S&D, HJT, TrendMicro AV, RootkitBuster all abort and then are blocked from re-running

Hi,

Is your system Media Center Edition or some other (to check, right-click "My Computer")? Please post the contents of your c:\boot.ini file.
 
Per My Computer > Properties, it's Media Center.

BOOT.INI-
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows XP Media Center Edition" /noexecute=optin /fastdetect
 
Hi,

Kindly replace the current c:\boot.ini contents with this:
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
Reboot and you should get to Windows without that bootup menu screen. When that's done, get a fresh copy of ComboFix and then drag the WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe file onto it. Post back the resultant ComboFix log.
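The defect in the posted boot.ini is that the [boot loader] default names \WINDOWS while the only [operating systems] entry names \WINNT, so NTLDR has no matching entry and shows the boot menu. The following is an added example (not from the thread or from ComboFix) that parses a boot.ini, reports that mismatch, rewrites the entry to the directory Windows actually lives in, and reports whether a Recovery Console entry is present. It assumes a single OS entry and uses the /cmdcons switch as the marker for the Recovery Console entry, which is the form that entry normally takes but is not shown anywhere on this page; the sample file is the one posted above.

```python
"""Check a Windows XP boot.ini for the defect in the thread: the [boot loader] default
ARC path names no [operating systems] entry, so NTLDR presents a boot menu."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the boot.ini exactly as posted in the thread above.
POSTED_BOOT_INI = r"""[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows XP Media Center Edition" /noexecute=optin /fastdetect
"""

SECTION = re.compile(r"^\[(.+)\]$")


def parse_boot_ini(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return ({loader option: value}, [(ARC path, rest of line), ...]) without altering the text."""
    loader: Dict[str, str] = {}
    systems: List[Tuple[str, str]] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        key, _, value = line.partition("=")   # split at the first '=' only; switches keep theirs
        if section == "boot loader":
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            systems.append((key.strip(), value.strip()))
    return loader, systems


def check_boot_ini(text: str) -> List[str]:
    """List the problems NTLDR would trip over; an empty list means the file is consistent."""
    loader, systems = parse_boot_ini(text)
    problems: List[str] = []
    default = loader.get("default")
    if default is None:
        problems.append("[boot loader] has no default= line")
    elif not any(path.lower() == default.lower() for path, _ in systems):
        problems.append(f"default {default} matches no [operating systems] entry")
    if not systems:
        problems.append("[operating systems] is empty")
    return problems


def has_recovery_console(text: str) -> bool:
    """True when an [operating systems] entry carries the /cmdcons switch.

    Assumption: the Recovery Console registers itself as an entry with that switch; the
    thread never shows such a line, which is consistent with the user's "still no RC".
    """
    _, systems = parse_boot_ini(text)
    return any("/cmdcons" in rest.lower() for _, rest in systems)


def repair_os_entry(text: str, actual_system_dir: str) -> str:
    """Rewrite the single OS entry so its ARC path ends in the directory Windows really uses.

    `actual_system_dir` must be confirmed on disk first (ComboFix reports c:\\windows in
    this thread, hence "WINDOWS"); rewriting it blindly just moves the problem.
    """
    loader, systems = parse_boot_ini(text)
    if len(systems) != 1:
        raise ValueError("expected exactly one [operating systems] entry")
    path, rest = systems[0]
    base = path.rsplit("\\", 1)[0]                 # keep multi(0)disk(0)rdisk(0)partition(1)
    fixed_path = f"{base}\\{actual_system_dir}"
    lines = ["[boot loader]"]
    for key, value in loader.items():
        lines.append(f"{key}={fixed_path}" if key == "default" else f"{key}={value}")
    lines.append("[operating systems]")
    lines.append(f"{fixed_path}={rest}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for problem in check_boot_ini(POSTED_BOOT_INI):
        print("problem:", problem)
    print("recovery console present:", has_recovery_console(POSTED_BOOT_INI))
    print(repair_os_entry(POSTED_BOOT_INI, "WINDOWS"))
```

The repaired output is the same text the helper asked for. The directory name passed to repair_os_entry must come from looking at the disk (or, as here, from a log that shows c:\windows), never from the broken file itself.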
 
ComboFix 09-08-10.06 - Owner 08/11/2009 23:49.10.1 - NTFSx86
Running from: c:\cfix\ComboFix.exe
Command switches used :: c:\cfix\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe.bad
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.

2009-08-11 07:04 . 2009-08-11 07:04 -------- d-----w- c:\program files\ESET
2009-08-11 06:43 . 2009-08-11 06:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-11 06:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-11 06:42 . 2009-08-11 06:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-11 06:42 . 2009-08-11 06:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
2009-08-08 08:21 . 2009-08-12 06:48 -------- d-----w- C:\CFIx
2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
2009-08-02 07:35 . 2009-08-03 23:51 -------- d-----w- C:\SDfix
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
2009-07-25 06:51 . 2009-08-11 18:30 -------- d-----w- c:\program files\Hero Editor
2009-07-25 06:51 . 2009-08-11 18:29 249856 ------w- c:\windows\Setup1.exe
2009-07-25 06:51 . 2009-08-11 18:29 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom
2009-07-13 19:16 . 2009-07-13 20:39 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 19:16 . 2009-07-13 20:39 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 19:16 . 2009-07-13 20:39 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-13 18:55 . 2009-07-13 20:41 35715 ----a-w- c:\windows\DIIUnin.dat
2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-13 18:43 . 2009-08-11 15:29 -------- d-----w- c:\program files\Diablo II
2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 05:05 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
2009-08-11 19:39 . 2009-03-20 02:31 145920 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-11 06:54 . 2009-02-27 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 06:33 . 2006-11-24 14:59 -------- d-----w- c:\program files\Java
2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
2009-07-11 20:32 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 06:07 . 2009-02-06 02:39 -------- d-----w- c:\program files\Safari
2009-06-14 06:03 . 2009-06-14 06:03 -------- d-----w- c:\program files\iPod
2009-06-14 06:03 . 2008-11-07 21:40 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 06:00 . 2009-06-14 06:00 -------- d-----w- c:\program files\QuickTime
2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-13 18:55 . 2009-06-13 18:55 -------- d-----w- c:\program files\Virtual Magnifying Glass
2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-10_19.11.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-12 06:44 . 2009-08-12 06:44 16384 c:\windows\temp\Perflib_Perfdata_458.dat
+ 2009-08-11 06:49 . 2009-08-11 06:49 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-08-11 06:43 . 2009-08-11 06:43 20480 c:\windows\Installer\64295.msi
+ 2009-08-11 06:42 . 2009-08-11 06:42 26624 c:\windows\Installer\6428f.msi
+ 2009-08-11 06:14 . 2009-08-11 06:14 57344 c:\windows\ERDNT\subs\Users\00000008\UsrClass.dat
+ 2009-08-11 06:14 . 2009-08-11 06:14 8192 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-11 06:14 . 2009-08-11 06:14 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 149280 c:\windows\system32\javaws.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 145184 c:\windows\system32\javaw.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 145184 c:\windows\system32\java.exe
+ 2009-08-11 06:14 . 2009-08-11 06:14 696320 c:\windows\ERDNT\subs\Users\00000007\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 241664 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 245760 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 06:54 . 2009-08-11 06:54 1757696 c:\windows\Installer\6429f.msi
+ 2009-08-11 06:44 . 2009-08-11 06:44 3938816 c:\windows\Installer\6429b.msi
+ 2009-08-11 06:14 . 2009-08-11 06:14 4173824 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 clr_optimization_v2.0.50727_32Messenger;.NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32Messenger;ð%€|x srv [x]
R2 COMSysAppCOMSysApp;COM+ System Application COMSysAppCOMSysApp;ð%€|x srv [x]
R2 EventSystemNtmsSvc;COM+ Event System EventSystemNtmsSvc;ð%€|x srv [x]
R2 IDriverTRasAuto;InstallDriver Table Manager IDriverTRasAuto;ð%€|x srv [x]
R2 IDriverTRemoteRegistry;InstallDriver Table Manager IDriverTRemoteRegistry;ð%€|x srv [x]
R2 Messengertmproxy;Messenger Messengertmproxy;ð%€|x srv [x]
R2 NetDDETermService;Network DDE NetDDETermService;ð%€|x srv [x]
R2 RasManBrowser;Remote Access Connection Manager RasManBrowser;ð%€|x srv [x]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
R2 tmproxyS24EventMonitor;Trend Micro Proxy Service tmproxyS24EventMonitor;ð%€|x srv [x]
R2 UPSupnphost;Uninterruptible Power Supply UPSupnphost;ð%€|x srv [x]
R2 UPSupnphostSharedAccess;Uninterruptible Power Supply UPSupnphost UPSupnphostSharedAccess;ð%€|x srv [x]
R2 wuauservTermService;Automatic Updates wuauservTermService;ð%€|x srv [x]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]

.
Contents of the 'Scheduled Tasks' folder

2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

2009-08-11 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: weather.gov\radar
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 23:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32Messenger]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysAppCOMSysApp]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystemNtmsSvc]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverTRasAuto]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverTRemoteRegistry]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messengertmproxy]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDETermService]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasManBrowser]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmproxyS24EventMonitor]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSupnphost]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSupnphostSharedAccess]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauservTermService]
"ImagePath"="ð%€|x\01\09 srv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2836)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-08-12 23:56
ComboFix-quarantined-files.txt 2009-08-12 06:56
ComboFix2.txt 2009-08-10 19:16

Pre-Run: 60,878,532,608 bytes free
Post-Run: 60,883,005,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe.bad
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

296 --- E O F --- 2009-08-02 22:01
 
I ran ComboFix with the RC install file, but still no RC. And I'm not able to delete the \cmdcons folder to uninstall RC. I get a message that files are in use.
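The service listing in the log above contains two kinds of R2 entries: ones with a real image path and a date/size, and ones whose ImagePath is a run of bytes that is not a path at all, whose file is marked "[x]" (not on disk), and whose names read like two stock XP service names glued together (EventSystem + NtmsSvc, RasMan + Browser, wuauserv + TermService). The following is an added example, not part of the thread and not ComboFix code, that pulls those entries out of a ComboFix log for a triager to look at; it does not decide whether they are malicious. The sample lines are copied from the log above, and the list of stock service names is a small assumed subset of Windows XP's, used only for the concatenation heuristic.

```python
"""Triage the service lines of a ComboFix log for entries that deserve a closer look."""
import re
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the service listing in the
# ComboFix log above. The ImagePath bytes of the odd entries are reproduced as
# the page shows them (the log itself carries them mis-encoded).
SAMPLE_LOG = r"""
R2 EventSystemNtmsSvc;COM+ Event System EventSystemNtmsSvc;ð%€|x srv [x]
R2 RasManBrowser;Remote Access Connection Manager RasManBrowser;ð%€|x srv [x]
R2 UPSupnphostSharedAccess;Uninterruptible Power Supply UPSupnphost UPSupnphostSharedAccess;ð%€|x srv [x]
R2 wuauservTermService;Automatic Updates wuauservTermService;ð%€|x srv [x]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
"""

# Assumption: a short subset of stock Windows XP service names, used only to spot
# names built by gluing two or more legitimate names together.
KNOWN_SERVICE_NAMES = {
    "browser", "comsysapp", "eventsystem", "messenger", "netdde", "ntmssvc",
    "rasauto", "rasman", "remoteregistry", "sharedaccess", "termservice",
    "ups", "upnphost", "wuauserv",
}

# ComboFix service line: "<R|S><n> <name>;<display name>;<image path> [<date> <size>]",
# with "[x]" in place of date/size when the image file is not on disk.
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")

# Image paths ComboFix prints normally start with a drive letter or an NT-style root.
PLAUSIBLE_PATH = re.compile(r'^"?(?:[a-z]:\\|\\\?\?\\|\\systemroot\\|%systemroot%\\|system32\\)', re.I)


def split_known_names(name: str) -> Optional[List[str]]:
    """Return the parts if `name` is a concatenation of two or more known service names."""
    lowered = name.lower()
    best: Dict[int, Optional[List[str]]] = {0: []}   # best[i]: parts covering lowered[:i]
    for end in range(1, len(lowered) + 1):
        best[end] = None
        for start in range(end):
            if best[start] is not None and lowered[start:end] in KNOWN_SERVICE_NAMES:
                best[end] = best[start] + [lowered[start:end]]
                break
    parts = best[len(lowered)]
    return parts if parts and len(parts) >= 2 else None


def triage_services(log_text: str) -> Dict[str, List[str]]:
    """Map each service name worth a second look to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        match = SERVICE_LINE.match(line.strip())
        if not match:
            continue
        _start_type, name, _display, image, tail = match.groups()
        reasons: List[str] = []
        if not PLAUSIBLE_PATH.match(image):
            reasons.append("ImagePath is not a filesystem path")
        if any(ord(ch) < 32 or ord(ch) > 126 for ch in image):
            reasons.append("ImagePath contains non-printable or non-ASCII bytes")
        if tail == "x":
            reasons.append("image file not found on disk")
        parts = split_known_names(name)
        if parts:
            reasons.append("name is a concatenation of known service names: " + "+".join(parts))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for service, why in triage_services(SAMPLE_LOG).items():
        print(service)
        for reason in why:
            print("   -", reason)
```

Run against the full log, the same four checks also pull out the remaining R2 entries with the "ð%€|x srv [x]" image path, while the Trend Micro, PostgreSQL and driver entries pass untouched. The concatenation heuristic only knows the names in KNOWN_SERVICE_NAMES, so extend that set before relying on it elsewhere.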
 
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe.bad

Take off that bolded part (.bad) of the file name. Then try drag 'n' drop again. If it still doesn't install, run ComboFix normally and let it install RC if asked for permission.
 
Doh! I forgot I'd done that when I was trying to uninstall RC, to make sure something wasn't running it.

Dropped the .bad, ran CF with it, but still no RC. Also, I still can't delete the \cmdcons folder. I searched the registry and can't find any reference to that path.

==================================

ComboFix 09-08-10.06 - Owner 08/12/2009 10:49.11.1 - NTFSx86
Running from: c:\cfix\ComboFix.exe
Command switches used :: c:\cfix\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.

2009-08-11 07:04 . 2009-08-11 07:04 -------- d-----w- c:\program files\ESET
2009-08-11 06:43 . 2009-08-11 06:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-11 06:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-11 06:42 . 2009-08-11 06:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-11 06:42 . 2009-08-11 06:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
2009-08-08 08:21 . 2009-08-12 17:46 -------- d-----w- C:\CFIx
2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
2009-08-02 07:35 . 2009-08-03 23:51 -------- d-----w- C:\SDfix
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
2009-07-25 06:51 . 2009-08-11 18:30 -------- d-----w- c:\program files\Hero Editor
2009-07-25 06:51 . 2009-08-11 18:29 249856 ------w- c:\windows\Setup1.exe
2009-07-25 06:51 . 2009-08-11 18:29 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom
2009-07-13 19:16 . 2009-07-13 20:39 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 19:16 . 2009-07-13 20:39 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 19:16 . 2009-07-13 20:39 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-13 18:55 . 2009-07-13 20:41 35715 ----a-w- c:\windows\DIIUnin.dat
2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-13 18:43 . 2009-08-11 15:29 -------- d-----w- c:\program files\Diablo II

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 05:05 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
2009-08-11 06:54 . 2009-02-27 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 06:33 . 2006-11-24 14:59 -------- d-----w- c:\program files\Java
2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition
2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
2009-07-11 20:32 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 06:07 . 2009-02-06 02:39 -------- d-----w- c:\program files\Safari
2009-06-14 06:03 . 2009-06-14 06:03 -------- d-----w- c:\program files\iPod
2009-06-14 06:03 . 2008-11-07 21:40 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 06:00 . 2009-06-14 06:00 -------- d-----w- c:\program files\QuickTime
2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-13 18:55 . 2009-06-13 18:55 -------- d-----w- c:\program files\Virtual Magnifying Glass
2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-10_19.11.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-12 07:23 . 2009-08-12 07:23 16384 c:\windows\temp\Perflib_Perfdata_45c.dat
+ 2009-08-11 06:49 . 2009-08-11 06:49 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-08-11 06:43 . 2009-08-11 06:43 20480 c:\windows\Installer\64295.msi
+ 2009-08-11 06:42 . 2009-08-11 06:42 26624 c:\windows\Installer\6428f.msi
+ 2009-08-11 06:14 . 2009-08-11 06:14 57344 c:\windows\ERDNT\subs\Users\00000008\UsrClass.dat
+ 2009-08-11 06:14 . 2009-08-11 06:14 8192 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-11 06:14 . 2009-08-11 06:14 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 149280 c:\windows\system32\javaws.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 145184 c:\windows\system32\javaw.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 145184 c:\windows\system32\java.exe
+ 2009-08-11 06:14 . 2009-08-11 06:14 696320 c:\windows\ERDNT\subs\Users\00000007\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 241664 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 245760 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 06:14 . 2009-08-11 06:14 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 06:54 . 2009-08-11 06:54 1757696 c:\windows\Installer\6429f.msi
+ 2009-08-11 06:44 . 2009-08-11 06:44 3938816 c:\windows\Installer\6429b.msi
+ 2009-08-11 06:14 . 2009-08-11 06:14 4173824 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 clr_optimization_v2.0.50727_32Messenger;.NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32Messenger;ð%€|x srv [x]
R2 COMSysAppCOMSysApp;COM+ System Application COMSysAppCOMSysApp;ð%€|x srv [x]
R2 EventSystemNtmsSvc;COM+ Event System EventSystemNtmsSvc;ð%€|x srv [x]
R2 IDriverTRasAuto;InstallDriver Table Manager IDriverTRasAuto;ð%€|x srv [x]
R2 IDriverTRemoteRegistry;InstallDriver Table Manager IDriverTRemoteRegistry;ð%€|x srv [x]
R2 Messengertmproxy;Messenger Messengertmproxy;ð%€|x srv [x]
R2 NetDDETermService;Network DDE NetDDETermService;ð%€|x srv [x]
R2 RasManBrowser;Remote Access Connection Manager RasManBrowser;ð%€|x srv [x]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
R2 tmproxyS24EventMonitor;Trend Micro Proxy Service tmproxyS24EventMonitor;ð%€|x srv [x]
R2 UPSupnphost;Uninterruptible Power Supply UPSupnphost;ð%€|x srv [x]
R2 UPSupnphostSharedAccess;Uninterruptible Power Supply UPSupnphost UPSupnphostSharedAccess;ð%€|x srv [x]
R2 wuauservTermService;Automatic Updates wuauservTermService;ð%€|x srv [x]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]

.
Contents of the 'Scheduled Tasks' folder

2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

2009-08-12 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: weather.gov\radar
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 10:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32Messenger]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysAppCOMSysApp]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystemNtmsSvc]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverTRasAuto]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverTRemoteRegistry]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messengertmproxy]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDETermService]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasManBrowser]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmproxyS24EventMonitor]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSupnphost]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSupnphostSharedAccess]
"ImagePath"="ð%€|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauservTermService]
"ImagePath"="ð%€|x\01\09 srv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1336)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(3952)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-08-12 10:56
ComboFix-quarantined-files.txt 2009-08-12 17:56
ComboFix2.txt 2009-08-12 06:56
ComboFix3.txt 2009-08-10 19:16

Pre-Run: 60,833,611,776 bytes free
Post-Run: 60,792,598,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

298 --- E O F --- 2009-08-02 22:01
 
Forum schedule?

What are your "forum hours"? With our time difference (I'm GMT -8), I'm not sure when to look for your posts, and I hate to lose half a day like last night (your yesterday?), because I didn't know it was your "in" time.

Thank you again for all the time and effort
 
Hi,

Finland is on GMT +2 timezone.


Also, I still can't delete the \cmdcons folder.
Let that folder be. I didn't remember to say that in my previous post.


Open notepad and copy/paste the text in the quotebox below into it:

Code:
Driver::
clr_optimization_v2.0.50727_32Messenger
COMSysAppCOMSysApp
EventSystemNtmsSvc
IDriverTRasAuto
IDriverTRemoteRegistry
Messengertmproxy
NetDDETermService
RasManBrowser
tmproxyS24EventMonitor
UPSupnphost
UPSupnphostSharedAccess
wuauservTermService

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=-


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[image: CFScriptB-4.gif]


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe. Let ComboFix update itself and also install the recovery console if it asks for permission to do so.
Then post the resultant log & a fresh dds.txt log.


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Let that folder be. I didn't remember to say that in my previous post.

Yesterday you posted-

...Seems that for some reason recovery console (RC) for home edition got installed while media center edition needs same RC as pro edition.

You tried earlier to run ComboFix with WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe. Do you still have the file available? If you do, please see here under "Removing the Recovery Console" -part to uninstall present RC and then run ComboFix with correct RC file. When done, post ComboFix log back here.

The uninstall instructions you linked to directed me to delete c:\cmldrs. and the c:\cmdcons folder
 
And I said "I didn't remember to say that in my previous post." That means I forgot to say that you should skip deleting that folder if it fails. Sorry for not telling this clearly enough.
 
ComboFix with latest script

ComboFix 09-08-10.06 - Owner 08/12/2009 23:06.12.1 - NTFSx86
Running from: c:\cfix\ComboFix.exe
Command switches used :: c:\cfix\CFscript.txt
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLR_OPTIMIZATION_V2.0.50727_32MESSENGER
-------\Legacy_COMSYSAPPCOMSYSAPP
-------\Legacy_EVENTSYSTEMNTMSSVC
-------\Legacy_IDRIVERTRASAUTO
-------\Legacy_IDRIVERTREMOTEREGISTRY
-------\Legacy_MESSENGERTMPROXY
-------\Legacy_NETDDETERMSERVICE
-------\Legacy_RASMANBROWSER
-------\Legacy_TMPROXYS24EVENTMONITOR
-------\Legacy_UPSUPNPHOST
-------\Legacy_UPSUPNPHOSTSHAREDACCESS
-------\Legacy_WUAUSERVTERMSERVICE
-------\Service_clr_optimization_v2.0.50727_32Messenger
-------\Service_COMSysAppCOMSysApp
-------\Service_EventSystemNtmsSvc
-------\Service_IDriverTRasAuto
-------\Service_IDriverTRemoteRegistry
-------\Service_Messengertmproxy
-------\Service_NetDDETermService
-------\Service_RasManBrowser
-------\Service_tmproxyS24EventMonitor
-------\Service_UPSupnphost
-------\Service_UPSupnphostSharedAccess
-------\Service_wuauservTermService


((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.

2009-08-11 07:04 . 2009-08-11 07:04 -------- d-----w- c:\program files\ESET
2009-08-11 06:43 . 2009-08-11 06:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-11 06:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-11 06:42 . 2009-08-11 06:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-11 06:42 . 2009-08-11 06:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
2009-08-08 08:21 . 2009-08-13 06:06 -------- d-----w- C:\CFIx
2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
2009-08-02 07:35 . 2009-08-03 23:51 -------- d-----w- C:\SDfix
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
2009-07-25 06:51 . 2009-08-11 18:30 -------- d-----w- c:\program files\Hero Editor
2009-07-25 06:51 . 2009-08-11 18:29 249856 ------w- c:\windows\Setup1.exe
2009-07-25 06:51 . 2009-08-11 18:29 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 20:03 . 2009-07-13 18:43 -------- d-----w- c:\program files\Diablo II
2009-08-12 05:05 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
2009-08-11 06:54 . 2009-02-27 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 06:33 . 2006-11-24 14:59 -------- d-----w- c:\program files\Java
2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
2009-07-13 20:41 . 2009-07-13 18:55 35715 ----a-w- c:\windows\DIIUnin.dat
2009-07-13 20:39 . 2009-07-13 19:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 20:39 . 2009-07-13 19:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 20:39 . 2009-07-13 19:16 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition
2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
2009-07-11 20:32 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-10_19.11.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-11 06:49 . 2009-08-11 06:49 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-08-11 06:43 . 2009-08-11 06:43 20480 c:\windows\Installer\64295.msi
+ 2009-08-11 06:42 . 2009-08-11 06:42 26624 c:\windows\Installer\6428f.msi
+ 2009-08-13 06:10 . 2009-08-13 06:10 57344 c:\windows\ERDNT\subs\Users\00000008\UsrClass.dat
+ 2009-08-13 06:10 . 2009-08-13 06:10 8192 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-13 06:10 . 2009-08-13 06:10 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 149280 c:\windows\system32\javaws.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 145184 c:\windows\system32\javaw.exe
+ 2009-08-11 06:54 . 2009-08-11 06:54 145184 c:\windows\system32\java.exe
+ 2009-08-13 06:10 . 2009-08-13 06:10 696320 c:\windows\ERDNT\subs\Users\00000007\NTUSER.DAT
+ 2009-08-13 06:10 . 2009-08-13 06:10 241664 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2009-08-13 06:10 . 2009-08-13 06:10 249856 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-10 19:09 . 2009-08-10 19:09 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-13 06:10 . 2009-08-13 06:10 241664 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-11 06:54 . 2009-08-11 06:54 1757696 c:\windows\Installer\6429f.msi
+ 2009-08-11 06:44 . 2009-08-11 06:44 3938816 c:\windows\Installer\6429b.msi
+ 2009-08-13 06:10 . 2009-08-13 06:10 4173824 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]

.
Contents of the 'Scheduled Tasks' folder

2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

2009-08-12 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: weather.gov\radar
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 23:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1692)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wdfmgr.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
.
**************************************************************************
.
Completion time: 2009-08-13 23:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 06:16
ComboFix2.txt 2009-08-12 17:56
ComboFix3.txt 2009-08-12 06:56
ComboFix4.txt 2009-08-10 19:16

Pre-Run: 60,768,055,296 bytes free
Post-Run: 60,740,837,376 bytes free

304 --- E O F --- 2009-08-02 22:01
 
Disabling TrendMicro

FYI -- It looks like part of the CFscript you had me run was intended to disable TrendMicro. TrendMicro 2009 includes a separate utility called TISTOOL that can be used to start/stop all components of TrendMicro.
 
Hi,

Those TM-related values determine whether Windows will notify you when the TM firewall or AV program is disabled. If those values are present and set, you won't get a notification. Normally those values are not needed. Remember that I'm not giving instructions to make system weaker ;)

Post a fresh dds.txt log and let me know how's the system running, please.
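The two `DisableMonitoring` values the reply above refers to live under `HKLM\software\microsoft\security center\Monitoring\<product>` in the ComboFix "Reg Loading Points" section; when set to 1, Security Center stays silent if that product's protection is turned off. The checker below is an added example, not code from this thread, from ComboFix or from Trend Micro: it parses the REGEDIT4-style block that ComboFix prints and flags the settings that suppress Security Center warnings. The sample input is constructed from the key paths in this thread's own log; the `AntiVirusDisableNotify`, `FirewallDisableNotify` and `UpdatesDisableNotify` value names are real Security Center switches on XP SP2 that do not appear in this thread and are included so the check goes slightly beyond the page's specific case.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, shaped like the "Reg Loading Points" block of a ComboFix
# log. The first three keys mirror entries in this thread; the last key uses
# real Security Center value names that are not in the thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# (key path, value name, why it matters)
Finding = Tuple[str, str, str]

# Real Security Center notification switches (REG_DWORD, nonzero = suppressed).
_NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


def parse_reg_section(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4-style block into {key_path: {value_name: raw_value}}.

    The REGEDIT4 header, '*Note*' lines and '.' separators that ComboFix adds
    match neither pattern and are skipped. Key paths are lower-cased so the
    checks below are case-insensitive.
    """
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip()
    return entries


def reg_int(raw: str) -> Optional[int]:
    """Turn a value as ComboFix prints it into an int, or None if non-numeric.

    ComboFix prints REG_DWORD either as 'dword:00000001' or as '0 (0x0)'.
    """
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(-?\d+)", raw)
    return int(m.group(1)) if m else None


def find_notification_suppression(entries: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag registry values that keep Security Center quiet about disabled protection."""
    findings: List[Finding] = []
    for key, values in entries.items():
        if "\\security center\\monitoring\\" in key:
            # Per-product switch: nonzero means no warning when this product is off.
            if reg_int(values.get("DisableMonitoring", "")):
                product = key.rsplit("\\", 1)[-1]
                findings.append((key, "DisableMonitoring",
                                 f"Security Center will not warn when '{product}' is disabled"))
        elif key.endswith("\\security center"):
            # Global per-category switches.
            for name in _NOTIFY_VALUES:
                if reg_int(values.get(name, "")):
                    findings.append((key, name, "Security Center alerts for this category are suppressed"))
        elif "\\firewallpolicy\\" in key and key.endswith("profile"):
            # Windows Firewall itself turned off for this profile; expected only
            # while a third-party firewall (Trend Micro here) is active.
            if reg_int(values.get("EnableFirewall", "")) == 0:
                findings.append((key, "EnableFirewall",
                                 "Windows Firewall is off for this profile"))
    return findings


def report(text: str) -> List[str]:
    """One human-readable line per finding, for pasting back into a thread."""
    return [f"{name} under [{key}]: {why}" for key, name, why in
            find_notification_suppression(parse_reg_section(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Feed it the "Reg Loading Points" section of a real log and read the output as a prompt for judgement, not a verdict: in this thread the Trend Micro entries are there because a third-party suite commonly silences the duplicate Windows alerts about its own components, which is exactly the point the reply above makes.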
 
Remember that I'm not giving instructions to make system weaker ;)

Of course. I was just passing on an easy way to enable/disable TrendMicro while running other tools.

Here's the latest DDS-
p.s. should I be including ATTACH.TXT, or do you just need the DDS log?

=====================================

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 12:12:10.65 on Thu 08/13/2009
Internet Explorer: 7.0.5730.13
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\owner.your-25a3bd3417\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: weather.gov\radar
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://www.tmremote.com/sdccommon/download/tgctlcm.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-08-12 10:48 <DIR> --d----- C:\cmdcons
2009-08-11 00:04 <DIR> --d----- c:\program files\ESET
2009-08-10 23:54 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-10 09:49 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\Malwarebytes
2009-08-10 09:49 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 09:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-10 09:49 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-10 09:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 01:21 <DIR> --d----- C:\CFIx
2009-08-06 14:37 <DIR> --ds---- C:\test
2009-08-06 12:42 0 a------- C:\settings.dat
2009-08-06 12:42 1,055,676 a------- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 12:33 <DIR> --d----- C:\Autoruns
2009-08-06 12:33 576,280 a------- C:\Autoruns.zip
2009-08-06 12:20 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-06 12:15 <DIR> --d----- c:\windows\system32\Service
2009-08-06 12:06 216,064 a------- c:\windows\PEV.exe
2009-08-06 12:06 161,792 a------- c:\windows\SWREG.exe
2009-08-06 12:06 98,816 a------- c:\windows\sed.exe
2009-08-06 11:10 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\SupportSoft
2009-08-06 11:07 <DIR> --d----- c:\program files\tmRemoteProdPID
2009-08-06 11:07 <DIR> --d----- c:\program files\common files\supportsoft
2009-08-05 11:52 <DIR> --d----- C:\Pesticide
2009-08-03 17:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-03 17:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-02 02:15 <DIR> --d----- c:\documents and settings\owner.your-25a3bd3417\.housecall6.6
2009-08-02 00:50 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-02 00:49 <DIR> --d----- c:\windows\ERUNT
2009-08-02 00:35 <DIR> --d----- C:\SDfix
2009-08-01 15:28 153,104 a------- c:\windows\system32\tmcomm.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmevtmgr.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmactmon.sys
2009-08-01 15:10 <DIR> --d----- c:\documents and settings\owner.your-25a3bd3417\log
2009-08-01 11:59 <DIR> --d----- c:\windows\LocalSSL
2009-07-25 12:10 <DIR> --d----- c:\docume~1\owner~1.you\applic~1\GetRightToGo
2009-07-24 23:51 <DIR> --d----- c:\program files\Hero Editor
2009-07-24 23:51 249,856 -------- c:\windows\Setup1.exe
2009-07-24 23:51 73,216 a------- c:\windows\ST6UNST.EXE
2009-07-24 21:55 <DIR> --d----- c:\program files\Shared
2009-07-20 10:41 <DIR> --d----- c:\program files\DoylesRoom

==================== Find3M ====================

2009-08-10 23:54 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-13 13:41 35,715 a------- c:\windows\DIIUnin.dat
2009-07-13 13:39 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-07-13 13:39 17,212 a------t c:\windows\system32\SIntf32.dll
2009-07-13 13:39 12,067 a------t c:\windows\system32\SIntf16.dll
2009-07-13 11:55 94,208 a------- c:\windows\DIIUnin.exe
2009-07-13 11:55 2,829 a------- c:\windows\DIIUnin.pif
2009-07-10 09:05 12,692 a------- c:\windows\W3DemoUnin.dat
2009-07-10 09:04 126,976 a------- c:\windows\W3DemoUnin.exe
2009-07-10 09:04 2,829 a------- c:\windows\W3DemoUnin.pif
2009-07-05 17:29 102,400 a------- c:\windows\DIIDUnin.exe
2009-07-05 17:29 19,143 a------- c:\windows\DIIDUnin.dat
2009-07-05 17:29 2,829 a------- c:\windows\DIIDUnin.pif
2009-06-29 09:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-11-30 21:26 34,472 a------- c:\docume~1\owner~1.you\applic~1\GDIPFONTCACHEV1.DAT
2008-03-05 11:18 0 a------- c:\docume~1\owner~1.you\applic~1\wklnhst.dat

============= FINISH: 12:12:27.29 ===============
 
. . . and let me know how's the system running, please.

Except for not being able to successfully install Recovery Console (which isn't affecting the system use - just odd), everything seems to be fine. No mystery windows or unidentified processes trying to "phone home" :D:
 
Yes, that recovery console thing is a bit mysterious. Could you download a fresh copy of ComboFix and then run it to see if it asks permission to install RC (let it install if asked)?
 
Yes, that recovery console thing is a bit mysterious. Could you download a fresh copy of ComboFix and then run it to see if it asks permission to install RC (let it install if asked)?

Just to clarify -- every time I run CF (without using the RC installer to launch it), it warns that RC is not installed and prompts me to let CF install it. If I let CF download/install RC, it goes through the process, reports that RC was successfully installed, and continues on with its scan.

I'll try it again with a fresh copy of CF.
 
-ran combofix /u
-deleted combofix.exe and the RC installer
-downloaded a fresh copy of combofix from bleepingcomputer.com
-ran combofix and let it install

=Combofix still gets the same two "access denied"s when it first happens, then 3 more after RC is installed.
=Still no RC entry in the startup

Here's the latest combofix log-

ComboFix 09-08-10.06 - Owner 08/13/2009 23:06.13.1 - NTFSx86
Running from: c:\documents and settings\Owner.YOUR-25A3BD3417\Desktop\COMBOF1X.exe.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.

2009-08-11 07:04 . 2009-08-11 07:04 -------- d-----w- c:\program files\ESET
2009-08-11 06:43 . 2009-08-11 06:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-11 06:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-11 06:42 . 2009-08-11 06:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-11 06:42 . 2009-08-11 06:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
2009-08-08 08:21 . 2009-08-14 06:03 -------- d-----w- C:\CFIx
2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
2009-07-25 06:51 . 2009-08-11 18:30 -------- d-----w- c:\program files\Hero Editor
2009-07-25 06:51 . 2009-08-11 18:29 249856 ------w- c:\windows\Setup1.exe
2009-07-25 06:51 . 2009-08-11 18:29 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 02:40 . 2009-07-13 18:43 -------- d-----w- c:\program files\Diablo II
2009-08-13 23:15 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
2009-08-13 16:41 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
2009-08-11 06:54 . 2009-02-27 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 06:33 . 2006-11-24 14:59 -------- d-----w- c:\program files\Java
2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
2009-07-13 20:41 . 2009-07-13 18:55 35715 ----a-w- c:\windows\DIIUnin.dat
2009-07-13 20:39 . 2009-07-13 19:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 20:39 . 2009-07-13 19:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 20:39 . 2009-07-13 19:16 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition
2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]

.
Contents of the 'Scheduled Tasks' folder

2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

2009-08-13 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: weather.gov\radar
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 23:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1340)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(6920)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-08-14 23:12
ComboFix-quarantined-files.txt 2009-08-14 06:12
ComboFix2.txt 2009-08-13 06:16

Pre-Run: 60,747,603,968 bytes free
Post-Run: 60,730,408,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

231 --- E O F --- 2009-08-02 22:01
 