ComboFix 08-03-30.4 - Ryan 2008-03-31 19:57:43.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.380 [GMT -2.5:30]
Running from: C:\Users\Ryan\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\Users\Ryan\Desktop\blackbird.jpg
C:\Users\Ryan\Desktop\EditorFKWP1.5.exe
C:\Users\Ryan\Desktop\EditorFKWP2.0.exe
C:\Users\Ryan\Desktop\fkwp1.5.exe
C:\Users\Ryan\Desktop\fkwp2.0.exe
C:\Users\Ryan\Desktop\Trojan.Win32.BlackBird.exe
C:\Windows\FVProtect.exe
C:\Windows\mslagent
C:\Windows\mslagent\2_mslagent.dll
C:\Windows\mslagent\mslagent.exe
C:\Windows\mslagent\uninstall.exe
C:\Windows\rs.txt
C:\Windows\Web\def.htm
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 22:31 --------- d-----w C:\Users\Ryan\AppData\Roaming\DNA
2008-03-30 21:23 --------- d-----w C:\Program Files\Trend Micro
2008-03-30 19:44 --------- d-----w C:\Users\Ryan\AppData\Roaming\BitTorrent
2008-03-30 19:39 --------- d-----w C:\Users\Ryan\AppData\Roaming\Grisoft
2008-03-30 19:38 --------- d-----w C:\ProgramData\Grisoft
2008-03-30 16:45 --------- d-----w C:\Users\Ryan\AppData\Roaming\STOIK
2008-03-30 16:45 --------- d-----w C:\Program Files\STOIK Imaging
2008-03-30 16:33 --------- d-----w C:\Users\Ryan\AppData\Roaming\BearShare
2008-03-29 18:48 --------- d-----w C:\Program Files\Yahoo!
2008-03-29 01:49 86,528 ----a-w C:\Windows\System32\VACFix.exe
2008-03-28 09:51 --------- d-----w C:\ProgramData\Lavasoft
2008-03-28 09:48 --------- d-----w C:\Program Files\Lavasoft
2008-03-28 09:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 11:20 82,432 ----a-w C:\Windows\System32\IEDFix.exe
2008-03-23 02:23 --------- d-----w C:\ProgramData\Yahoo!
2008-03-15 13:32 22 ----a-w C:\Users\All Users\ReturnCounter.dat
2008-03-15 13:32 22 ----a-w C:\ProgramData\ReturnCounter.dat
2008-03-15 12:34 --------- d-----w C:\Program Files\Phanku eTaxCanada 2007
2008-03-12 05:42 --------- d-----w C:\Program Files\Windows Mail
2008-03-12 05:36 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-05 00:49 --------- d-----w C:\Program Files\Instant CD & DVD Burner
2008-03-02 17:39 --------- d-----w C:\Program Files\Xvid
2008-02-29 00:55 --------- d-----w C:\Users\Ryan\AppData\Roaming\Elluminate
2008-02-20 12:32 --------- d-----w C:\ProgramData\Office Genuine Advantage
2008-02-14 15:49 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-14 15:49 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-14 15:42 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-14 15:42 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-14 15:42 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-14 15:42 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-14 15:42 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-14 15:42 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-14 15:42 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-14 15:40 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-14 15:40 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-14 15:40 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-14 15:40 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-14 15:40 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-14 15:39 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 15:39 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 15:39 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 15:39 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 15:39 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 15:39 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-14 15:05 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-14 15:05 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-14 15:04 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-14 15:04 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-06 06:31 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-04 22:29 --------- d-----w C:\Program Files\Rainbow Technologies
2008-02-04 22:07 --------- d-----w C:\Program Files\ESRI
2008-02-04 22:06 --------- d-----w C:\Users\Ryan\AppData\Roaming\ESRI
2008-02-04 21:52 --------- d-----w C:\ProgramData\ESRI
2008-02-04 21:52 --------- d-----w C:\Program Files\Common Files\ESRI
2008-02-04 21:51 --------- d-----w C:\Program Files\ArcGIS
2008-02-04 21:50 --------- d-----w C:\Program Files\Leica Geosystems
2008-02-03 16:24 --------- d-----w C:\Users\Ryan\AppData\Roaming\LimeWire
2008-02-01 21:50 --------- d-----w C:\Program Files\LimeWire
2008-02-01 21:40 --------- d-----w C:\Program Files\Ares
2008-02-01 21:22 --------- d-----w C:\Program Files\BearShare Applications
2008-01-19 20:57 229,888 ----a-w C:\Windows\System32\msshsq.dll
2008-01-10 05:50 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-01-09 06:32 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2007-12-14 14:02 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2007-12-13 22:05 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-13 22:05 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-13 22:05 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-08 13:04 174 --sha-w C:\Program Files\desktop.ini
2007-12-08 12:39 8,192 ----a-w C:\Windows\System32\riched32.dll
2007-12-08 12:37 87,040 ----a-w C:\Windows\System32\msoert2.dll
2007-12-08 12:37 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2007-12-08 12:37 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2007-12-08 12:35 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-12-08 12:35 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-12-08 12:35 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-12-08 12:35 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-12-08 12:35 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-12-08 12:35 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-12-08 12:35 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-12-08 12:35 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-12-08 12:35 2,923,520 ----a-w C:\Windows\explorer.exe
2007-12-08 12:35 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-12-08 12:32 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2007-12-08 12:32 376,320 ----a-w C:\Windows\System32\winsrv.dll
2007-12-08 12:21 414,208 ----a-w C:\Windows\System32\msscp.dll
2007-12-08 12:19 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2007-12-08 12:19 7,680 ----a-w C:\Windows\System32\spwmp.dll
2007-12-08 12:19 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2007-12-08 12:19 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2007-12-08 12:17 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2007-12-08 12:17 61,952 ----a-w C:\Windows\System32\cmifw.dll
2007-12-08 12:17 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2007-12-08 12:17 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2007-12-08 12:17 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2007-12-08 12:17 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2007-12-08 12:14 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
2007-12-08 12:13 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2007-12-08 12:11 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-12-08 12:11 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-12-08 12:02 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 04:02 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 10:04 2159104 C:\Windows\System32\oobefldr.dll]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 10:05 125440]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-18 20:02 171448]
"BitTorrent DNA"="C:\Users\Ryan\Program Files\DNA\btdna.exe" [2008-03-28 22:08 288576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 21:35 200704]
"BurnQuick Queue"="C:\Program Files\BurnQuick\BQTray.exe" [2007-09-01 14:27 49152]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 06:55 6731312]

C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-12-02 20:36:46 557568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"HjfnwIoLfU"= C:\ProgramData\rsnozato\vwvefena.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1B3DB89A-F5A7-49C8-BF26-6F10B83D7A27}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{CAF5073B-2C19-41EB-AFA8-AAC2F80610F7}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{7C1F7874-419E-449C-ABA3-2A41267545EA}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{8CE5ED71-063D-4BC7-861F-0A37E574A459}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{E388FA1F-6269-4F6C-BE36-AFF381FA07D8}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8C2A6BA2-9E61-453E-A645-1B8B201197C6}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{2E5EE33A-F57B-4696-984B-6C9F71FA04D1}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{F27363B1-1D4F-4291-94E0-D8FF95FCC853}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{480D15B6-AE2B-432C-8611-7771573631D2}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{C5E6FD5A-316F-42B5-8C65-977143777CAF}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{311E2913-5386-4280-A3FA-E8F35622BD85}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{55298B93-F4F2-47BC-A1DD-BE1BE9DCDE6B}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{A3C14A61-CC3D-4D10-8F49-61C2041D3941}C:\\program files\\bearshare applications\\bearshare\\bearshare.exe"= UDP:C:\program files\bearshare applications\bearshare\bearshare.exe:BearShare
"UDP Query User{D75C2FC2-88CB-411D-95FD-B9434C0FB37A}C:\\program files\\bearshare applications\\bearshare\\bearshare.exe"= TCP:C:\program files\bearshare applications\bearshare\bearshare.exe:BearShare
"TCP Query User{010F1C26-DD9E-4CBA-9204-FBAF67BD15A3}C:\\program files\\ares\\ares.exe"= UDP:C:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{88D2B9F7-E4FC-401E-9141-87B2161F2BCA}C:\\program files\\ares\\ares.exe"= TCP:C:\program files\ares\ares.exe:Ares p2p for windows
"TCP Query User{3737C091-3163-4D2D-B3C2-A38FEB300D7D}C:\\program files\\java\\jre1.6.0_03\\bin\\javaw.exe"= UDP:C:\program files\java\jre1.6.0_03\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{AA91A095-9CB1-48E9-BC04-280F81E84000}C:\\program files\\java\\jre1.6.0_03\\bin\\javaw.exe"= TCP:C:\program files\java\jre1.6.0_03\bin\javaw.exe:Java(TM) Platform SE binary
"{ACCCBF33-236B-4E28-880C-09E4C89C86D0}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D00121FC-70A6-4E43-9E58-F35A341C3A68}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{647E52C6-EB5D-4484-82AF-36E91D2B336E}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{522E0793-53A8-45B5-9DF0-CDE4856F251B}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 05:00]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-01-19 01:03]
R3 VST_DPV;VST_DPV;C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 05:11]
R3 VSTHWATI;VSTHWATI;C:\Windows\system32\DRIVERS\VSTATI3.SYS [2006-11-02 05:11]
S0 OemBiosDevice;Royalty OEM BIOS Extension;C:\Windows\system32\DRIVERS\royal.sys [2007-03-02 10:49]
S2 ArcGIS License Manager;ArcGIS License Manager;C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe [1999-12-01 13:38]
.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 19:07:26 C:\Windows\Tasks\User_Feed_Synchronization-{082C516C-27E8-4410-9FB4-74962EC78A15}.job" - C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 20:01:14
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-31 20:02:17
ComboFix-quarantined-files.txt 2008-03-31 22:32:13
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
.
2008-03-26 09:38:18 --- E O F ---