Win32/renos.io trojan downloader plz help
Started by
dezerbois
, Jun 11 2009 08:15 PM
#1
Posted 11 June 2009 - 08:15 PM
#2
Posted 11 June 2009 - 09:19 PM
Well, I downloaded ComboFix and here's the report:
ComboFix 09-06-11.06 - admin 11/06/2009 22:55.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.1790.1063 [GMT -4:00]
Running from: c:\users\admin\Desktop\Combo-Fix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\MSIVXfrttynacnmupbbbwenwnijdhqrdipxwt.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\MSIVXbefckmkxmiatqgxqklapxfwufgnutnwf.dll
c:\windows\system32\MSIVXbmupxqxveibetcjfohxfodrfestnijci.dll
c:\windows\system32\MSIVXcount
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
D:\Desktop.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_MSIVXserv.sys
((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.
2009-06-12 03:15 . 2009-06-12 03:15 -------- d-----w- c:\users\admin\AppData\Local\temp
2009-06-12 03:15 . 2009-06-12 03:15 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-06-11 20:44 . 2009-06-11 20:44 35 ----a-w- c:\users\admin\AppData\Roaming\SetValue.bat
2009-06-11 19:58 . 2009-03-09 19:06 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-11 19:58 . 2009-06-11 19:58 39428 ----a-w- c:\programdata\Lavasoft\Ad-Aware\ThreatWork\Submit\WNASPINT.DLL
2009-06-11 02:12 . 2009-03-09 19:06 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-11 02:10 . 2009-06-11 02:10 -------- dc-h--w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-11 02:10 . 2009-03-12 08:17 2902048 -c--a-w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-11 02:10 . 2009-06-11 02:12 -------- d-----w- c:\programdata\Lavasoft
2009-06-11 02:10 . 2009-06-11 02:10 -------- d-----w- c:\program files\Lavasoft
2009-06-09 20:25 . 2007-12-26 21:30 679936 ----a-w- c:\windows\system32\D3DX81ab.dll
2009-06-09 20:25 . 2007-12-26 21:30 1970176 ----a-w- c:\windows\system32\d3dx9.dll
2009-06-09 20:25 . 2009-06-10 08:01 -------- d-----w- c:\program files\Cheat Engine
2009-06-07 06:48 . 2009-06-07 06:48 -------- d-----w- c:\program files\OpenPlsInWMP
2009-06-07 06:42 . 2009-06-07 06:42 -------- d-----w- c:\program files\Xiph.Org
2009-06-04 18:55 . 2009-06-04 18:55 -------- d-----w- C:\CFLog
2009-06-04 18:54 . 2005-01-01 00:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-06-04 18:54 . 2009-06-04 18:54 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-06-04 18:46 . 2009-06-04 18:46 -------- d-----w- c:\program files\Subagames
2009-06-04 18:38 . 2009-06-04 18:45 -------- d-----w- c:\program files\CrossFire
2009-06-04 18:38 . 2009-06-04 19:24 -------- d-----w- c:\users\admin\AppData\Local\PMB Files
2009-06-04 18:38 . 2009-06-04 18:39 -------- d-----w- c:\programdata\PMB Files
2009-06-04 18:38 . 2009-06-04 18:38 -------- d-----w- c:\program files\Pando Networks
2009-06-02 20:04 . 2009-06-03 04:24 -------- d-----w- c:\users\admin\AppData\Roaming\Ventrilo
2009-06-02 20:02 . 2009-06-02 20:02 -------- d-----w- c:\program files\Ventrilo
2009-06-02 19:59 . 2009-06-02 19:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-29 22:33 . 2009-05-29 22:33 -------- d-----w- c:\programdata\AeriaGames
2009-05-29 21:38 . 2009-05-29 21:38 -------- d-----w- c:\users\admin\AppData\Local\Hewlett-Packard
2009-05-29 21:12 . 2009-05-29 21:12 -------- d-----w- c:\users\admin\AppData\Local\DNA
2009-05-29 21:12 . 2009-06-12 02:53 -------- d-----w- c:\users\admin\AppData\Roaming\DNA
2009-05-29 21:12 . 2009-05-29 21:12 -------- d-----w- c:\users\admin\Program Files
2009-05-21 07:30 . 2009-05-21 07:41 -------- d-----w- c:\users\admin\.smplayer
2009-05-21 06:59 . 2009-05-21 07:00 -------- d-----w- c:\users\Guest\AppData\Local\PokerStars
2009-05-17 14:18 . 2009-05-17 14:20 -------- d-----w- c:\users\Guest\AppData\Local\QuickPlay
2009-05-17 14:18 . 2009-05-17 14:18 75800 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-17 14:18 . 2009-05-17 14:18 -------- d-----w- c:\users\Guest\AppData\Roaming\Symantec
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 02:54 . 2008-07-10 15:55 42047 ----a-w- c:\programdata\nvModes.dat
2009-06-12 02:43 . 2008-06-02 15:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-12 02:40 . 2008-06-02 15:19 -------- d-----w- c:\programdata\Symantec
2009-06-11 20:44 . 2009-06-11 20:44 691 ----a-w- c:\users\admin\AppData\Roaming\GetValue.vbs
2009-06-11 02:23 . 2008-06-02 13:54 672380 ----a-w- c:\windows\system32\perfh00C.dat
2009-06-11 02:23 . 2008-06-02 13:54 127578 ----a-w- c:\windows\system32\perfc00C.dat
2009-06-11 02:13 . 2009-04-25 04:40 7592 ----a-w- c:\users\admin\AppData\Local\d3d9caps.dat
2009-06-07 06:41 . 2008-12-26 00:36 -------- d-----w- c:\users\admin\AppData\Roaming\LimeWire
2009-06-02 19:29 . 2009-05-13 01:15 -------- d-----w- c:\program files\PokerStars
2009-05-29 22:33 . 2008-06-02 15:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-13 10:01 . 2008-10-02 21:47 -------- d-----w- c:\programdata\Microsoft Help
2009-05-13 10:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-13 01:51 . 2009-05-13 01:51 21176 ----a-w- c:\programdata\Citadel Commerce\Payment Assistant\Citadel.Banking.Updater.exe
2009-05-13 01:51 . 2009-05-13 01:51 10416 ----a-w- c:\programdata\Citadel Commerce\Payment Assistant\Citadel.Bank.CA.RoyalBankEFT.dll
2009-05-13 01:51 . 2009-05-13 01:51 48807 ----a-w- c:\programdata\Citadel Commerce\Payment Assistant\uninst.exe
2009-05-13 01:51 . 2009-05-13 01:51 351216 ----a-w- c:\programdata\Citadel Commerce\Payment Assistant\Citadel.Banking.PaymentClient.exe
2009-05-13 01:51 . 2009-05-13 01:51 -------- d-----w- c:\programdata\Citadel Commerce
2009-05-12 18:37 . 2008-07-10 16:03 -------- d-----w- c:\programdata\CyberLink
2009-04-25 17:32 . 2009-04-25 17:32 -------- d-----w- c:\users\admin\AppData\Roaming\GTek
2009-03-17 03:38 . 2009-04-25 04:47 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-25 04:47 24064 ----a-w- c:\windows\system32\amxread.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BitTorrent DNA"="c:\users\admin\Program Files\DNA\btdna.exe" [2009-06-10 318272]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 92704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-04-02 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{85BAADBE-15CF-4226-B057-916B14FEB69C}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{620CD8DD-7A68-4FC0-A35B-73114E7DD8BD}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{795057CB-C433-4C9D-B1E7-2DD4EFC75272}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{10B560DE-6505-4D7A-93A9-78026BE6A1FA}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F62317B8-F4E2-4B49-8073-77AF2FC82D1C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{26E01536-C195-40FE-861D-F48F17852A8B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{5B209472-6AD5-49BF-B67B-6F26544E49BC}"= TCP:67:DHCP Discovery Service
"{D633F95C-D011-4D3E-A77A-F60462EACA1D}"= UDP:c:\aeriagames\TwelveSky2\Launcher.exe:Launcher
"{12C20EC4-7472-4C37-9D6E-35169D7EC250}"= TCP:c:\aeriagames\TwelveSky2\Launcher.exe:Launcher
"{9A20B77D-E852-474E-98F0-B6181B7938D3}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{21448037-0938-4EDC-8C23-B1589DA27A3F}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{50135DFA-9433-43A3-9107-7895BABF5648}"= UDP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
"{871E6E94-A3BE-4025-9C1F-702B576CDC3B}"= TCP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
"{2877D8F3-EA7F-4FA7-9593-B47B6F75E76F}"= UDP:c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:Pure Networks Platform Service
"{0DB0EC9E-95F9-4AFA-BBEA-770AF53B86EE}"= TCP:c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:Pure Networks Platform Service
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [10/06/2009 22:12 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 15:06 951632]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [18/04/2008 05:30 204800]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [02/06/2008 13:08 361808]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [03/05/2008 08:39 42528]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [02/06/2008 11:46 193840]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-06-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
2008-12-26 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]
2009-06-11 c:\windows\Tasks\User_Feed_Synchronization-{37651776-16B2-4930-9229-57609DC3C30E}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 23:15
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-12 23:16
ComboFix-quarantined-files.txt 2009-06-12 03:16
Pre-Run: 86,677,770,240 bytes free
Post-Run: 87,004,254,208 bytes free
213 --- E O F --- 2009-06-08 22:56