ComboFix 10-09-13.01 - Nick 14/09/2010 2:30.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.269 [GMT 1:00]
Running from: d:\documents and settings\Nick\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\documents and settings\Nick\Application Data\999F2842073445E8336469C75258705F
d:\documents and settings\Nick\Application Data\999F2842073445E8336469C75258705F\enemies-names.txt
d:\documents and settings\Nick\Application Data\999F2842073445E8336469C75258705F\local.ini
d:\documents and settings\Nick\Local Settings\Application Data\Windows Server
d:\documents and settings\Nick\Local Settings\Application Data\Windows Server\server.dat
d:\program files\WinPCap
d:\program files\WinPCap\daemon_mgm.exe
d:\program files\WinPCap\npf_mgm.exe
d:\program files\WinPCap\rpcapd.exe
d:\windows\system32\drivers\npf.sys
d:\windows\system32\Packet.dll
d:\windows\system32\pthreadVC.dll
d:\windows\system32\WanPacket.dll
d:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2010-08-14 to 2010-09-14 )))))))))))))))))))))))))))))))
.
2010-09-13 23:27 . 2010-08-12 12:15      64288 ----a-w- d:\windows\system32\drivers\Lbd.sys
2010-09-13 23:24 . 2010-09-13 23:24   -------- d-----w- d:\documents and settings\Nick\Local Settings\Application Data\Sunbelt Software
2010-09-13 23:21 . 2010-09-13 23:21   -------- dc-h--w- d:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-13 23:19 . 2010-09-13 23:27   -------- d-----w- d:\documents and settings\All Users\Application Data\Lavasoft
2010-09-13 23:19 . 2010-09-13 23:19   -------- d-----w- d:\program files\Lavasoft
2010-09-10 00:36 . 2010-09-14 01:13   -------- d-----w- d:\documents and settings\Nick\Application Data\ZumoCast
2010-09-06 13:47 . 2010-09-06 13:47   -------- d-s---w- d:\documents and settings\NetworkService\UserData
2010-08-31 20:42 . 2010-08-31 20:42   -------- d-----w- d:\documents and settings\Nick\Application Data\Malwarebytes
2010-08-31 20:42 . 2010-04-29 14:39      38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-08-31 20:42 . 2010-08-31 20:42   -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-08-31 20:42 . 2010-08-31 20:42   -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-31 20:42 . 2010-04-29 14:39      20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-08-31 20:39 . 2010-08-31 20:39   -------- d-----w- d:\program files\Trend Micro
2010-08-28 19:06 . 2010-08-28 19:24   -------- d-----w- d:\program files\GN-ACtoolclient
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 01:56 . 2010-02-15 01:31   -------- d-----w- d:\program files\Steam
2010-09-14 01:53 . 2010-02-09 18:05    2554239 ----a-w- d:\windows\Internet Logs\tvDebug.Zip
2010-09-13 23:47 . 2010-02-15 15:03   -------- d-----w- d:\program files\YouTube Downloader
2010-09-13 17:26 . 2010-09-13 17:27    1939968 ----a-w- d:\windows\Internet Logs\xDB6.tmp
2010-09-13 00:39 . 2010-02-11 23:44   -------- d-----w- d:\documents and settings\Nick\Application Data\BitTorrent
2010-09-05 12:49 . 2010-07-30 15:47   -------- d-----w- d:\program files\Microsoft Silverlight
2010-09-01 00:45 . 2010-09-01 00:47    1921536 ----a-w- d:\windows\Internet Logs\xDB5.tmp
2010-09-01 00:41 . 2010-02-08 19:49   -------- d-----w- d:\documents and settings\Nick\Application Data\NoNameScript
2010-08-31 22:15 . 2010-02-08 19:48   -------- d-----w- d:\program files\mIRC
2010-08-31 20:39 . 2010-08-31 20:39     388096 ----a-r- d:\documents and settings\Nick\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-22 23:42 . 2010-02-11 01:14   -------- d-----w- d:\documents and settings\Nick\Application Data\vlc
2010-08-17 15:05 . 2010-02-24 22:31   -------- d-----w- d:\program files\PartyGaming
2010-08-12 13:25 . 2010-02-09 00:20   -------- d-----w- d:\program files\World of Warcraft
2010-08-12 12:16 . 2010-09-13 23:21    2979848 -c--a-w- d:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-08 13:19 . 2010-08-08 13:19      12536 ----a-w- d:\windows\system32\avgrsstx.dll
2010-08-08 13:19 . 2010-02-08 19:45      29584 ----a-w- d:\windows\system32\drivers\avgmfx86.sys
2010-08-08 13:18 . 2010-02-08 19:45     216400 ----a-w- d:\windows\system32\drivers\avgldx86.sys
2010-08-06 01:48 . 2010-02-09 16:47   -------- d-----w- d:\documents and settings\Nick\Application Data\FileZilla
2010-08-03 18:18 . 2010-08-03 18:18     503808 ----a-w- d:\documents and settings\Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-16d9e53d-n\msvcp71.dll
2010-08-03 18:18 . 2010-08-03 18:18     499712 ----a-w- d:\documents and settings\Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-16d9e53d-n\jmc.dll
2010-08-03 18:18 . 2010-08-03 18:18     348160 ----a-w- d:\documents and settings\Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-16d9e53d-n\msvcr71.dll
2010-08-03 18:18 . 2010-08-03 18:18      61440 ----a-w- d:\documents and settings\Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-42738f99-n\decora-sse.dll
2010-08-03 18:18 . 2010-08-03 18:18      12800 ----a-w- d:\documents and settings\Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-42738f99-n\decora-d3d.dll
2010-07-31 12:18 . 2010-02-08 19:15      14080 ----a-w- d:\documents and settings\Nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-30 15:50 . 2010-07-30 15:48   -------- d-----w- d:\documents and settings\Nick\Application Data\Mozilla-Cache
2010-07-01 02:49 . 2010-07-01 12:38    1856512 ----a-w- d:\windows\Internet Logs\xDB4.tmp
2010-06-30 12:31 . 2002-09-03 16:58     149504 ----a-w- d:\windows\system32\schannel.dll
2010-06-24 12:10 . 2004-08-04 07:56      81920 ------w- d:\windows\system32\ieencode.dll
2010-06-24 12:10 . 2002-09-03 17:12     667136 ----a-w- d:\windows\system32\wininet.dll
2010-06-23 13:44 . 2002-09-03 17:11    1851904 ----a-w- d:\windows\system32\win32k.sys
2010-06-21 15:27 . 2002-09-03 17:04     354304 ----a-w- d:\windows\system32\drivers\srv.sys
2010-06-21 13:06 . 2010-06-21 13:06      72504 ----a-w- d:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-17 16:14 . 2010-06-17 16:14      50354 ----a-w- d:\documents and settings\Nick\Application Data\Facebook\uninstall.exe
2010-06-17 14:03 . 2002-09-03 16:34      80384 ----a-w- d:\windows\system32\iccvid.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00ZumoCast]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-09-08 03:11 748544 ----a-w- c:\program files\ZumoCast\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01ZumoCast]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-09-08 03:11 748544 ----a-w- c:\program files\ZumoCast\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02ZumoCast]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-09-08 03:11 748544 ----a-w- c:\program files\ZumoCast\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03ZumoCast]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-09-08 03:11 748544 ----a-w- c:\program files\ZumoCast\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04ZumoCast]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-09-08 03:11 748544 ----a-w- c:\program files\ZumoCast\ShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="d:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Steam"="d:\program files\steam\steam.exe" [2010-08-24 1242448]
"WMPNSCFG"="d:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ZumoCast"="c:\program files\ZumoCast\ZumoLauncher.lnk" [2010-09-10 728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2010-01-11 110696]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
"AVG9_TRAY"="d:\progra~1\AVG\AVG9\avgtray.exe" [2010-08-08 2065760]
"ZoneAlarm Client"="d:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Lexmark X1100 Series"="d:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Wireless Manager"="d:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Air Mouse.lnk - d:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2010-2-11 504832]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2010-2-10 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-08-08 13:19 12536 ----a-w- d:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 12:28 72208 ----a-w- d:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"d:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\World of Warcraft\\Launcher.exe"=
"d:\\Program Files\\World of Warcraft\\WoW-3.2.0-enGB-downloader.exe"=
"d:\\Documents and Settings\\Nick\\Desktop\\AdsBot\\mirc.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Steam\\steamapps\\maverick_2004\\counter-strike\\hl.exe"=
"c:\\Program Files\\ZumoCast\\zumocast.exe"=

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [14/09/2010 00:27 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [08/02/2010 20:45 216400]
R2 avg9wd;AVG Free WatchDog;d:\program files\AVG\AVG9\avgwdsvc.exe [08/08/2010 14:19 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 13:15 1355416]
R2 LBeepKE;LBeepKE;d:\windows\system32\drivers\LBeepKE.sys [10/02/2010 15:47 10384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;d:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/08/2010 13:15 15008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-14 d:\windows\Tasks\Ad-Aware Update (Weekly).job
- d:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 12:15]
.
.
------- Supplementary Scan -------
.
DPF: DirectAnimation Java Classes - file://d:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\z9nlmwq4.default\
FF - plugin: d:\documents and settings\Nick\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: d:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\z9nlmwq4.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: d:\program files\Veetle\Player\npvlc.dll
FF - plugin: d:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: d:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-CmUsbSound - cmcnfgu.cpl

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-14 02:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
d:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
d:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2568)
d:\program files\Logitech\SetPoint\GameHook.dll
d:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\ZumoCast\ShellExt.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\nvsvc32.exe
d:\program files\AVG\AVG9\avgchsvx.exe
d:\program files\AVG\AVG9\avgrsx.exe
d:\program files\AVG\AVG9\avgcsrvx.exe
d:\windows\system32\LEXBCES.EXE
d:\windows\system32\LEXPPS.EXE
d:\program files\Virgin Broadband Wireless\AffinegyService.exe
d:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Windows Media Player\WMPNetwk.exe
d:\windows\System32\wbem\unsecapp.exe
d:\windows\SOUNDMAN.EXE
d:\windows\system32\RUNDLL32.EXE
d:\windows\system32\RunDll32.exe
d:\windows\system32\rundll32.exe
d:\program files\Lexmark X1100 Series\lxbkbmon.exe
d:\program files\Virgin Broadband Wireless\ndis_events.exe
c:\program files\ZumoCast\ZumoCast.exe
d:\program files\iPod\bin\iPodService.exe
d:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
d:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-09-14 03:03:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-14 02:02

Pre-Run: 146,777,972,736 bytes free
Post-Run: 149,874,847,744 bytes free

- - End Of File - - 7DA32C6F0D23E5AF0406195285B8A066