Here is my latest ComboFix log:
ComboFix 09-01-19.03 - hawaian_fridays 2009-01-20 6:22:35.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1656 [GMT 8:00]
Running from: c:\documents and settings\hawaian_fridays\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\hawaian_fridays\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.
2009-01-20 06:19 . 2009-01-20 06:19 <DIR> d--hs---- c:\documents and settings\hawaian_fridays\UserData
2009-01-20 05:34 . 2009-01-20 05:34 <DIR> d-------- C:\Deckard
2009-01-20 05:28 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-01-18 10:32 . 2009-01-18 10:32 <DIR> d-------- c:\program files\TOM Online Inc
2009-01-17 23:59 . 2009-01-17 23:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-15 09:59 . 2009-01-15 09:59 <DIR> d-------- c:\program files\sohutv_web
2009-01-11 18:58 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-06 02:35 . 2009-01-06 02:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\File dvd base road
2008-12-27 02:45 . 2008-12-27 02:45 <DIR> d-------- C:\Downloads
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 17:23 --------- d-----w c:\program files\Garena
2009-01-15 17:22 --------- d-----w c:\program files\Warcraft III
2009-01-12 02:09 --------- d-----w c:\documents and settings\hawaian_fridays\Application Data\uTorrent
2009-01-11 10:56 --------- d-----w c:\program files\Panda Security
2009-01-02 17:51 --------- d-----w c:\documents and settings\hawaian_fridays\Application Data\LimeWire
2008-12-15 01:18 --------- d-----w c:\documents and settings\hawaian_fridays\Application Data\Ventrilo
2008-12-15 01:05 --------- d-----w c:\program files\Ventrilo
2008-12-15 01:05 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-14 05:24 --------- d-----w c:\program files\Electronic Arts
2008-12-11 22:08 --------- d-----w c:\documents and settings\hawaian_fridays\Application Data\AVGTOOLBAR
2008-12-11 21:21 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-12-11 21:21 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-12-11 21:21 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-12-11 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-12-11 19:37 7,218 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-12-11 19:37 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 19:36 --------- d-----w c:\program files\Yahoo!
2008-12-11 19:36 --------- d-----w c:\documents and settings\hawaian_fridays\Application Data\Yahoo!
2008-12-11 18:03 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-11 18:01 --------- d-----w c:\documents and settings\hawaian_fridays\Application Data\SUPERAntiSpyware.com
2008-12-11 16:03 --------- d-----w c:\program files\Web Publish
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-04 15:34 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-12-04 06:27 --------- d-----w c:\program files\FREE Hi-Q Recorder
2008-12-03 14:23 --------- d-----w c:\documents and settings\hawaian_fridays\Application Data\Xilisoft Corporation
2008-12-03 14:22 --------- d-----w c:\program files\Xilisoft
2008-12-03 08:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 06:56 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-12-01 16:08 --------- d-----w c:\program files\Common Files\Adobe
2008-12-01 16:06 --------- d-----w c:\program files\Common Files\Adobe Systems Shared
2008-12-01 16:06 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems
2008-12-01 15:26 --------- d-----w c:\program files\The Print Shop 20
2008-12-01 15:13 --------- d-----w c:\documents and settings\All Users\Application Data\Riverdeep Interactive Learning Limited
2008-12-01 15:08 --------- d-----w c:\program files\Common Files\Broderbund
2008-12-01 15:08 --------- d-----w c:\documents and settings\All Users\Application Data\Broderbund Software
2008-11-24 11:28 --------- d-----w c:\program files\Virtual Villagers The Secret City
2008-11-23 11:16 --------- d-----w c:\program files\Bethesda Softworks
2008-11-23 04:37 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-19 15:21 --------- d-----w c:\documents and settings\hawaian_fridays\Application Data\Leadertech
2008-10-27 02:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 02:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 02:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 02:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-19 21:02 52,736 ----a-w c:\windows\ipuninst.exe
2008-07-01 01:49 22,328 ----a-w c:\documents and settings\hawaian_fridays\Application Data\PnkBstrK.sys
2008-04-13 21:41 164,457 --sha-r c:\windows\system32\ntmwlbrq.dll
.
((((((((((((((((((((((((((((( [email protected]_ 5.22.34.58 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-19 21:05:19 71,584 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-19 21:59:42 71,584 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-19 21:05:19 442,092 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-19 21:59:42 442,092 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"d:\\Installerz\\Gamez\\Dead.Space.Multi-5.Repack.Skullptura\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58440:TCP"= 58440:TCP:Pando Media Booster
"58440:UDP"= 58440:UDP:Pando Media Booster
"9351:TCP"= 9351:TCP:BitComet 9351 TCP
"9351:UDP"= 9351:UDP:BitComet 9351 UDP
"2056:TCP"= 2056:TCP:zsficloo
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-11 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-12 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-12 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-12 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-12 76040]
S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys --> c:\windows\system32\XDva208.sys [?]
S4 myulqa;vrhfkfq;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
myulqa
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{206db441-912b-11dd-99ad-0019667055ad}]
\Shell\AutoRun\command - G:\qa8sywva.cmd
\Shell\explore\Command - G:\qa8sywva.cmd
\Shell\open\Command - G:\qa8sywva.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f56392-8c77-11dd-999f-0019667055ad}]
\Shell\Auto\command - H:\Recycled/dllcache32.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - H:\Recycled/dllcache32.exe
\Shell\open\Command - H:\Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb2060d7-4732-11dd-98ae-0019667055ad}]
\Shell\AutoRun\command - explorer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-01-19 c:\windows\Tasks\B46E1978942995A4.job
- c:\docume~1\hawaia~1\applic~1\bodysp~1\Soap Platform Ooze.exe []
2009-01-19 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe []
2009-01-18 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
FF - ProfilePath - c:\documents and settings\hawaian_fridays\Application Data\Mozilla\Firefox\Profiles\nndvjwpg.default\
FF - plugin: c:\documents and settings\hawaian_fridays\Application Data\Mozilla\Firefox\Profiles\nndvjwpg.default\extensions\[email protected]\plugins\nptcast40.dll
FF - plugin: c:\program files\TOM Online Inc\TOM Live Player\nptcast30.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 06:23:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\myulqa]
"ServiceDll"="c:\windows\system32\ntmwlbrq.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1202660629-1004336348-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1f,84,dd,f3,b2,95,f4,ff,48,6e,82,20,66,70,20,45,38,07,65,f4,46,86, 6f,
11,ad,59,b1,aa,01,eb,52,ef,87,b8,67,d4,e6,22,cb,6c,5e,6e,8a,05,38,ca,e1,7e, \
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
[HKEY_USERS\S-1-5-21-1202660629-1004336348-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:3f,2b,15,df,37,24,fb,8b,f5,75,25,40,24,28,f2,26,f7,73,d6,ba, ec,
a7,5b,01,74,e4,c5,16,71,3c,af,9c,72,19,18,d4,9d,ec,b0,1f,a1,e0,28,2f,95,a8, \
"rkeysecu"=hex:65,63,e6,16,cc,8a,a0,9b,62,96,4b,6b,c1,50,de,b1
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,b4,a7,65,9c, c7,
ea,fa,6a,c8,28,51,af,b0,29,a3,98,60,54,39,41,c9,6d,e5,43,e2,63,26,f1,3f,c8, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,5c,ce,dd,e7, 55,
5a,2c,6f,71,3b,04,66,8b,46,0d,96,b4,e8,d1,03,e4,fd,46,f7,6a,9c,d6,61,af,45, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,df,4b,2e,5d, 5e,
be,bf,e9,25,da,ec,7e,55,20,c9,26,20,13,da,97,a6,0c,50,65,ff,7c,85,e0,43,d4, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,72,12,ac,c4, 28,
2d,2f,26,3e,1e,9e,e0,57,5a,93,61,40,47,49,d3,32,0f,e1,5f,86,8c,21,01,be,91, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,5a,25,0e,93, 5d,
09,0c,d9,cd,44,cd,b9,a6,33,6c,cd,2e,9a,39,9e,fc,a1,f6,ed,f5,1d,4d,73,a8,13, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,07,cb,d6,5c, 13,
8f,fb,70,b0,18,ed,a7,3f,8d,37,a4,8a,86,ff,3b,f7,83,10,6d,df,20,58,62,78,6b, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,32,ca,1c,8c, cc,
a3,f9,2d,31,77,e1,ba,b1,f8,68,02,b0,58,c5,dc,e3,e0,f0,51,fb,a7,78,e6,12,2f, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,ba,05,7a,ba, 6f,
1f,83,34,83,6c,56,8b,a0,85,96,ab,21,c0,1a,ef,81,83,30,69,01,3a,48,fc,e8,04, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,67,66,95,63, 16,
7d,ec,42,51,fa,6e,91,28,9e,14,cc,5f,27,3a,a2,90,e3,3b,f7,f6,0f,4e,58,98,5b, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,5c,22,fe,6c, 1e,
3d,32,44,b1,cd,45,5a,a8,c4,f8,b9,49,2f,b5,3f,94,50,1f,83,3d,ce,ea,26,2d,45, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,e9,31,2c,2c, 3a,
87,84,3a,e3,0e,66,d5,eb,bc,2f,6b,cf,c4,0e,94,62,0d,b2,73,2a,b7,cc,b5,b9,7f, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,3c,be,a4,d1, f2,
d1,82,50,fa,ea,66,7f,d4,3b,6b,70,3e,40,ae,7e,16,8e,d7,2a,6c,43,2d,1e,aa,22, \
.
Completion time: 2009-01-20 6:24:40
ComboFix-quarantined-files.txt 2009-01-19 22:24:38
ComboFix2.txt 2009-01-19 22:09:02
ComboFix3.txt 2009-01-19 21:48:34
ComboFix4.txt 2009-01-19 21:23:08
Pre-Run: 18,734,268,416 bytes free
Post-Run: 18,726,137,856 bytes free
246 --- E O F --- 2009-01-14 08:52:16