ComboFix 08-12-20.03 - Andrew 2008-12-20 23:16:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1564 [GMT -8:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Andrew\Local Settings\Temporary Internet Files\fbk.sts
C:\install.exe
c:\program files\INSTALL.LOG
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\temp\tn3
c:\windows\system32\aheyuhip.ini
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\timikeze.dll
c:\windows\system32\wpcap.dll
----- BITS: Possible infected sites -----
hxxp://77.74.48.105
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.
2008-12-20 01:06 . 2008-12-20 01:06 <DIR> d-------- c:\program files\Alwil Software
2008-12-19 19:34 . 2008-12-19 19:34 <DIR> d-------- c:\documents and settings\Administrator.ANDREW-4C8A5F4E\Application Data\Malwarebytes
2008-12-19 19:34 . 2008-12-19 19:34 <DIR> d-------- c:\documents and settings\Administrator.ANDREW-4C8A5F4E
2008-12-19 18:46 . 2008-12-20 01:04 <DIR> d-------- c:\program files\Spyware Terminator
2008-12-19 18:35 . 2008-12-19 18:44 <DIR> d-------- c:\program files\Common Files\PC Tools
2008-12-19 18:22 . 2008-12-19 18:35 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-19 16:02 . 2007-11-04 19:30 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-19 02:39 . 2008-12-19 02:39 <DIR> d---s---- c:\windows\Downloaded Program Files
2008-12-18 14:25 . 2008-12-18 14:25 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-18 14:25 . 2008-12-18 14:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-12 01:39 . 2008-12-12 01:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 01:39 . 2008-12-12 01:39 <DIR> d-------- c:\documents and settings\Andrew\Application Data\Malwarebytes
2008-12-12 01:39 . 2008-12-12 01:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 01:39 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 01:39 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 01:04 . 2008-12-20 02:59 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-12 00:45 . 2008-12-12 00:45 <DIR> d-------- c:\program files\Trend Micro
2008-12-12 00:30 . 2008-12-12 00:57 <DIR> d---s---- c:\documents and settings\Administrator
2008-12-10 19:57 . 2008-12-13 04:42 <DIR> d-------- c:\program files\Varnex
2008-11-26 18:32 . 2008-11-26 18:32 <DIR> d-------- c:\documents and settings\Andrew\Application Data\GlobalSCAPE
2008-11-26 18:32 . 2008-11-26 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\GlobalSCAPE
2008-11-26 18:29 . 2008-11-26 18:29 <DIR> d-------- c:\documents and settings\Andrew\Application Data\SmartFTP
2008-11-23 18:14 . 2008-11-23 18:14 <DIR> d-------- c:\windows\system32\scripting
2008-11-23 18:14 . 2008-11-23 18:14 <DIR> d-------- c:\windows\system32\en
2008-11-23 18:14 . 2008-11-23 18:14 <DIR> d-------- c:\windows\system32\bits
2008-11-23 18:14 . 2008-11-23 18:14 <DIR> d-------- c:\windows\l2schemas
2008-11-23 18:13 . 2008-11-23 18:13 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-23 18:09 . 2008-11-23 18:09 <DIR> d-------- c:\windows\EHome
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 01:44 --------- d-----w c:\program files\Steam
2008-12-20 03:06 --------- d-----w c:\program files\fraps
2008-12-20 02:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-18 22:25 --------- d-----w c:\program files\Java
2008-12-16 03:34 --------- d-----w c:\program files\World of Warcraft
2008-12-15 06:45 139,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-14 07:25 --------- d-----w c:\program files\Digsby
2008-12-13 07:35 --------- d-----w c:\documents and settings\Andrew\Application Data\BitTorrent
2008-12-13 07:28 --------- d-----w c:\program files\Electronic Arts
2008-12-02 05:15 --------- d-----w c:\documents and settings\Andrew\Application Data\IGN_DLM
2008-12-02 00:07 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 23:52 22,328 ----a-w c:\documents and settings\Andrew\Application Data\PnkBstrK.sys
2008-11-29 01:37 --------- d-----w c:\program files\mymedia
2008-11-19 10:58 --------- d-----w c:\program files\Activision
2008-11-16 11:11 --------- d-----w c:\program files\Ventrilo
2008-11-16 11:11 --------- d-----w c:\documents and settings\Andrew\Application Data\Ventrilo
2008-11-16 11:10 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-13 03:54 --------- d-----w c:\program files\Warcraft III
2008-11-12 22:49 --------- d-----w c:\documents and settings\Andrew\Application Data\Digsby
2008-11-12 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\Digsby
2008-11-08 09:26 --------- d-----w c:\program files\MSBuild
2008-11-08 09:25 --------- d-----w c:\program files\Reference Assemblies
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2003-12-18 18:33 20,102 ----a-w c:\program files\Readme.txt
2003-09-03 14:46 10,960 ----a-w c:\program files\EULA.txt
2008-09-19 04:00 64,223 --sha-w c:\windows\system32\wimavogu.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"VIDC.XFR1"= xfcodec.dll
"vidc.VSPX"= vspxvfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LVMVFM\\LVPrcSrv.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-20 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-20 20560]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2005-03-22 450400]
S3 idrmkl;idrmkl;\??\c:\docume~1\Andrew\LOCALS~1\Temp\idrmkl.sys []
S3 MaplomL;MaplomL; []
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys []
S3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - d:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - d:\directx\dxsetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6598ada8-b8b6-11db-8204-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6fd3feb-b8e8-11db-b832-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe
.
Contents of the 'Scheduled Tasks' folder
2008-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\l8tjmc7r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 23:19:23
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-12-20 23:23:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 07:23:47
Pre-Run: 102,967,730,176 bytes free
Post-Run: 106,942,820,352 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
180 --- E O F --- 2008-12-20 10:59:34