ComboFix Log:
ComboFix 09-02-11.02 - Main 2009-02-11 18:23:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2199 [GMT -5:00]
Running from: c:\documents and settings\Main\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *disabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\gaopdxqbabdwii.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxmxdoylyu.dll
F:\Autorun.inf
f:\recycler\S-1-3-23-100022141-100021716-100004715-3255.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gaopdxserv.sys
((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.
2009-02-10 16:55 . 2009-02-10 16:55 <DIR> d-------- c:\program files\Trend Micro
2009-02-09 20:38 . 2009-02-09 20:39 <DIR> d-------- c:\program files\ERUNT
2009-02-06 22:12 . 2009-02-06 22:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-06 22:12 . 2009-02-06 22:12 <DIR> d-------- c:\documents and settings\Main\Application Data\Malwarebytes
2009-02-06 22:12 . 2009-02-06 22:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-06 22:12 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-06 22:12 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-28 18:56 . 2009-02-10 20:28 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-28 18:36 . 2009-01-28 18:36 <DIR> d-------- c:\program files\Wizards of the Coast
2009-01-24 16:09 . 2009-01-24 16:09 <DIR> d-------- c:\program files\iTunes
2009-01-24 16:09 . 2009-01-24 16:09 <DIR> d-------- c:\program files\iPod
2009-01-24 16:09 . 2009-01-24 16:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-24 16:09 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-24 16:09 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-22 21:08 . 2009-01-24 16:09 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-01-22 21:08 . 2009-01-22 21:08 <DIR> d-------- c:\program files\QuickTime
2009-01-22 21:08 . 2009-01-24 16:09 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-22 21:08 . 2009-01-22 21:08 <DIR> d-------- c:\program files\Apple Software Update
2009-01-22 21:08 . 2009-01-22 21:08 <DIR> d-------- c:\documents and settings\Main\Application Data\Apple Computer
2009-01-22 21:08 . 2009-01-22 21:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-22 21:08 . 2009-01-22 21:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-22 21:08 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-01-11 18:50 . 2009-02-08 20:15 <DIR> d-------- c:\documents and settings\Main\Application Data\Move Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 23:22 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-11 02:37 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-10 23:57 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-10 23:39 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-10 23:37 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-08 21:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-07 15:14 --------- d-----w c:\program files\SlySoft
2009-02-07 15:13 --------- d-----w c:\program files\RivaTuner v2.09
2009-02-07 14:37 --------- d-----w c:\documents and settings\Main\Application Data\Symantec
2009-02-07 14:33 --------- d-----w c:\program files\SpywareBlaster
2009-02-06 20:56 --------- d-----w c:\program files\Norton SystemWorks
2009-02-05 01:03 --------- d-----w c:\documents and settings\Main\Application Data\BitTorrent
2009-01-25 03:56 --------- d-----w c:\documents and settings\Main\Application Data\Winamp
2009-01-17 01:52 --------- d-----w c:\program files\Google
2009-01-15 03:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-06 04:51 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-06 04:51 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-01-06 04:51 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 04:51 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 04:51 --------- d-----w c:\program files\Symantec
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 16:44 410,984 ----a-w c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-14 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-01-25 196128]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NSWosCheck"="c:\program files\Norton SystemWorks\osCheck.exe" [2007-09-18 25472]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymLnch"="c:\documents and settings\Main\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" [2007-08-26 687976]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-06-14 221247]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"NoFavoritesMenu"= 1 (0x1)
"NoStartMenuEjectPC"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-25 149352]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~2\NORTON~1\NPROTECT.EXE [2005-11-03 95832]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-02 99376]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-05-29 23888]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2009-02-07 c:\windows\Tasks\Norton Internet Security - k - Main.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
2009-02-08 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Main.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
2009-01-20 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2007-09-18 07:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: %SYSTEMROOT%\system32\nvLsp.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 18:25:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1028)
c:\windows\system32\nvLsp.dll
.
Completion time: 2009-02-11 18:26:28
ComboFix-quarantined-files.txt 2009-02-11 23:26:26
Pre-Run: 445,998,825,472 bytes free
Post-Run: 445,992,951,808 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
f:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
171 --- E O F --- 2009-01-15 03:16:38