ComboFix 08-05-28.2 - Big Daddy 2008-05-28 18:33:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1423 [GMT -4:00]
Running from: C:\Documents and Settings\Big Daddy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Big Daddy\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Zach\Application Data\macromedia\Flash Player\#SharedObjects\CURCNSMH\www.broadcaster.com
C:\Documents and Settings\Zach\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Zach\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aIQBaccf.ini
C:\WINDOWS\system32\lcdersuu.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\xgeheido.ini
C:\WINDOWS\system32\yvmuwwha.ini
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.
2008-05-28 18:30 . 2008-05-28 18:30 1,819,505 --a------ C:\Temp\ComboFix.exe
2008-05-26 15:24 . 2008-05-26 15:24 268 --ah----- C:\sqmdata01.sqm
2008-05-26 15:24 . 2008-05-26 15:24 244 --ah----- C:\sqmnoopt01.sqm
2008-05-24 10:34 . 2008-05-24 17:49 <DIR> d-------- C:\Documents and Settings\Big Daddy\DoctorWeb
2008-05-24 10:34 . 2008-05-24 10:34 10,559,128 --a------ C:\Temp\drweb-cureit.exe
2008-05-23 21:45 . 2008-05-23 21:45 <DIR> d-------- C:\Documents and Settings\Zachary\Contacts
2008-05-21 21:46 . 2008-05-21 21:46 6,039,048 --a------ C:\Temp\Firefox Setup 2.0.0.14.exe
2008-05-21 19:59 . 2008-05-21 19:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-21 19:59 . 2008-05-21 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-21 19:56 . 2008-05-21 20:04 50,688 --a------ C:\Temp\ATF-Cleaner.exe
2008-05-18 21:49 . 2008-05-18 21:49 268 --ah----- C:\sqmdata00.sqm
2008-05-18 21:49 . 2008-05-18 21:49 244 --ah----- C:\sqmnoopt00.sqm
2008-05-18 21:24 . 2008-05-18 21:24 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-05-18 21:11 . 2008-05-28 18:10 13,764 --a------ C:\logfile
2008-05-18 21:05 . 2008-05-18 21:05 <DIR> d-------- C:\Program Files\Kodak
2008-05-18 21:01 . 2008-05-18 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-05-18 20:52 . 2008-05-18 20:52 <DIR> d-------- C:\Documents and Settings\Zachary\Zach
2008-05-18 20:41 . 2008-05-18 20:41 <DIR> d-------- C:\Program Files\LimeWire
2008-05-18 20:41 . 2008-05-27 18:21 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\LimeWire
2008-05-17 11:38 . 2007-06-28 14:36 401,720 --a------ C:\Big Daddy.exe
2008-05-17 11:37 . 2008-05-17 11:37 <DIR> d-------- C:\_OTMoveIt
2008-05-17 11:35 . 2008-05-17 11:35 61 --a------ C:\Temp\fix.bat
2008-05-17 11:34 . 2008-05-17 11:34 <DIR> d-------- C:\dss
2008-05-15 21:37 . 2008-05-15 21:37 <DIR> d-------- C:\Deckard
2008-05-15 21:07 . 2008-05-15 21:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 21:07 . 2008-05-15 21:07 <DIR> d-------- C:\Documents and Settings\Big Daddy\Application Data\Malwarebytes
2008-05-15 21:07 . 2008-05-15 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 21:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-15 21:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-15 20:50 . 2008-05-15 20:50 <DIR> d-------- C:\VundoFix Backups
2008-05-15 20:44 . 2008-05-15 20:44 1,649,976 --a------ C:\Temp\mbam-setup.exe
2008-05-15 20:42 . 2008-05-15 20:42 147,456 --a------ C:\Temp\VundoFix.exe
2008-05-15 20:42 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-15 20:41 . 2008-05-15 20:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-15 20:24 . 2008-05-15 20:24 <DIR> d-------- C:\Documents and Settings\Big Daddy\.SunDownloadManager
2008-05-13 15:50 . 2008-05-15 20:25 <DIR> d-------- C:\Program Files\Google
2008-05-12 21:33 . 2008-05-12 21:33 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\Apple Computer
2008-05-12 21:10 . 2008-05-12 21:10 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\Sonic
2008-05-12 21:10 . 2008-05-12 21:10 <DIR> d-------- C:\Documents and Settings\Zachary\Application Data\ATI
2008-05-12 21:09 . 2008-05-27 18:21 <DIR> d-------- C:\Documents and Settings\Zachary
2008-05-12 19:26 . 2008-05-12 19:23 291,840 --a------ C:\Temp\OTMoveIt2.exe
2008-05-12 18:55 . 2008-05-12 19:18 <DIR> d-------- C:\Temp\SmitfraudFix
2008-05-12 18:54 . 2008-05-12 18:54 <DIR> d-------- C:\backups
2008-05-12 18:51 . 2008-05-12 18:46 1,390,255 --a------ C:\Temp\SmitfraudFix.exe
2008-05-12 18:51 . 2008-05-12 18:43 318,369 --a------ C:\Temp\HiJackThis.zip
2008-05-12 09:39 . 2008-05-12 09:39 <DIR> d-------- C:\Documents and Settings\My Mom\Application Data\TmpRecentIcons
2008-05-11 18:18 . 2008-05-11 18:18 <DIR> d-------- C:\Documents and Settings\Big Daddy\Application Data\TmpRecentIcons
2008-05-11 17:24 . 2008-05-11 17:35 <DIR> d-------- C:\Documents and Settings\Zach\Application Data\TmpRecentIcons
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 22:35 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-27 01:17 --------- d-----w C:\Program Files\Dl_cats
2008-05-16 00:42 --------- d-----w C:\Program Files\Java
2008-05-14 07:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-11 03:53 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2008-05-03 23:49 --------- d-----w C:\Documents and Settings\My Mom\Application Data\AdobeUM
2008-04-13 05:04 --------- d-----w C:\Program Files\iTunes
2008-04-13 05:04 --------- d-----w C:\Program Files\iPod
2008-04-13 05:03 --------- d-----w C:\Program Files\QuickTime
2008-04-06 23:38 --------- d-----w C:\Documents and Settings\Addy\Application Data\LimeWire
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-03-19 19:43 374 ----a-w C:\Documents and Settings\Zach\Application Data\internaldb6334.dat
2007-03-19 19:14 18,432 ----a-w C:\Documents and Settings\Zach\Application Data\internaldb41.dat
2007-03-19 19:13 538 ----a-w C:\Documents and Settings\Zach\Application Data\internaldb8467.dat
.
Infected C:\WINDOWS\system32\user32.dll hex repaired
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 04:34 53248 C:\WINDOWS\SOUNDMAN.EXE]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 10:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 20:27 85696]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2005-04-22 09:45 290816]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 18:41 69632]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"VIDC.MJPG"= jl_mjpg2.drv
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\dlbtcoms.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\DLBTPSWX.EXE"=
"C:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"E:\\Rome - Total War\\RomeTW.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-18 05:00]
S3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-06-27 13:38]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys []
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 19:57:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-28 22:39:41 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 18:37:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-05-28 18:41:19 - machine was rebooted [Big Daddy]
ComboFix-quarantined-files.txt 2008-05-28 22:41:16
Pre-Run: 6,219,464,704 bytes free
Post-Run: 6,255,206,400 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
188 --- E O F --- 2008-05-28 20:41:43