ComboFix 09-10-12.02 - Christopher 10/12/2009 21:30.3.2 - NTFSx86
Running from: c:\documents and settings\Christopher\Desktop\paint.bat.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\win32k.sys
.
---- Previous Run -------
.
c:\program files\Shared
c:\windows\system32\xwreg32.dll
c:\windows\win32k.sys

-- Previous Run --
c:\windows\system32\eventlog.dll . . . is infected!!

-- Previous Run --
c:\windows\system32\eventlog.dll . . . is infected!!

--------
c:\windows\system32\eventlog.dll . . . is infected!!

--------
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_.NET_CLR
-------\Legacy_NWCWORKSTATION
-------\Legacy_ONESTEP_SEARCH_SERVICE
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_.Net CLR
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.
2009-10-12 23:52 . 2009-10-12 23:52 472142 ----a-w- C:\root.exe
2009-10-12 23:50 . 2009-10-12 23:50 271950 ----a-w- C:\TFC.exe
2009-10-12 23:43 . 2009-10-12 23:43 3337771 ----a-w- C:\cizombo.exe
2009-10-12 23:36 . 2009-10-12 23:36 -------- d-----w- c:\program files\Malts
2009-10-12 22:54 . 2009-10-12 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-12 22:54 . 2009-10-13 02:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-12 22:54 . 2009-10-12 22:54 -------- d-----w- c:\documents and settings\Christopher\Application Data\SUPERAntiSpyware.com
2009-10-12 22:05 . 2009-10-12 22:23 -------- d-----w- C:\fire
2009-10-12 22:03 . 2009-10-12 17:51 3337593 ----a-r- C:\fire.exe
2009-10-12 01:03 . 2009-10-12 01:03 -------- d-----w- c:\windows\system32\drivers\NAV
2009-10-12 01:03 . 2009-10-12 01:03 -------- d-----w- c:\program files\Windows Sidebar
2009-10-12 00:48 . 2009-10-12 17:18 -------- d-----w- c:\program files\NortonInstaller
2009-10-11 23:23 . 2009-10-11 23:23 -------- d-----w- c:\documents and settings\Christopher\Application Data\Malwarebytes
2009-10-11 23:23 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-11 23:23 . 2009-10-11 23:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-11 23:23 . 2009-10-11 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-11 23:23 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-11 23:15 . 2009-10-12 22:40 -------- d--h--w- c:\windows\PIF
2009-10-11 21:02 . 2009-10-11 21:03 -------- d-----w- c:\documents and settings\Christopher\Application Data\gtk-2.0
2009-10-11 21:02 . 2009-10-11 21:02 -------- d-----w- c:\documents and settings\Christopher\Local Settings\Application Data\Mupen64Plus
2009-10-11 21:00 . 2009-10-11 22:10 -------- d-----w- C:\N64
2009-10-11 18:41 . 2009-10-11 19:27 -------- d-----w- C:\SNES
2009-10-11 17:58 . 2009-10-13 01:11 -------- d-----w- C:\Gens
2009-10-11 17:06 . 2009-10-11 17:06 536293 ----a-w- c:\windows\system32\2b76f.dll
2009-10-11 15:50 . 2009-10-12 01:03 -------- d-----w- c:\program files\Norton AntiVirus
2009-10-11 15:20 . 2009-10-11 15:20 193544 ----a-w- C:\dvglbk.exe
2009-10-11 15:20 . 2009-10-11 15:20 9216 ----a-w- C:\wridiint.exe
2009-10-11 15:20 . 2009-10-11 15:20 19456 ----a-w- C:\dslagxb.exe
2009-10-11 15:20 . 2009-10-11 15:20 36352 ----a-w- C:\divqh.exe
2009-10-11 15:20 . 2009-10-11 15:20 79360 ----a-w- C:\houkh.exe
2009-10-11 15:20 . 2009-10-11 15:20 24576 ----a-w- C:\hgxs.exe
2009-10-11 14:49 . 2009-10-11 17:47 -------- d-----w- C:\Nintendo
2009-10-01 16:49 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-10-01 16:49 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-09-24 13:24 . 2009-09-24 13:24 -------- d-----w- c:\program files\Riverdeep
2009-09-24 13:24 . 2009-09-24 13:24 -------- d-----w- c:\program files\Uninstall_Trudy's Time House
2009-09-24 13:24 . 2009-09-24 13:24 -------- d--h--w- c:\program files\Zero G Registry
2009-09-24 13:24 . 2009-09-24 13:24 -------- d-----w- c:\program files\jre
2009-09-24 13:23 . 2009-09-24 13:23 -------- d--h--w- c:\documents and settings\Christopher\InstallAnywhere
2009-09-24 13:18 . 2009-09-24 13:18 -------- d-----w- c:\program files\NZRVR
2009-09-24 13:18 . 2009-09-24 13:18 -------- d-----w- c:\program files\Connection Wizard
2009-09-22 13:18 . 2009-09-22 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Adventure Workshop
2009-09-22 13:16 . 2009-09-29 20:28 -------- d-----w- c:\program files\Volcanic Panic 1st - 3rd Grade
2009-09-22 13:16 . 2009-09-22 13:16 -------- d-----w- c:\windows\Volcanic Panic 1st - 3rd Grade
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 22:54 . 2007-04-15 00:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-12 17:23 . 2009-01-10 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-12 17:18 . 2007-06-20 23:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-12 00:52 . 2009-01-10 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-10-12 00:43 . 2007-06-07 02:47 -------- d-----w- c:\program files\Hijac
2009-10-11 17:53 . 2007-05-05 18:49 -------- d-----w- c:\documents and settings\Christopher\Application Data\uTorrent
2009-10-11 16:02 . 2007-06-20 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-11 15:12 . 2007-04-27 23:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-07 21:51 . 2009-01-14 00:09 -------- d-----w- c:\program files\Runes of Magic
2009-09-24 13:23 . 2009-09-24 13:23 13 ----a-w- c:\program files\test.txt
2009-09-24 13:08 . 2009-07-11 16:50 -------- d-----w- c:\program files\The Learning Company
2009-09-22 03:31 . 2009-07-22 10:50 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-15 22:03 . 2009-03-26 01:23 -------- d-----w- c:\documents and settings\Christopher\Application Data\Move Networks
2009-09-14 22:33 . 2007-04-20 15:48 -------- d-----w- c:\program files\Steam
2009-09-02 20:42 . 2007-05-04 20:13 -------- d-----w- c:\documents and settings\Christopher\Application Data\LimeWire
2009-08-29 15:58 . 2009-08-29 15:48 -------- d-----w- c:\program files\Runes of Magic Toimu
2009-08-17 01:36 . 2007-04-15 00:01 21624 ----a-w- c:\documents and settings\Christopher\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 868352]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-10-10 69632]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-10-10 69632]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Christopher^Start Menu^Programs^Startup^scandisk.dll]
path=c:\documents and settings\Christopher\Start Menu\Programs\Startup\scandisk.dll
backup=c:\windows\pss\scandisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Christopher^Start Menu^Programs^Startup^scandisk.lnk]
path=c:\documents and settings\Christopher\Start Menu\Programs\Startup\scandisk.lnk
backup=c:\windows\pss\scandisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"Norton AntiVirus"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HLSW\\hlsw.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\captainevers@yahoo.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\captainevers@yahoo.com\\team fortress 2\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-09-22 1028432]
R3 gkmixern;gkmixern;c:\docume~1\CHRIST~1\LOCALS~1\Temp\gkmixern.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-06-02 2862428]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-09-15 7408]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-07-03 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-09-15 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-09-15 74480]
S3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\DRIVERS\LNE100V5.sys [2001-10-24 36224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
.Net CLR REG_MULTI_SZ .Net CLR

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c671a5f5-ea4c-11db-a24e-806d6172696f}]
\Shell\AutoRun\command - D:\CDStart.exe
\Shell\Install\Command - D:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-10-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
FF - ProfilePath - c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\9d583dmt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\Christopher\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Octoshape Streaming Services\Christopher\octoprogram-L03-N00-U00-C00_0712211_000\npoctoshape.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: XUL Cache: {72DC734F-8587-45AA-8371-926C1B9641B8} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{72DC734F-8587-45AA-8371-926C1B9641B8}\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-aawservice
AddRemove-12bbe590-c890-11d9-9669-0800200c9a66_is1 - c:\program files\Turbine\The Lord of the Rings Online\unins000.exe
AddRemove-1dd6893e-4370-4b3e-a7ad-360606d2bbca_is1 - c:\program files\Turbine\The Lord of the Rings Online - Isengard\unins000.exe
AddRemove-HijackThis - c:\documents and settings\Christopher\Desktop\HijackThis.exe
AddRemove-Mupen64Plus - c:\n64\Mupen64Plus\uninstall.exe
AddRemove-ShotOnline International - c:\program files\ShotOnline International\uninst.exe
AddRemove-CrimeCraft - c:\program files\Vogster Entertainment\CrimeCraft\uninstall.exe
AddRemove-NCsoft-Aion - c:\program files\ncsoft\launcher\NCLauncher.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 21:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1390067357-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:15,fb,11,af,2f,b7,2e,9f,4f,31,67,1f,7a,1f,52,2a,08,d3,56,33,d1,b7,d9,
   67,2d,b9,ed,eb,90,92,bb,d4,ee,a8,f8,23,55,a2,26,f2,c5,ec,57,72,6d,89,be,d6,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(416)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\iPod Access for Windows\iPAHelper.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-13 21:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 02:52

Pre-Run: 69,393,797,120 bytes free
Post-Run: 69,415,424,000 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
255 --- E O F --- 2009-10-11 15:40