Edited by rjhorn, 26 September 2009 - 01:21 PM.
can't access internet and system infected?
Started by rjhorn, Sep 26 2009 01:19 PM
#1
Posted 26 September 2009 - 01:19 PM
#2
Posted 26 September 2009 - 01:43 PM
I should also add that I was getting browser redirects before this but was able to fix them using other tools... but a little while after doing this I lost the connection... I am also getting errors that read pev.exe and pev.cfxxe errors.
#3
Posted 26 September 2009 - 02:12 PM
ComboFix 09-09-25.01 - Nancy 09/26/2009 14:31.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.239 [GMT -5:00]
Running from: c:\documents and settings\Nancy\Desktop\kahdah.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Nancy\Favorites\games.url
c:\windows\Installer\70146.msp
c:\windows\system32\_004216_.tmp.dll
c:\windows\system32\_004217_.tmp.dll
c:\windows\system32\_004218_.tmp.dll
c:\windows\system32\_004219_.tmp.dll
c:\windows\system32\_004226_.tmp.dll
c:\windows\system32\_004227_.tmp.dll
c:\windows\system32\_004228_.tmp.dll
c:\windows\system32\_004230_.tmp.dll
c:\windows\system32\_004231_.tmp.dll
c:\windows\system32\_004234_.tmp.dll
c:\windows\system32\_004235_.tmp.dll
c:\windows\system32\_004237_.tmp.dll
c:\windows\system32\_004238_.tmp.dll
c:\windows\system32\_004239_.tmp.dll
c:\windows\system32\_004241_.tmp.dll
c:\windows\system32\_004244_.tmp.dll
c:\windows\system32\_004245_.tmp.dll
c:\windows\system32\_004249_.tmp.dll
c:\windows\system32\_004250_.tmp.dll
c:\windows\system32\_004252_.tmp.dll
c:\windows\system32\_004255_.tmp.dll
c:\windows\system32\_004258_.tmp.dll
c:\windows\system32\_004259_.tmp.dll
c:\windows\system32\_004260_.tmp.dll
c:\windows\system32\_004261_.tmp.dll
c:\windows\system32\_004264_.tmp.dll
c:\windows\system32\_004265_.tmp.dll
c:\windows\system32\_004266_.tmp.dll
c:\windows\system32\_004267_.tmp.dll
c:\windows\system32\_004268_.tmp.dll
c:\windows\system32\_004273_.tmp.dll
c:\windows\system32\_004275_.tmp.dll
c:\windows\system32\_004276_.tmp.dll
c:\windows\system32\_006404_.tmp.dll
c:\windows\system32\_006405_.tmp.dll
c:\windows\system32\_006406_.tmp.dll
c:\windows\system32\_006407_.tmp.dll
c:\windows\system32\_006414_.tmp.dll
c:\windows\system32\_006415_.tmp.dll
c:\windows\system32\_006416_.tmp.dll
c:\windows\system32\_006417_.tmp.dll
c:\windows\system32\_006419_.tmp.dll
c:\windows\system32\_006420_.tmp.dll
c:\windows\system32\_006423_.tmp.dll
c:\windows\system32\_006424_.tmp.dll
c:\windows\system32\_006426_.tmp.dll
c:\windows\system32\_006427_.tmp.dll
c:\windows\system32\_006428_.tmp.dll
c:\windows\system32\_006430_.tmp.dll
c:\windows\system32\_006431_.tmp.dll
c:\windows\system32\_006433_.tmp.dll
c:\windows\system32\_006434_.tmp.dll
c:\windows\system32\_006438_.tmp.dll
c:\windows\system32\_006439_.tmp.dll
c:\windows\system32\_006441_.tmp.dll
c:\windows\system32\_006444_.tmp.dll
c:\windows\system32\_006447_.tmp.dll
c:\windows\system32\_006448_.tmp.dll
c:\windows\system32\_006449_.tmp.dll
c:\windows\system32\_006450_.tmp.dll
c:\windows\system32\_006451_.tmp.dll
c:\windows\system32\_006454_.tmp.dll
c:\windows\system32\_006455_.tmp.dll
c:\windows\system32\_006456_.tmp.dll
c:\windows\system32\_006457_.tmp.dll
c:\windows\system32\_006458_.tmp.dll
c:\windows\system32\_006463_.tmp.dll
c:\windows\system32\_006465_.tmp.dll
c:\windows\system32\_006466_.tmp.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FAD
-------\Legacy_MSDIRECTX
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_RDRIV
-------\Legacy_WINDOWS_CONFIGURATION_LOADER
-------\Service_Windows Configuration Loader
((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.
2009-09-26 19:39 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-26 19:39 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-19 02:16 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-19 02:15 . 2009-09-19 02:15 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-19 02:14 . 2009-09-19 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-16 12:08 . 2009-09-16 12:08 139264 ----a-w- c:\windows\system32\csrss8.dll
2009-08-28 16:05 . 2009-09-17 11:05 -------- d-----w- c:\documents and settings\Nancy\Local Settings\Application Data\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-26 14:33 . 2004-04-21 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-25 16:40 . 2004-04-21 00:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-19 02:14 . 2004-08-03 01:08 -------- d-----w- c:\program files\Lavasoft
2009-09-17 13:17 . 2009-05-08 23:24 -------- d-----w- c:\program files\Google
2009-09-17 12:54 . 2005-10-22 16:44 -------- d-----w- c:\program files\Yahoo!
2009-09-15 13:21 . 2003-06-15 15:06 90640 -c--a-w- c:\documents and settings\Nancy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-12 00:54 . 2008-09-11 01:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 19:54 . 2008-09-11 01:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-09-11 01:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 00:48 . 2005-06-02 01:48 -------- d-----w- c:\program files\Picasa2
2009-08-25 22:13 . 2009-07-18 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lexmark 5600-6600 Series
2009-08-09 08:15 . 2009-08-09 08:15 -------- d-----w- c:\program files\MSBuild
2009-08-09 08:15 . 2009-08-09 08:15 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 01:47 . 2009-08-08 01:46 -------- d-----w- c:\documents and settings\Nancy\Application Data\DivX
2009-08-08 00:34 . 2009-08-08 00:31 -------- d-----w- c:\program files\DivX
2009-08-08 00:32 . 2009-08-08 00:31 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-05 09:01 . 2005-10-05 06:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-18 12:29 . 2009-07-18 12:30 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2005-10-05 06:43 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2005-08-22 00:38 . 2005-08-22 00:38 2337 -c--a-w- c:\program files\draxx7fo.gif
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2004-08-04 07:56 . 2007-05-14 00:05 73728 -csha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-07 2356088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-05-15 245760]
"sr1exe"="c:\documents and settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe" [2003-05-15 106496]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-10 196608]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-05-16 151597]
"MPSExe"="c:\program files\McAfee.com\MPS\mscifapp.exe" [2002-06-12 208896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-18 148888]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-05-29 676520]
"lxduamon"="c:\program files\Lexmark 5600-6600 Series\lxduamon.exe" [2008-05-29 16040]
"Lexmark 5600-6600 Series Fax Server"="c:\program files\Lexmark 5600-6600 Series\fm3032.exe" [2008-05-29 311976]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-5-16 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxducoms.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"110:TCP"= 110:TCP:svchost
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [9/18/2009 9:16 PM 64160]
R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
R2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxduserv.exe [4/17/2009 7:43 PM 98984]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [7/18/2009 7:13 AM 410976]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\SYSTEM32\DRIVERS\usbbc.sys [6/16/2003 9:13 PM 15576]
.
Contents of the 'Scheduled Tasks' folder
2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com
IE: &Search
IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}
LSP: c:\windows\system32\mclsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Nancy\Application Data\Mozilla\Firefox\Profiles\default.8nz\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.ftp - sas.ce1.attbb.net
FF - prefs.js: network.proxy.ftp_port - 8000
FF - prefs.js: network.proxy.gopher - sas.ce1.attbb.net
FF - prefs.js: network.proxy.gopher_port - 8000
FF - prefs.js: network.proxy.http - sas.ce1.attbb.net
FF - prefs.js: network.proxy.http_port - 8000
FF - prefs.js: network.proxy.socks - sas.ce1.attbb.net
FF - prefs.js: network.proxy.socks_port - 8000
FF - prefs.js: network.proxy.ssl - sas.ce1.attbb.net
FF - prefs.js: network.proxy.ssl_port - 8000
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.10);user_pref(general.useragent.extra.zencast, );user_pref(yahoo.homepage.dontask, true.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-AIM - c:\program files\AIM95\aim.exe
SafeBoot-Lavasoft Ad-Aware Service
AddRemove-mediamotor - c:\windows\unstall.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 14:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe
sr1exe = "c:\documents and settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(680)
c:\windows\system32\mclsp.dll
c:\windows\system32\mclsphlr\gdlsphlr.dll
c:\windows\system32\McRtl32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\lxducoms.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\windows\SYSTEM32\lxducoms.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Lexmark 5600-6600 Series\lxdumsdmon.exe
.
**************************************************************************
.
Completion time: 2009-09-26 14:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-26 19:48
Pre-Run: 37,650,223,104 bytes free
Post-Run: 37,555,740,672 bytes free
259 --- E O F --- 2009-09-10 08:08