008-07-26 21:36 . 2008-08-14 18:20 1,204 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
2008-07-26 21:20 . 2008-07-26 21:20 261 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-07-26 21:19 . 2007-07-12 08:42 292,144 --a------ C:\WINDOWS\system32\PavSHook.dll
2008-07-26 21:19 . 2007-03-13 18:01 161,328 --a------ C:\WINDOWS\system32\TpUtil.dll
2008-07-26 21:19 . 2007-02-08 11:53 107,568 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2008-07-26 21:19 . 2007-02-28 18:04 63,024 --a------ C:\WINDOWS\system32\pavipc.dll
2008-07-26 21:19 . 2007-03-15 19:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
2008-07-26 21:19 . 2007-06-08 08:44 24,760 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2008-07-26 21:18 . 2008-07-26 21:18 <DIR> d-------- C:\WINDOWS\system32\PAV
2008-07-26 21:16 . 2007-07-12 08:49 178,872 -ra------ C:\WINDOWS\system32\drivers\PavProc.sys
2008-07-26 21:16 . 2007-05-23 10:40 38,968 -ra------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2008-07-26 20:24 . 2008-08-14 18:02 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
2008-07-26 20:14 . 2007-06-06 05:43 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2008-07-26 20:13 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-07-26 20:13 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2008-07-26 20:12 . 2003-10-22 18:23 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2008-07-26 20:12 . 2007-04-24 15:43 142,128 --a------ C:\WINDOWS\system32\drivers\netimflt.sys
2008-07-26 20:12 . 2007-02-15 20:02 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2008-07-26 20:12 . 2001-07-30 17:40 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-26 20:12 . 2007-04-24 16:43 1,990 --a------ C:\WINDOWS\system32\drivers\net_m32.inf
2008-07-26 19:55 . 2008-07-26 19:55 0 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2008-07-26 19:40 . 2008-07-26 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-07-26 18:58 . 2008-07-26 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Backup
2008-07-26 18:55 . 2008-07-26 18:55 <DIR> d-------- C:\Program Files\Panda Security
2008-07-26 18:55 . 2008-07-26 18:55 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-07-26 17:59 . 2008-07-26 21:16 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-07-26 17:13 . 2008-08-13 00:19 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-26 17:04 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Program Files\MSBuild
2008-07-26 17:00 . 2008-07-26 17:00 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-26 16:59 . 2008-07-26 16:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-07-26 16:59 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-07-21 19:08 . 2008-07-21 19:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-21 18:32 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-21 18:32 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-21 18:32 . 2008-04-13 14:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-21 18:32 . 2008-04-13 14:45 10,368 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-20 08:31 . 2008-07-20 08:31 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-07-20 08:28 . 2008-07-20 08:32 <DIR> d-------- C:\Program Files\AutoCAD 2006
2008-07-20 08:28 . 2008-07-26 17:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Autodesk
2008-07-20 08:28 . 2008-07-20 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-07-20 08:27 . 2008-07-26 23:44 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-07-20 08:26 . 2008-07-20 08:26 <DIR> d-------- C:\Program Files\Autodesk
2008-07-20 07:48 . 2008-08-06 17:05 <DIR> d-------- C:\Documents and Settings\Administrator.ROBANDSHE
2008-07-19 17:33 . 2008-07-20 07:47 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-18 12:06 . 2008-07-29 19:13 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-18 09:46 . 2008-07-18 09:46 <DIR> d-------- C:\Program Files\Real
2008-07-18 09:45 . 2008-07-19 16:58 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-17 09:38 . 2008-07-20 08:25 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-16 22:26 . 2008-07-16 22:26 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-16 22:26 . 2008-07-16 22:26 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-16 22:25 . 2008-07-16 22:25 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-16 22:25 . 2008-07-16 22:25 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-16 22:23 . 2008-07-16 22:23 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-16 22:15 . 2008-07-16 22:15 <DIR> d-------- C:\WINDOWS\EHome
2008-07-16 22:08 . 2008-04-13 20:12 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-07-16 21:50 . 2008-07-16 21:50 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-07-16 21:11 . 2008-04-13 20:09 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-07-16 21:09 . 2008-07-16 21:09 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-07-16 21:07 . 2004-08-12 09:57 1,361 --a------ C:\WINDOWS\system32\fxscount.h
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-27 03:47 --------- d-----w C:\Program Files\Verizon
2008-07-27 03:45 --------- d-----w C:\Program Files\Common Files\Motive
2008-07-27 00:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-20 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 20:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-19 20:57 --------- d-----w C:\Program Files\NOS
2008-07-18 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-07-18 16:07 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-14 23:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Motive
2008-07-14 23:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Motive
2008-07-10 23:36 --------- d-----w C:\Program Files\GVC Modem User Guide
2008-07-09 22:40 --------- d-----w C:\Program Files\Intel
2008-07-09 22:22 --------- d-----w C:\Program Files\Common Files\Scanner
2008-07-09 22:21 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-06 15:55 --------- d-----w C:\Program Files\Motive
2008-07-05 22:12 --------- d-----w C:\Program Files\Common Files\Authentium
2008-07-04 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-04 23:02 --------- d-----w C:\Program Files\Lavasoft
2008-07-04 23:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-07-04 15:10 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-02 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-07-02 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2008-06-28 12:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSNInstaller
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 12:58 333120]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 16:18:22 10872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 09:33]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 09:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 09:33]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 11:39]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 09:33]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2007-05-23 10:40]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 09:33]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 09:33]
R2 CPoint;Panda CPoint Driver.;C:\WINDOWS\system32\Drivers\cpoint.sys [2007-06-08 08:44]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 08:49]
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 15:43]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 14:56]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7871d40-65c2-11dd-8e27-001111437762}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
Contents of the 'Scheduled Tasks' folder
2008-08-11 C:\WINDOWS\Tasks\Basic clean-up.job
- C:\Program Files\Panda Security\Panda Internet Security 2008\PlaTasks.exe [2007-07-17 15:13]
2008-07-18 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wlxtuf1c.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://finance.yahoo.com/
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 18:20:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrlS.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PAVFNSVR.EXE
C:\Program Files\Common Files\Panda Software\PavShld\PavPrSrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PAVSRV51.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\FIREWALL\PSHost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\apvxdwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SrvLoad.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
.
**************************************************************************
.
Completion time: 2008-08-14 18:23:23 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-14 22:23:19
ComboFix2.txt 2008-08-12 22:47:17
Pre-Run: 71,761,117,184 bytes free
Post-Run: 71,722,278,912 bytes free
228 --- E O F --- 2008-08-14 22:00:15
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:22 PM, on 8/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\Firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\ApvxdWin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Finder.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\Firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
--
End of file - 5836 bytes
-
Hi mxmstrs
1. Run CFScript
Open Notepad and copy/paste the text in the box into the window:
Code:
Folder::
C:\WINDOWS\system32\kBin02
C:\Temp
- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v6...FScriptB-4.gif
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Status Check
Please reply with
1. the ComboFix log
2. a fresh HijackThis log
Thanks peku006
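Added example (not part of this thread, and not code from ComboFix or its author): a small Python triage script showing the reasoning behind the CFScript above. It parses the "Files Created" block and the MountPoints2 autorun entries out of a ComboFix log, flags freshly created folders in locations droppers favour, and emits the same `Folder::` block the helper wrote by hand. The sample log is constructed from lines quoted in the thread; the DROP_ROOTS, NONSTANDARD_ROOTS and KNOWN_GOOD lists are this example's own heuristic, not anything ComboFix defines.

```python
"""Triage a ComboFix log and draft a CFScript 'Folder::' block.

Added example, not part of the original thread or the ComboFix tool.
Assumptions (not from the page): DROP_ROOTS, NONSTANDARD_ROOTS and KNOWN_GOOD
are this example's own triage heuristic.
"""
import re

# Constructed sample: lines copied in the format of the ComboFix log above.
SAMPLE_LOG = r"""((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.
2008-08-11 14:04 . 2008-08-12 18:37 <DIR> d-------- C:\WINDOWS\system32\kBin02
2008-08-11 14:04 . 2008-08-11 14:04 <DIR> d-------- C:\Temp\epr1
2008-08-11 14:04 . 2008-08-12 18:37 <DIR> d-------- C:\Temp
2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-08 20:29 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-07 20:40 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7871d40-65c2-11dd-8e27-001111437762}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
"""

# One 'Files Created' entry: created . modified size|<DIR> attrs path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S{9})\s+(?P<path>.+?)\s*$"
)
MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<guid>\{[^}]+\})\]$", re.I
)
AUTORUN_LINE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+?)\s*$")

# Heuristic (assumption): parents where droppers commonly create fresh folders.
DROP_ROOTS = ("c:\\windows\\system32", "c:\\temp")
# Heuristic (assumption): a newly created folder at one of these paths is itself suspect.
NONSTANDARD_ROOTS = {"c:\\temp"}
# Heuristic (assumption): system32 subfolders produced by normal Windows/vendor installs.
KNOWN_GOOD = {"drvstore", "drivers", "dllcache", "pav", "xpsviewer", "urttemp"}


def parse_files_created(log_text):
    """Return one dict per entry in the 'Files Created' block."""
    entries, in_block = [], False
    for line in log_text.splitlines():
        if "Files Created from" in line:
            in_block = True
            continue
        if in_block and line.startswith("(((("):  # next section header
            break
        m = FILE_LINE.match(line) if in_block else None
        if m:
            d = m.groupdict()
            d["is_dir"] = d["size"] == "<DIR>"
            entries.append(d)
    return entries


def parse_mountpoints_autoruns(log_text):
    """Return [(guid, verb, command)] for per-volume Shell\\*\\command entries."""
    found, guid = [], None
    for line in log_text.splitlines():
        k = MOUNTPOINT_KEY.match(line)
        if k:
            guid = k.group("guid")
            continue
        a = AUTORUN_LINE.match(line)
        if a and guid:
            found.append((guid, a.group("verb"), a.group("cmd")))
        elif line.startswith("[") or line == ".":
            guid = None  # left the MountPoints2 key
    return found


def flag_new_dirs(entries):
    """Directories created under a drop root that are not allow-listed."""
    flagged = []
    for e in entries:
        if not e["is_dir"]:
            continue
        low = e["path"].lower()
        parent, _, name = low.rpartition("\\")
        if low in NONSTANDARD_ROOTS or (parent in DROP_ROOTS and name not in KNOWN_GOOD):
            flagged.append(e["path"])
    return flagged


def collapse(paths):
    """Drop paths whose ancestor is also listed; removing the parent covers them."""
    kept = []
    for p in sorted(set(paths), key=lambda s: (s.count("\\"), s.lower())):
        if not any(p.lower().startswith(k.lower() + "\\") for k in kept):
            kept.append(p)
    return kept


def build_cfscript(folders):
    """CFScript 'Folder::' block in the form used in the thread."""
    return "Folder::\n" + "\n".join(folders) + "\n"


if __name__ == "__main__":
    suspects = collapse(flag_new_dirs(parse_files_created(SAMPLE_LOG)))
    for guid, verb, cmd in parse_mountpoints_autoruns(SAMPLE_LOG):
        print(f"autorun on volume {guid}: {verb} -> {cmd}")
    print(build_cfscript(suspects))
```

The MountPoints2 lines are reported rather than scripted: they are a per-volume autorun record (a removable drive whose autorun.inf launched `Start.exe`), so the fix is to check that drive and the file it names, not to delete the folders the script drafts.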
-
ComboFix 08-08-14.01 - Owner 2008-08-15 16:51:56.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.678 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
/wow section - STAGE 40
The syntax of the command is incorrect.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp
C:\WINDOWS\system32\kBin02
.
((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.
2008-08-15 16:47 . 2008-08-15 16:47 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-09 13:29 . 2008-08-09 13:32 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-09 13:29 . 2008-08-14 18:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Program Files\FireTrust
2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Program Files\BillP Studios
2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinPatrol
2008-08-09 13:19 . 2008-08-10 08:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SiteHound
2008-08-08 20:36 . 2008-08-08 20:36 <DIR> d-------- C:\WINDOWS\Sun
2008-08-08 20:29 . 2008-08-08 20:29 <DIR> d-------- C:\Program Files\Java
2008-08-08 20:29 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-08 20:27 . 2008-08-08 20:27 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-07 20:40 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-07 20:40 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 20:27 . 2008-08-06 20:27 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-08-06 17:05 . 2008-08-06 17:05 <DIR> d-------- C:\Program Files\100% Free Hearts Toolbar
2008-08-03 11:52 . 2008-08-09 14:16 <DIR> d-------- C:\Program Files\iTunes
2008-08-03 11:52 . 2008-08-03 11:52 <DIR> d-------- C:\Program Files\iPod
2008-08-03 11:52 . 2008-08-03 11:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-08-03 11:51 . 2008-08-09 14:14 <DIR> d-------- C:\Program Files\QuickTime
2008-08-03 11:51 . 2008-08-09 14:15 <DIR> d-------- C:\Program Files\Bonjour
2008-08-03 11:50 . 2008-08-03 11:50 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-03 11:50 . 2008-08-09 14:13 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-03 11:50 . 2008-08-06 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-31 18:57 . 2008-07-31 18:57 <DIR> d-------- C:\Program Files\DreamQuest
2008-07-26 22:51 . 2008-07-26 22:51 0 --a------ C:\WINDOWS\system32\SigUpdRequest_1217127097.tmp
2008-07-26 21:38 . 2008-08-15 16:50 245,544 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2008-07-26 21:38 . 2008-08-15 16:50 1,204 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2008-07-26 21:36 . 2008-08-15 16:50 245,544 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-07-26 21:36 . 2007-07-11 11:39 191,672 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2008-07-26 21:36 . 2007-05-11 09:33 132,920 --a------ C:\WINDOWS\system32\drivers\NETFLTDI.SYS
2008-07-26 21:36 . 2007-05-11 09:33 71,736 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2008-07-26 21:36 . 2007-05-11 09:33 51,256 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2008-07-26 21:36 . 2007-05-11 09:33 37,304 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2008-07-26 21:36 . 2007-05-11 09:33 30,648 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2008-07-26 21:36 . 2007-05-11 09:33 22,072 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2008-07-26 21:36 . 2008-08-15 16:50 1,204 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
2008-07-26 21:20 . 2008-07-26 21:20 261 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-07-26 21:19 . 2007-07-12 08:42 292,144 --a------ C:\WINDOWS\system32\PavSHook.dll
2008-07-26 21:19 . 2007-03-13 18:01 161,328 --a------ C:\WINDOWS\system32\TpUtil.dll
2008-07-26 21:19 . 2007-02-08 11:53 107,568 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2008-07-26 21:19 . 2007-02-28 18:04 63,024 --a------ C:\WINDOWS\system32\pavipc.dll
2008-07-26 21:19 . 2007-03-15 19:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
2008-07-26 21:19 . 2007-06-08 08:44 24,760 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2008-07-26 21:18 . 2008-07-26 21:18 <DIR> d-------- C:\WINDOWS\system32\PAV
2008-07-26 21:16 . 2007-07-12 08:49 178,872 -ra------ C:\WINDOWS\system32\drivers\PavProc.sys
2008-07-26 21:16 . 2007-05-23 10:40 38,968 -ra------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2008-07-26 20:24 . 2008-08-14 18:02 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
2008-07-26 20:14 . 2007-06-06 05:43 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2008-07-26 20:13 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-07-26 20:13 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2008-07-26 20:12 . 2003-10-22 18:23 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2008-07-26 20:12 . 2007-04-24 15:43 142,128 --a------ C:\WINDOWS\system32\drivers\netimflt.sys
2008-07-26 20:12 . 2007-02-15 20:02 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2008-07-26 20:12 . 2001-07-30 17:40 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-26 20:12 . 2007-04-24 16:43 1,990 --a------ C:\WINDOWS\system32\drivers\net_m32.inf
2008-07-26 19:55 . 2008-07-26 19:55 0 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2008-07-26 19:40 . 2008-07-26 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-07-26 18:58 . 2008-07-26 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Backup
2008-07-26 18:55 . 2008-07-26 18:55 <DIR> d-------- C:\Program Files\Panda Security
2008-07-26 18:55 . 2008-07-26 18:55 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-07-26 17:59 . 2008-07-26 21:16 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-07-26 17:13 . 2008-08-13 00:19 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-26 17:04 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Program Files\MSBuild
2008-07-26 17:00 . 2008-07-26 17:00 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-26 16:59 . 2008-07-26 16:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-07-26 16:59 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-07-21 19:08 . 2008-07-21 19:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-21 18:32 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-21 18:32 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-21 18:32 . 2008-04-13 14:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-21 18:32 . 2008-04-13 14:45 10,368 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-20 08:31 . 2008-07-20 08:31 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-07-20 08:28 . 2008-07-20 08:32 <DIR> d-------- C:\Program Files\AutoCAD 2006
2008-07-20 08:28 . 2008-07-26 17:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Autodesk
2008-07-20 08:28 . 2008-07-20 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-07-20 08:27 . 2008-07-26 23:44 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-07-20 08:26 . 2008-07-20 08:26 <DIR> d-------- C:\Program Files\Autodesk
2008-07-20 07:48 . 2008-08-06 17:05 <DIR> d-------- C:\Documents and Settings\Administrator.ROBANDSHE
2008-07-19 17:33 . 2008-07-20 07:47 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-18 12:06 . 2008-07-29 19:13 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-18 09:46 . 2008-07-18 09:46 <DIR> d-------- C:\Program Files\Real
2008-07-18 09:45 . 2008-07-19 16:58 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-17 09:38 . 2008-07-20 08:25 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-16 22:26 . 2008-07-16 22:26 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-16 22:26 . 2008-07-16 22:26 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-16 22:25 . 2008-07-16 22:25 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-16 22:25 . 2008-07-16 22:25 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-16 22:23 . 2008-07-16 22:23 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-16 22:15 . 2008-07-16 22:15 <DIR> d-------- C:\WINDOWS\EHome
2008-07-16 22:08 . 2008-04-13 20:12 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-07-16 21:50 . 2008-07-16 21:50 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-07-16 21:11 . 2008-04-13 20:09 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-07-16 21:09 . 2008-07-16 21:09 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-07-16 21:07 . 2004-08-12 09:57 1,361 --a------ C:\WINDOWS\system32\fxscount.h
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-27 03:47 --------- d-----w C:\Program Files\Verizon
2008-07-27 03:45 --------- d-----w C:\Program Files\Common Files\Motive
2008-07-27 00:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-20 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 20:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-19 20:57 --------- d-----w C:\Program Files\NOS
2008-07-18 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-07-18 16:07 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-14 23:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Motive
2008-07-14 23:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Motive
2008-07-10 23:36 --------- d-----w C:\Program Files\GVC Modem User Guide
2008-07-09 22:40 --------- d-----w C:\Program Files\Intel
2008-07-09 22:22 --------- d-----w C:\Program Files\Common Files\Scanner
2008-07-09 22:21 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-06 23:55 1,695,502 --sha-w C:\WINDOWS\system32\ystlesgv.tmp
2008-07-06 15:55 --------- d-----w C:\Program Files\Motive
2008-07-05 22:12 --------- d-----w C:\Program Files\Common Files\Authentium
2008-07-04 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-04 23:02 --------- d-----w C:\Program Files\Lavasoft
2008-07-04 23:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-07-04 15:10 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-02 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-07-02 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2008-06-28 14:17 155,995 ----a-w C:\WINDOWS\java\Packages\9RHJBLVB.ZIP
2008-06-28 12:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSNInstaller
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 12:58 333120]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 16:18:22 10872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 09:33]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 09:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 09:33]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 11:39]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 09:33]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2007-05-23 10:40]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 09:33]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 09:33]
R2 CPoint;Panda CPoint Driver.;C:\WINDOWS\system32\Drivers\cpoint.sys [2007-06-08 08:44]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 08:49]
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 15:43]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 14:56]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7871d40-65c2-11dd-8e27-001111437762}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-08-11 C:\WINDOWS\Tasks\Basic clean-up.job
- C:\Program Files\Panda Security\Panda Internet Security 2008\PlaTasks.exe [2007-07-17 15:13]
2008-07-18 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 16:53:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-15 16:54:24
ComboFix-quarantined-files.txt 2008-08-15 20:54:14
ComboFix2.txt 2008-08-14 22:23:24
ComboFix3.txt 2008-08-12 22:47:17
Pre-Run: 71,685,259,264 bytes free
Post-Run: 71,674,015,744 bytes free
214 --- E O F --- 2008-08-15 00:48:03
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:52 PM, on 8/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\Firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\apvxdwin.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\Trend Micro\HijackThis\Finder.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\Firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
--
End of file - 5836 bytes
-
Hi mxmstrs
Things are looking good. Do you still notice any problems with your computer?
peku006
-
I get no occurrence of virtumonde when scanning with Spybot.
But I do get a recurring WinPatrol File Type Change Alert that states as follows.
"Scotty the windows watchdog is on patrol and has detected a change to one of your file type associations. .SCR
The program currently associated with this file type is
Name
Company Name
%1 %*
A change was made to use the following program for this file type
Name
Company name
%1 /S
Is this change ok?"
I don't know what this all means so I always answer NO.
-
By the way, I will be away from my computer all of this coming week and won't be able to reply during that time. I will reply when I return. Thanks for your help.
-
-
I am absolutely with you. Lately nothing malicious has been popping up. My recent Spybot scans are clean except for an occasional minor tracking cookie. Peku006 has been invaluable in getting rid of virtumonde. My computer has never worked better.
-
Hi mxmstrs
"My computer has never worked better." :yahoo:
The SCR file extension represents a Windows screensaver. Have you tried changing your screensaver?
regards
peku006