ComboFix 09-05-08.03 - Netterville 09/05/2009 11:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.893 [GMT -6:00]
Running from: c:\documents and settings\Netterville\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Netterville\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Netterville\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\Netterville\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Netterville\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\afnoinkdsfe.dll
c:\windows\system32\ak1.exe
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\system32\dadataso.exe
c:\windows\system32\drivers\ovfsthcmigebdhjbqtsmbmcuduueafesytsevo.sys
c:\windows\system32\ovfsthacqbuognppvxyvkwpuasxrqihnkmdyww.dll
c:\windows\system32\ovfsthacqbuognppvxyvkwpuasxrqihnkmdyww.dll_old
c:\windows\system32\ovfsthflueiuufvorwjifmwinlsqftlkddgfnj.dll
c:\windows\system32\ovfsthsexwkqbcjmdbhgiymaxeobciqdqoiror.dat
c:\windows\system32\ovfsthstthmpivbnhtkhxwwnvhteryelcewhej.dat
c:\windows\system32\ovfsthvsccjcugdwwysfimnuajwtccsdcyscec.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\winglsetup.exe
c:\windows\Temp\1887832358.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_ovfsthxsavhvotwixlkaggbykqqyclmdniustp
((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))
.
2009-05-09 02:21 . 2009-05-09 02:21 -------- d-----w c:\program files\Trend Micro
2009-05-06 13:31 . 2009-05-08 08:07 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-06 13:00 . 2009-03-11 04:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-05-06 13:00 . 2009-05-06 13:00 -------- d-----w c:\windows\system32\KB905474
2009-05-06 13:00 . 2009-03-11 04:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-06 04:15 . 2009-05-06 04:15 23040 ----a-w c:\windows\system32\loader49.exe
2009-05-06 03:36 . 2009-05-06 03:36 -------- d-----w c:\documents and settings\Netterville\Application Data\ptidle
2009-04-29 21:19 . 2009-04-29 21:19 41808 ----a-w c:\windows\system32\xfcodec.dll
2009-04-29 06:08 . 2009-04-29 06:08 -------- d-----w c:\program files\Steinberg
2009-04-29 06:07 . 2009-04-29 06:07 -------- d-----w c:\program files\Peavey Electronics
2009-04-29 06:07 . 2009-04-29 06:29 -------- d-----w c:\documents and settings\Netterville\Application Data\REAPER
2009-04-29 06:07 . 2009-04-29 06:30 -------- d-----w c:\program files\REAPER
2009-04-22 08:01 . 2009-04-22 08:01 74824 ----a-w c:\documents and settings\Netterville\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 13:10 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 13:10 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 13:10 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 13:10 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 13:10 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 13:10 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 13:10 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 13:10 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 13:10 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 13:07 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 13:07 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 04:13 . 2007-04-19 18:37 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-21 06:03 . 2008-07-08 01:09 72387 ----a-w c:\windows\War3Unin.dat
2009-03-21 05:20 . 2006-12-28 03:27 74824 ----a-w c:\documents and settings\Netterville\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-17 01:58 . 2007-12-13 18:32 -------- d-----w c:\program files\Google
2009-03-16 04:23 . 2008-01-12 04:13 -------- d-----w c:\program files\Winamp
2009-03-14 20:04 . 2009-03-14 20:04 -------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2009-03-14 20:04 . 2009-03-14 20:04 -------- d-----w c:\program files\Common Files\Intuit
2009-03-06 14:22 . 2004-08-04 07:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 07:56 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 09:57 . 2007-07-22 03:31 138584 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-28 09:57 . 2007-07-22 03:31 189672 ----a-w c:\windows\system32\PnkBstrB.exe
2009-02-27 05:40 . 2007-07-22 03:30 70968 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 07:56 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 07:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-04 07:56 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 07:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-08-04 06:17 1846784 ----a-w c:\windows\system32\win32k.sys
2007-11-04 03:22 . 2007-10-20 18:02 2828 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"igndlm.exe"="e:\programs\IGN Download Manager\Download Manager\DLM.exe" [2007-03-05 1103480]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-30 4891984]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-4-9 692224]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nokia Nseries PC Suite.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Nokia Nseries PC Suite.lnk
backup=c:\windows\pss\Nokia Nseries PC Suite.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Programs\\World of Warcraft\\BackgroundDownloader.exe"=
"e:\\Programs\\Halo\\halo.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Programs\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"e:\\Programs\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"e:\\Programs\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"e:\\Programs\\Halo - Custom Edition\\haloce.exe"=
"e:\\Programs\\Xfire\\xfire.exe"=
"e:\\Programs\\Steam\\SteamApps\\popamunts\\counter-strike source\\hl2.exe"=
"e:\\Programs\\Gunz\\Gunz.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Programs\\Trillian\\trillian.exe"=
"e:\\Programs\\BattleField\\BF2142.exe"=
"e:\\Programs\\Command & Conquer 3 - Tiberium Wars\\RetailExe\\1.0\\cnc3game.dat"=
"e:\\Programs\\Command & Conquer 3 - Tiberium Wars\\RetailExe\\1.6\\cnc3game.dat"=
"e:\\Programs\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Programs\\Steam\\Steam.exe"=
"e:\\Programs\\Steam\\steam\\games\\portal.ico"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"e:\\Programs\\Azureus\\Azureus.exe"=
"e:\\Programs\\Crysis\\Bin32\\Crysis.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\HydraIRC\\HydraIRC.exe"=
"p:\\Gears Of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"e:\\Programs\\TmNationsForever\\TmForever.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"p:\\Program Files\\Veoh\\VeohClient.exe"=
"e:\\Programs\\Warcraft III\\Warcraft III.exe"=
"e:\\Programs\\Call of Duty 4\\iw3mp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Programs\\Warcraft III\\war3.exe"=
"e:\\Programs\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Programs\\Steam\\steamapps\\popamunts\\garrysmod\\hl2.exe"=
"e:\\Programs\\Steam\\steamapps\\chaser1337\\counter-strike source\\hl2.exe"=
"e:\\Programs\\Steam\\steamapps\\chaser1337\\source sdk base 2007\\hl2.exe"=
"e:\\Programs\\World of Warcraft\\Launcher.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader Port 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader Port 6112
"58788:TCP"= 58788:TCP:Pando P2P TCP Listening Port
"58788:UDP"= 58788:UDP:Pando P2P UDP Listening Port
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [29/01/2009 10:03 PM 2749736]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [29/01/2009 10:03 PM 15656]
S2 gupdate1c9a6a3781a67aa;Google Update Service (gupdate1c9a6a3781a67aa);c:\program files\Google\Update\GoogleUpdate.exe [16/03/2009 7:55 PM 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [02/08/2005 3:10 PM 32512]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [25/01/2008 3:12 AM 25088]
S3 XDva009;XDva009;\??\c:\windows\system32\XDva009.sys --> c:\windows\system32\XDva009.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys --> c:\windows\system32\XDva090.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6db73110-7c12-11dc-aee4-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe /autorun
\Shell\directx\command - d:\directx\dxsetup.exe
\Shell\setup\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
2008-11-02 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4217539597.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 23:56]
2009-05-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-17 01:55]
2009-05-09 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 04:18]
.
- - - - ORPHANS REMOVED - - - -
BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
HKCU-Run-Google Update - c:\documents and settings\Netterville\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
Notify-__c0026DDA - (no file)
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Netterville\Application Data\Mozilla\Firefox\Profiles\wnapstea.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kevinandkell.com/
FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: e:\programs\IGN Download Manager\Download Manager\npfpdlm.dll
FF - plugin: e:\programs\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: e:\programs\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: p:\program files\Veoh\Plugins\noreg\NPVeohVersion.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-05-09 11:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1644491937-1637723038-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:89,76,f9,e9,03,89,f6,82,ce,7f,7e,63,ac,9e,d0,41,45,0f,46,96,75,4c,5c,
fd,4c,f9,12,89,65,d9,c9,9f,91,ba,cb,be,0c,9b,d4,8f,29,3b,f5,94,bd,6a,b9,e6,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2496)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\program files\Bonjour\mDNSResponder.exe
e:\programs\Mabinogi\npkcmsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2009-05-09 11:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-09 17:38
Pre-Run: 13,747,253,248 bytes free
Post-Run: 13,680,046,080 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
267 --- E O F --- 2009-05-06 13:00