Combofix
ComboFix 08-05-21.2 - Owner 2008-05-23 13:11:07.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\DMKeygen_packed.exe
C:\WINDOWS\system32\emptyregdb.dat
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DMKeygen_packed.exe
C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1\Local Store\accounts.xml
C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1\Local Store\twhirl.log
C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1\Local Store\update.air
C:\WINDOWS\system32\emptyregdb.dat
C:\WINDOWS\VistaDrive
C:\WINDOWS\VistaDrive\0.ico
C:\WINDOWS\VistaDrive\100.ico
C:\WINDOWS\VistaDrive\16.ico
C:\WINDOWS\VistaDrive\17.ico
C:\WINDOWS\VistaDrive\25.ico
C:\WINDOWS\VistaDrive\33.ico
C:\WINDOWS\VistaDrive\41.ico
C:\WINDOWS\VistaDrive\42.ico
C:\WINDOWS\VistaDrive\50.ico
C:\WINDOWS\VistaDrive\58.ico
C:\WINDOWS\VistaDrive\67.ico
C:\WINDOWS\VistaDrive\75.ico
C:\WINDOWS\VistaDrive\8.ico
C:\WINDOWS\VistaDrive\83.ico
C:\WINDOWS\VistaDrive\92.ico
C:\WINDOWS\VistaDrive\99.ico
C:\WINDOWS\VistaDrive\s100.ico
C:\WINDOWS\VistaDrive\s16.ico
C:\WINDOWS\VistaDrive\s17.ico
C:\WINDOWS\VistaDrive\s25.ico
C:\WINDOWS\VistaDrive\s33.ico
C:\WINDOWS\VistaDrive\s41.ico
C:\WINDOWS\VistaDrive\s42.ico
C:\WINDOWS\VistaDrive\s50.ico
C:\WINDOWS\VistaDrive\s58.ico
C:\WINDOWS\VistaDrive\s67.ico
C:\WINDOWS\VistaDrive\s75.ico
C:\WINDOWS\VistaDrive\s8.ico
C:\WINDOWS\VistaDrive\s83.ico
C:\WINDOWS\VistaDrive\s92.ico
C:\WINDOWS\VistaDrive\s99.ico
C:\WINDOWS\VistaDrive\vistadrive.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.
2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\WINDOWS\system32\restore
2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\WINDOWS\system32\oobe
2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\WINDOWS\srchasst
2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-05-22 08:19 . 2008-05-22 08:19 <DIR> d-------- C:\Deckard
2008-05-21 21:58 . 2008-05-21 20:24 3 --a------ C:\WINDOWS\Twain001.Mtx
2008-05-21 21:58 . 2008-05-21 21:58 0 --a------ C:\WINDOWS\Twunk003.MTX
2008-05-21 21:58 . 2008-05-21 21:58 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-05-21 18:36 . 2008-05-21 18:38 <DIR> d-------- C:\Program Files\Panda Security
2008-05-21 18:36 . 2008-05-21 18:36 1,829 --a------ C:\WINDOWS\mozver.dat
2008-05-21 17:38 . 2008-05-21 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-21 17:37 . 2008-05-21 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-21 17:37 . 2008-05-21 17:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-21 17:37 . 2008-05-21 17:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-21 17:21 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-21 17:21 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-21 17:20 . 2008-05-21 17:20 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-21 17:04 . 2008-05-21 17:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 21:40 . 2008-05-20 21:41 588,948 --a------ C:\WINDOWS\Tec21.jpg
2008-05-19 23:58 . 2007-03-07 19:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-05-19 23:58 . 2007-03-07 19:51 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-05-19 23:58 . 2007-03-07 19:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-19 23:58 . 2007-03-07 19:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-11 23:25 . 2008-05-11 23:25 18,088 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-09 11:25 . 2008-05-09 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-05-09 11:11 . 2008-05-09 11:11 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-09 11:05 . 2008-05-21 21:53 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-09 06:47 . 2008-05-19 22:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-05-09 06:46 . 2008-05-09 06:46 <DIR> d-------- C:\Program Files\VSO
2008-05-09 05:10 . 2008-05-09 05:10 <DIR> d-------- C:\Program Files\twhirl
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\CoreFTP
2008-04-24 21:40 . 2008-04-24 21:40 <DIR> d-------- C:\Documents and Settings\Guest\C
2008-04-23 22:15 . 2008-04-23 22:15 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Yahoo!
2008-04-23 17:14 . 2004-04-19 17:53 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 17:29 275,744 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-23 17:29 22,484 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-23 17:29 164,192 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-23 17:29 11,972,384 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-23 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-22 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\CoreFTP
2008-05-22 02:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-22 02:31 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-21 00:17 --------- d--h--r C:\Documents and Settings\Owner\Application Data\yahoo!
2008-05-21 00:16 --------- d-----w C:\Program Files\Yahoo!
2008-05-21 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-20 02:36 96,645 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-04-20 02:36 87,941 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-04-18 03:28 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-04-17 18:03 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-17 18:03 --------- d-----w C:\Program Files\Foxit
2008-04-17 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-17 08:03 --------- d-----w C:\Program Files\Java
2008-04-17 07:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-17 07:27 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-17 07:21 --------- d-----w C:\Program Files\Kaspersky Lab
2008-04-17 07:16 --------- d-----w C:\Program Files\VIA
2008-04-17 06:52 --------- d-----w C:\Program Files\Driver Magician
2008-04-17 06:49 --------- d-----w C:\Program Files\Common Files\Java
.
------- Sigcheck -------
2007-05-03 07:37 360704 a11391be25035570ae4b8970920f2c74 C:\WINDOWS\system32\drivers\tcpip.sys
2007-05-02 01:13 1422336 d66456c66d07a423f2e48c2526ae260c C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-22_ 9.09.58.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-22 06:49:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 17:30:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 02:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-21 18:29 1510640]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 19:22 577536 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 19:50 200768]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-21 18:29 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-21 18:29 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa46d186-109f-11dd-9741-0016ec22ecdc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Desktop.exe
\Shell\Explore\Command - Desktop.exe
\Shell\Open\Command - Desktop.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-05-23 13:31:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-23 13:41:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-23 17:40:31
ComboFix2.txt 2008-05-22 13:12:12
Pre-Run: 5,833,953,280 bytes free
Post-Run: 5,871,206,400 bytes free
Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:53 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - (no file)
--
End of file - 4099 bytes