This is the ComboFix log. Has the HTTP Tidserv been deleted? I did malware right after and got zero infections.

ComboFix 10-06-23.02 - User 24/06/2010 0:17.1.1 - x86
Microsoft Windows XP Home Edition
[GMT -8:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User\msinst.exe
c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
C:\test.txt
C:\Thumbs.db
c:\windows\system32\fonts
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\wpe pro.INI
c:\windows\xpsp1hfm.log
Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))
.
2010-06-24 02:42 . 2010-06-24 02:40 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-24 02:41 . 2010-06-24 02:41 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-24 02:28 . 2010-06-24 02:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-22 19:45 . 2010-06-22 19:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 19:45 . 2010-06-22 19:45 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-22 08:08 . 2010-06-22 08:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-21 21:42 . 2010-06-21 21:42 -------- d-----w- C:\ComboFix
2010-06-20 07:13 . 2010-06-20 07:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-06-20 01:32 . 2010-06-20 01:32 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-06-20 00:12 . 2010-06-20 00:12 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-20 00:00 . 2010-06-21 22:12 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\dyxopykkt
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-24 07:24 . 2005-09-09 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-24 02:47 . 2005-09-09 23:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-24 02:29 . 2007-04-01 19:26 -------- d-----w- c:\program files\Lavasoft
2010-06-24 02:24 . 2007-12-08 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-22 02:48 . 2010-03-13 11:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 01:04 . 2009-12-14 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-02 05:56 . 2003-03-03 04:38 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 23:39 . 2010-03-13 11:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 23:39 . 2010-03-13 11:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2003-03-03 04:33 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:20 . 2006-06-23 19:33 668672 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:20 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2003-02-19 01:35 . 2005-09-09 23:13 0 -csha-w- c:\windows\SMINST\HPCD.SYS
.
------- Sigcheck -------
[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\bits\qmgr.dll
[-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\dllcache\qmgr.dll
[-] 2007-03-29 . 65E23953D337574E549B1EF34FE0B1DA . 409600 . . [6.7.2600.3109] . . c:\windows\$hf_mig$\KB923845\SP2QFE\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtUninstallKB923845$\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\ServicePackFiles\i386\qmgr.dll
[7] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\qmgr.dll
[7] 2004-07-01 . 696AC82FB290A03F205901442E0E9589 . 361984 . . [6.6.2600.1569] . . c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2002-08-29 . 6A1CF14D0E7D0B2241F552223769C8A7 . 221696 . . [6.2.2600.1106] . . c:\windows\$NtUninstallKB842773$\qmgr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-10-01 548933]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\xtras\mssysmgr.exe" [2004-11-12 212992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-18 69632]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 69632]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"nwiz"="nwiz.exe" [2002-10-01 372736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 335872]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-23 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PC-CAM 600 STI App Registration"="PD023pin.dll" [2001-11-11 53248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 155648]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-01-28 885760]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-04 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2004-08-04 136704]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-10-10 225280]
c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-16 113664]
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2006-7-16 1172992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-10-12 23:13 10536 ----a-w- c:\program files\Citrix\GoToAssist\516\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msupdate.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\msupdate.exe
backup=c:\windows\pss\msupdate.exeCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R2 mrtRate;mrtRate; [x]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/09/2005, 0.1.10.1;c:\windows\system32\DRIVERS\libusb0.sys [2005-03-09 33792]
R3 PD023BLK;Creative PC-CAM 600 (Still Image);c:\windows\system32\DRIVERS\PD023blk.sys [2001-11-13 28537]
R3 PD023VID;Creative PC-CAM 600 (Video);c:\windows\system32\DRIVERS\Pd023vid.sys [2001-11-13 435360]
R3 Spdat94;Spdat94; [x]
R3 w550obex;Sony Ericsson W550 USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\w550obex.sys [x]
R3 w900bus;Sony Ericsson 900i driver (WDM);c:\windows\system32\DRIVERS\w900bus.sys [x]
R3 w900mgmt;Sony Ericsson 900i USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\w900mgmt.sys [x]
R3 w900obex;Sony Ericsson 900i USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\w900obex.sys [x]
S0 d347bus;d347bus;c:\windows\System32\DRIVERS\d347bus.sys [2004-08-22 155136]
S0 d347prt;d347prt;c:\windows\System32\Drivers\d347prt.sys [2004-08-22 5248]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-24 64288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-06-24 1352832]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 WUSB300NSvc;WUSB300NSvc;c:\program files\Linksys\WUSB300N\WLService.exe WUSB300N.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2010-06-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:40]
2010-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
2010-06-22 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - User.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy:8080
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: PCPitstop-Tracks-Checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5w4s36ev.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\SceneCaster\Version 3.11.16\NPSceneCaster.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
HKLM-Run-BlockTracker - c:\hp\bin\BlockTracker.exe
HKLM-Run-AutoTBar - c:\hp\bin\autotbar.exe
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
AddRemove-Creative PD0230 - c:\windows\CtDrvIns.exe -uninstall USB\VID_041E&PID_400b&mi_00 -plugin Pd023pin.dll
AddRemove-Destinator PC Portal - c:\program files\LGE PC Portal\Inst.exe \U
AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE
AddRemove-PS2 - c:\windows\system32\ps2.exe
AddRemove-Sound Clips for Messenger - c:\program files\Sound Clips for Messenger\Uninstall.exe
AddRemove-WinAce Archiver - c:\program files\WinAce\SXUNINST.EXE
AddRemove-{28BA89E7-2F60-4BE7-BAA2-7949EB3FE527} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{3EA6838C-5C34-4F9C-A8DA-434D65DD1356} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{4F0AE1FB-4082-4A27-8363-05D292D92FB0} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{63272979-21F0-48EF-9B97-A83DBC05BE39} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{753FE96B-D926-4B6C-BCFB-CC59153D004A} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{7841B68B-B7DD-408E-8B45-D5CA39608185} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{9FA01E11-9015-4140-B10A-5C6AA949B2FC} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-{BC0EE7F1-32DE-4EE2-BE10-AE15DB394E84} - c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
AddRemove-Patch_V1 - k:\gravity\RO\Uninstal.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-06-24 00:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D2BD08]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf755afc3
\Driver\ACPI -> ACPI.sys @ 0xf74a7cb8
\Driver\atapi -> 0x86d2bd08
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e22a
ParseProcedure -> ntoskrnl.exe @ 0x80579c89
SecurityProcedure -> ntoskrnl.exe @ 0x805b011d
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e22a
ParseProcedure -> ntoskrnl.exe @ 0x80579c89
SecurityProcedure -> ntoskrnl.exe @ 0x805b011d
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\516\G2AWinLogon.dll
.
Completion time: 2010-06-24 01:06:50
ComboFix-quarantined-files.txt 2010-06-24 09:06
Pre-Run: 2,571,595,776 bytes free
Post-Run: 6,886,277,120 bytes free
- - End Of File - - 2F7D07D3FAD582CB8C6058C612EDED15