ComboFix 09-05-19.08 - Navdeep Bains 05/19/2009 22:32.2 - NTFSx86 NETWORK
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.735.629 [GMT -7:00]
Running from: c:\documents and settings\Navdeep Bains\Desktop\movies2\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\test.txt
c:\winnt1\system32\VBAR332.DLL
c:\winnt1\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2050-04-10 03:30 . 2050-04-10 03:38 -------- d-----w c:\program files\Simply Accounting by Sage Setup Files
2050-04-09 15:12 . 2050-04-09 15:12 36970440 ----a-w C:\Backup001.reg
2050-04-09 15:11 . 2050-04-09 15:11 -------- d-----w C:\Reg Backup
2009-05-15 16:28 . 2009-05-15 16:28 -------- d-----w c:\winnt1\ERUNT
2009-05-15 16:08 . 2009-05-16 00:35 -------- d-----w C:\SDFix
2009-05-15 09:55 . 2009-05-15 09:55 16384 ----atw c:\winnt1\system32\Perflib_Perfdata_1cc.dat
2009-05-15 02:32 . 2009-05-15 02:40 -------- d-----w c:\program files\WhoCrashed
2009-05-14 13:31 . 2009-05-14 13:32 -------- d---a-w c:\documents and settings\All Users.WINNT1\Application Data\Spybot - Search & Destroy
2009-05-14 13:31 . 2009-05-16 01:46 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-13 14:58 . 2009-05-18 07:16 -------- d-----w C:\Rooter$
2009-05-13 14:55 . 2009-05-13 14:55 -------- d-----w c:\program files\ERUNT
2009-05-03 12:34 . 2009-05-03 12:34 -------- d-----w c:\winnt1\Crystal
2009-05-03 12:34 . 1998-11-15 23:00 229888 ----a-w c:\winnt1\system32\CRPAIG32.DLL
2009-05-03 12:34 . 1996-06-08 03:07 43008 ----a-w c:\winnt1\system32\LTFIL60N.DLL
2009-05-03 12:34 . 1995-02-15 07:11 17920 ----a-w c:\winnt1\system32\IMPLODE.DLL
2009-05-03 12:34 . 1999-06-22 00:00 5797888 ----a-w c:\winnt1\system32\CRPE32.DLL
2009-05-03 12:34 . 1996-06-08 03:07 192512 ----a-w c:\winnt1\system32\LTKRN60N.DLL
2009-05-02 22:07 . 2005-08-26 02:18 118784 ----a-w c:\winnt1\system32\MSSTDFMT.DLL
2009-05-02 22:07 . 2009-05-02 22:10 -------- d-----w c:\program files\SpywareBlaster
2009-05-02 22:04 . 2009-05-02 22:04 -------- d-----w c:\documents and settings\All Users.WINNT1\Application Data\SUPERAntiSpyware.com
2009-05-02 22:04 . 2009-05-02 22:04 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-02 22:04 . 2009-05-02 22:04 -------- d-----w c:\documents and settings\Navdeep Bains\Application Data\SUPERAntiSpyware.com
2009-05-02 22:03 . 2009-05-02 22:03 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-02 05:35 . 2009-05-14 16:35 -------- d-----w c:\program files\Alwil Software
2009-05-01 14:53 . 2009-05-15 14:10 -------- d-----w c:\program files\EsetOnlineScanner
2009-04-30 14:53 . 2009-03-27 08:16 12672 ----a-w c:\winnt1\system32\drivers\cpuz132_x32.sys
2009-04-30 14:53 . 2009-04-30 14:53 -------- d-----w c:\program files\CPUID
2009-04-23 15:14 . 2009-04-23 15:14 61440 ----a-w c:\winnt1\system32\drivers\mhbhgk.sys
2009-04-23 13:47 . 2009-04-23 13:47 -------- d-----w c:\documents and settings\Navdeep Bains\Application Data\Malwarebytes
2009-04-23 13:46 . 2009-04-06 22:32 15504 ----a-w c:\winnt1\system32\drivers\mbam.sys
2009-04-23 13:46 . 2009-04-06 22:32 38496 ----a-w c:\winnt1\system32\drivers\mbamswissarmy.sys
2009-04-23 13:46 . 2009-04-23 13:46 -------- d-----w c:\documents and settings\All Users.WINNT1\Application Data\Malwarebytes
2009-04-23 13:46 . 2009-04-23 13:46 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 13:23 . 2009-04-23 13:23 -------- d-----w c:\program files\uTorrent
2009-04-23 13:23 . 2009-05-12 07:33 -------- d-----w c:\documents and settings\Navdeep Bains\Application Data\uTorrent
2009-04-22 14:34 . 2009-04-22 14:34 -------- d-----w c:\program files\AAA Screensavers
2009-04-22 14:34 . 2009-04-22 14:34 -------- d-----w c:\winnt1\Icons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2050-04-11 16:17 . 2008-02-08 04:34 664 ----a-w c:\winnt1\system32\d3d9caps.dat
2050-04-10 06:18 . 2003-03-20 07:13 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-12 17:20 . 2008-10-23 14:22 -------- d-----w c:\program files\DNA
2009-05-05 14:24 . 2008-03-01 16:13 -------- d-----w c:\program files\2007T1W
2009-05-03 12:35 . 2006-03-24 04:55 -------- d---a-w c:\program files\Winsim
2009-04-28 06:06 . 2005-08-19 04:39 -------- d---a-w c:\program files\NIOC Service
2009-04-28 06:06 . 2005-08-19 04:39 -------- d---a-w c:\program files\WZCBDL Service
2009-04-23 15:14 . 2009-04-23 15:14 564530 ----a-w c:\program files\bjvamgu.txt
2009-04-17 14:13 . 2009-04-17 06:24 102664 ----a-w c:\winnt1\system32\drivers\tmcomm.sys
2009-04-17 10:09 . 2007-05-21 03:23 26783659 ----a-w c:\winnt1\system32\drivers\fwdrv.err
2009-04-06 06:40 . 2007-02-21 02:44 11816 ----a-w c:\documents and settings\Navdeep Bains\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 17:50 . 2009-02-04 01:31 -------- d-----w c:\program files\QuickTax 2008
2009-04-02 07:33 . 2009-04-02 07:33 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-02 07:28 . 2003-03-27 01:05 -------- d---a-w c:\program files\Common Files\Adobe
2009-02-20 00:33 . 2009-02-20 00:33 576512 ----a-w c:\winnt1\system32\WININET.DLL
2009-02-19 09:36 . 2005-08-30 17:14 1223168 ----a-w c:\winnt1\system32\quartz.dll
2007-01-17 05:04 . 2003-03-15 00:12 271 ---h--w c:\program files\desktop.ini
2007-01-17 05:04 . 2003-03-15 00:12 21952 ---h--w c:\program files\folder.htt
2004-10-01 23:00 . 2007-02-07 20:58 40960 ----a-w c:\program files\Uninstall_CDS.exe
2007-03-27 07:56 . 2007-03-27 07:56 548864 ----a-w c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-27 07:56 . 2007-03-27 07:56 626688 ----a-w c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-09-07 15:21 . 2008-09-07 15:21 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-07 07:56 . 2008-09-02 15:23 24 --sha-w c:\winnt1\SBAE7AA5C.tmp

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 86016]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-07 29744]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Synchronization Manager"="mobsync.exe" - c:\winnt1\system32\mobsync.exe [2003-06-19 111376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\User 1\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\Mindscape\PrintMaster\PMREMIND.EXE [1997-8-6 255440]

c:\documents and settings\All Users.WINNT1\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\winnt1\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-4-2 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= mmdrv.dll
"wave1"=
"wave2"=
"wave3"=
"wave4"=
"wave5"=
"wave6"=
"wave7"=
"wave8"=
"wave9"=
"midi2"=
"midi3"=
"midi4"=
"midi5"=
"midi6"=
"midi7"=
"midi8"=
"midi9"=
"aux1"=
"aux2"=
"aux3"=
"aux4"=
"aux5"=
"aux6"=
"aux7"=
"aux8"=
"aux9"=
"mixer1"=
"mixer2"=
"mixer3"=
"mixer4"=
"mixer5"=
"mixer6"=
"mixer7"=
"mixer8"=
"mixer9"=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINNT1^Start Menu^Programs^Startup^D-Link AirPlus G Wireless Utility.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINNT1^Start Menu^Programs^Startup^D-Link REG Utility.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Navdeep Bains^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean

R1 aswSP;avast! Self Protection;c:\winnt1\system32\drivers\aswSP.sys [5/14/2009 9:36 AM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 aswFsBlk;aswFsBlk;c:\winnt1\system32\drivers\aswFsBlk.sys [5/14/2009 9:36 AM 20560]
R2 aswMon;avast! Standard Shield Support;c:\winnt1\system32\drivers\aswmon.sys [5/14/2009 9:36 AM 93296]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt1\system32\drivers\usbhub20.sys [2/2/2007 6:46 PM 49776]
S1 i740;i740;c:\winnt1\system32\drivers\i740nt5.sys [1/16/2007 10:14 PM 58800]
S3 An986n;ADMtek AN986 USB 10/100 MAC;c:\winnt1\system32\drivers\An986n.sys [2/2/2007 6:55 PM 28968]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/4/2007 9:19 AM 29744]
S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\winnt1\system32\drivers\PRISMUSB.sys [2/15/2007 7:29 PM 636502]
S3 viafilter;VIA USB Filter;c:\winnt1\system32\drivers\viausb.sys [2/5/2007 11:35 AM 9038]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 738BD6EE7FF75DD3DE180FF6C5DD3C50
.
Contents of the 'Scheduled Tasks' folder

2009-05-20 c:\winnt1\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 07:33]

2009-05-14 c:\winnt1\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 07:33]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt1\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt1\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Navdeep Bains\Application Data\Mozilla\Firefox\Profiles\ey0dzdwt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 22:38
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(248)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt1\system32\wzcdlg.dll
c:\winnt1\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1736)
c:\winnt1\AppPatch\AcLayers.DLL
c:\winnt1\system32\SHDOCVW.DLL
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MSVCR71.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\winnt1\system32\ODBC32.dll
.
Completion time: 2009-05-20 22:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-20 05:45

Pre-Run: 22,709,993,472 bytes free
Post-Run: 22,702,751,744 bytes free

221 --- E O F --- 2009-05-13 14:27