ComboFix 08-12-07.04 - Kane Hellebust 2008-12-08 20:01:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.734 [GMT -8:00]
Running from: c:\documents and settings\Kane Hellebust\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Kane Hellebust\Application Data\Google\kjzna1562565.exe
c:\documents and settings\Kane Hellebust\Application Data\Google\spcffwl.dll
c:\program files\INSTALL.LOG
c:\windows\system32\CNCFLeAR.DLL
c:\windows\system32\CNCFLeCN.DLL
c:\windows\system32\CNCFLeCZ.DLL
c:\windows\system32\CNCFLeDE.DLL
c:\windows\system32\CNCFLeDK.DLL
c:\windows\system32\CNCFLeES.DLL
c:\windows\system32\CNCFLeFI.DLL
c:\windows\system32\CNCFLeFR.DLL
c:\windows\system32\CNCFLeGR.DLL
c:\windows\system32\CNCFLeHU.DLL
c:\windows\system32\CNCFLeID.DLL
c:\windows\system32\CNCFLeIT.DLL
c:\windows\system32\CNCFLeKR.DLL
c:\windows\system32\CNCFLeNL.DLL
c:\windows\system32\CNCFLeNO.DLL
c:\windows\system32\CNCFLePL.DLL
c:\windows\system32\CNCFLePT.DLL
c:\windows\system32\CNCFLeRU.DLL
c:\windows\system32\CNCFLeSE.DLL
c:\windows\system32\CNCFLeTH.DLL
c:\windows\system32\CNCFLeTR.DLL
c:\windows\system32\CNCFLeTW.DLL
.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.
2067-02-24 15:21 . 2003-02-05 04:02 79,947 --a------ c:\windows\fw20.vxd
2008-12-08 19:51 . 2008-12-08 19:51 d-------- c:\program files\Trend Micro
2008-12-08 19:15 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-08 19:15 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-08 19:14 . 2008-12-08 19:14 d--h----- c:\program files\CanonBJ
2008-12-08 19:14 . 2008-12-08 19:14 d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2008-12-08 19:06 . 2007-05-15 00:49 362,496 --a------ c:\windows\system32\CNMNPPM.DLL
2008-12-08 19:06 . 2007-05-15 00:49 142,336 --a------ c:\windows\system32\CNMNPUI.DLL
2008-12-08 19:06 . 2007-03-20 09:14 117,850 --a------ c:\windows\system32\Cnmnput.chm
2008-12-08 18:57 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-12-08 18:57 . 2004-08-03 23:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-12-08 08:11 . 2008-12-08 08:11 61,440 --a------ c:\windows\system32\drivers\ntbu.sys
2008-12-07 22:26 . 2008-12-08 08:12 d-------- c:\program files\SpywareGuard
2008-12-07 22:21 . 2008-12-07 22:25 d-------- c:\program files\SpywareBlaster
2008-12-07 22:03 . 2008-12-07 22:03 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-07 22:03 . 2008-12-07 22:03 d-------- c:\documents and settings\Kane Hellebust\Application Data\Malwarebytes
2008-12-07 22:03 . 2008-12-07 22:03 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-07 22:03 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-07 22:03 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-07 14:37 . 2008-12-07 14:37 d-------- c:\program files\Common Files\Adobe AIR
2008-12-07 14:24 . 2008-12-07 20:30 d-------- c:\program files\NOS
2008-12-07 14:24 . 2008-12-07 20:30 d-------- c:\documents and settings\All Users\Application Data\NOS
2008-11-18 21:01 . 2008-11-19 08:29 d-------- C:\bin
2008-11-18 20:21 . 2008-11-18 20:21 d-------- c:\windows\Sun
2008-11-18 19:22 . 2008-11-18 19:22 d-------- c:\program files\Lavalys
2008-11-17 21:18 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-17 21:17 . 2008-12-07 20:49 d-------- c:\program files\Java
2008-11-17 21:15 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-13 22:41 . 2007-01-25 21:55 83,760 -ra------ c:\windows\system32\SilSupp.cpl
2008-11-13 22:41 . 2007-01-25 21:55 69,168 -ra------ c:\windows\system32\drivers\SI3112.sys
2008-11-13 22:41 . 2007-01-25 21:55 17,328 -ra------ c:\windows\system32\drivers\SiWinAcc.sys
2008-11-13 22:41 . 2007-01-25 21:55 12,464 -ra------ c:\windows\system32\drivers\SiRemFil.sys
2008-11-11 16:06 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2008-11-11 16:01 . 2008-11-11 16:08 d-------- c:\program files\John Deere American Builder Deluxe
2008-11-10 22:24 . 2008-12-07 14:56 69 --a------ c:\windows\NeroDigital.ini
2008-11-10 22:21 . 2008-11-10 22:21 d-------- c:\program files\MSBuild
2008-11-10 22:17 . 2008-11-10 22:17 d-------- c:\windows\system32\XPSViewer
2008-11-10 22:17 . 2008-11-10 22:17 d-------- c:\program files\Reference Assemblies
2008-11-10 22:16 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-11-10 20:39 . 2008-11-10 20:41 d-------- c:\documents and settings\Kane Hellebust\Application Data\Nero
2008-11-10 19:49 . 2008-11-10 19:49 4,767 --a------ c:\windows\Irremote.ini
2008-11-10 19:43 . 2008-11-10 19:43 d-------- c:\program files\Windows Sidebar
2008-11-10 18:53 . 2008-11-10 19:47 d-------- c:\program files\Nero
2008-11-10 18:52 . 2008-11-10 21:02 d-------- c:\program files\Common Files\Nero
2008-11-10 18:52 . 2008-11-10 19:26 d-------- c:\documents and settings\All Users\Application Data\Nero
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 03:50 --------- d-----w c:\documents and settings\All Users\Application Data\AVG7
2008-12-08 04:43 --------- d-----w c:\program files\Yahoo!
2008-12-08 04:41 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 03:49 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-07 23:33 --------- d-----w c:\documents and settings\Kane Hellebust\Application Data\uTorrent
2008-12-07 01:02 --------- d-----w c:\program files\Google
2008-11-19 03:19 --------- d-----w c:\program files\Creative
2008-11-11 10:07 --------- d-----w c:\program files\SpyHunter
2008-11-11 10:03 --------- d-----w c:\program files\CCleaner
2008-11-11 09:51 --------- d-----w c:\documents and settings\Kane Hellebust\Application Data\Lavasoft
2008-11-11 09:39 --------- d-----w c:\program files\Norton Antivirus
2008-11-11 06:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-11 02:46 --------- d-----w c:\program files\Ahead
2008-11-05 07:27 --------- d-----w c:\program files\Common Files\DirectX
2008-10-24 21:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 21:15 --------- d-----w c:\program files\PIXELA
2008-10-24 21:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-10-24 20:59 --------- d-----w c:\documents and settings\Kane Hellebust\Application Data\SUPERAntiSpyware.com
2008-10-24 20:57 --------- d-----w c:\program files\SUPERAntiSpyware
2008-10-15 06:47 --------- d-----w c:\program files\Land Desktop 3
2008-10-15 06:16 --------- d-----w c:\program files\Acoustica MP3 CD Burner
2008-10-15 04:39 --------- d-----w c:\program files\7-Zip
2008-10-15 04:27 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-15 02:39 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-04-02 04:43 256 ----a-w c:\documents and settings\Kane Hellebust\pool.bin
1997-06-23 20:06 287,504 --sha-w c:\windows\system32\Msxbse35.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Kane Hellebust\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\program files\ffdshow\ffdshow.ax
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LiveNote"=livenote.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\liveupd.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Gnucleus\\Gnucleus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\DRIVERS\anvioctl.sys [2004-02-16 219104]
R1 ANVOSDNT;ASUS Keyboard Filter Driver;c:\windows\system32\DRIVERS\anvosdnt.sys [2004-02-16 322859]
R2 dmsmbios;dmsmbios;\??\c:\windows\System32\dmsmbios.sys [2000-05-03 16480]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-30 935208]
R3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\c:\windows\System32\DRIVERS\ASPI32.sys [2008-11-05 16512]
S3 McAfeePF;McAfee Firewall Network Filter Miniport;c:\windows\system32\DRIVERS\fw220.sys []
S3 PCIDATA;PCIDATA;\??\E:\PCIDATA.sys []
S3 V0230Vfx;V0230Vfx;c:\windows\system32\DRIVERS\V0230Vfx.sys [2006-03-24 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\DRIVERS\V0230VID.sys [2006-09-29 500480]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53619aaf-3d13-11d9-b401-0007e9dfb692}]
\Shell\AutoRun\command - F:\PortableRoboForm.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-08 c:\windows\Tasks\Ad-Aware.job
- c:\program files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe []

2007-01-19 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe []

2008-12-08 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 13:45]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Smax4 - c:\documents and settings\Kane Hellebust\Application Data\Google\kjzna1562565.exe
HKCU-Run-RemoteControl - (no file)
HKLM-Run-RemoteCenter - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\CTSUEng.ocx - c:\windows\Downloaded Program Files\CTSUEngn.ocx
O16 -: {6C269571-C6D7-4818-BCA4-32A035E8C884}
hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
c:\windows\Downloaded Program Files\CTSUEng.inf

FireFox -: Profile - c:\documents and settings\Kane Hellebust\Application Data\Mozilla\Firefox\Profiles\lria1u3f.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 20:03:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-08 20:05:08
ComboFix-quarantined-files.txt 2008-12-09 04:04:49

Pre-Run: 3,693,527,040 bytes free
Post-Run: 3,669,491,712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

216 --- E O F --- 2008-11-11 11:34:00