"abc" - 07/26/2007 20:26:57 [GMT -7:00] - ComboFix 07-07-24.5 - Service Pack 4 NTFS
Command switches used :: C:\Documents and Settings\abc\Desktop\CFScript.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ylgpgzav.dll
C:\Program Files\codec_setup.exe
C:\WINNT\srkzsvip.dll
C:\WINNT\system32\drvzos.dll
C:\WINNT\system32\hgggfcd.dll
C:\WINNT\system32\hlpsrv.exe
C:\WINNT\system32\twqogrlb
C:\WINNT\system32\twqogrlb\bg1.gif
C:\WINNT\system32\twqogrlb\bgtop.gif
C:\WINNT\system32\twqogrlb\bottom1.gif
C:\WINNT\system32\twqogrlb\essentials.gif
C:\WINNT\system32\twqogrlb\icon1.ico
C:\WINNT\system32\twqogrlb\install1.gif
C:\WINNT\system32\twqogrlb\left1.gif
C:\WINNT\system32\twqogrlb\li.gif
C:\WINNT\system32\twqogrlb\logo.gif
C:\WINNT\system32\twqogrlb\main.htm
C:\WINNT\system32\twqogrlb\mainframe.htm
C:\WINNT\system32\twqogrlb\reinstall1.gif
C:\WINNT\system32\twqogrlb\right1.gif
C:\WINNT\system32\twqogrlb\s1.htm
C:\WINNT\system32\twqogrlb\s2.htm
C:\WINNT\system32\twqogrlb\s3.htm
C:\WINNT\system32\twqogrlb\SMTop1.gif
C:\WINNT\system32\twqogrlb\SMTop2.gif
C:\WINNT\system32\twqogrlb\SMTop3.gif
C:\WINNT\system32\twqogrlb\SMTop4.gif
C:\WINNT\system32\twqogrlb\soft1_off.gif
C:\WINNT\system32\twqogrlb\soft1_off_ext.gif
C:\WINNT\system32\twqogrlb\soft1_on.gif
C:\WINNT\system32\twqogrlb\soft1_on_ext.gif
C:\WINNT\system32\twqogrlb\soft2_off.gif
C:\WINNT\system32\twqogrlb\soft2_off_ext.gif
C:\WINNT\system32\twqogrlb\soft2_on.gif
C:\WINNT\system32\twqogrlb\soft2_on_ext.gif
C:\WINNT\system32\twqogrlb\soft3_off.gif
C:\WINNT\system32\twqogrlb\soft3_off_ext.gif
C:\WINNT\system32\twqogrlb\soft3_on.gif
C:\WINNT\system32\twqogrlb\soft3_on_ext.gif
C:\WINNT\system32\twqogrlb\softbottom_off.gif
C:\WINNT\system32\twqogrlb\softbottom_on.gif
C:\WINNT\system32\twqogrlb\softleft_off.gif
C:\WINNT\system32\twqogrlb\softleft_on.gif
C:\WINNT\system32\twqogrlb\top1.gif
C:\WINNT\system32\twqogrlb\top2.gif
C:\WINNT\system32\twqogrlb\turnoff1.gif
C:\WINNT\system32\twqogrlb\turnon1.gif
C:\WINNT\system32\twqogrlb\twqogrlb1.exe
C:\WINNT\system32\twqogrlb\twqogrlb2.exe
C:\WINNT\system32\twqogrlb\twqogrlb3.exe
((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))
2007-07-26 20:26 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_308.dat
2007-07-26 15:41 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-26 12:08 <DIR> d-------- C:\Deckard
2007-07-26 11:56 <DIR> d-------- C:\DOCUME~1\abc\APPLIC~1\Netscape
2007-07-26 11:55 <DIR> d-------- C:\Program Files\Netscape
2007-07-26 10:53 <DIR> d-------- C:\Program Files\hjt
2007-07-25 19:04 23,864 --a------ C:\WINNT\system32\drivers\sskbfd.sys
2007-07-25 19:04 21,816 --a------ C:\WINNT\system32\drivers\sshrmd.sys
2007-07-25 19:04 20,280 --a------ C:\WINNT\system32\drivers\SSFS0BB8.sys
2007-07-25 19:04 160,056 --a------ C:\WINNT\system32\drivers\ssidrv.sys
2007-07-25 19:03 1,520,952 --a------ C:\WINNT\WRSetup.dll
2007-07-25 19:03 <DIR> d-------- C:\Program Files\Webroot
2007-07-25 19:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Webroot
2007-07-25 19:03 <DIR> d-------- C:\DOCUME~1\abc\APPLIC~1\Webroot
2007-07-25 19:00 <DIR> d-------- C:\Program Files\Advanced Spyware Remover
2007-07-25 19:00 <DIR> d-------- C:\Program Files\4DiskcleanG
2007-07-23 23:36 <DIR> d-------- C:\DOCUME~1\abc\APPLIC~1\WinRAR
2007-06-17 10:56 967 --a------ C:\WINNT\ScEdUnin.pif
2007-06-17 10:56 6,455 --a------ C:\WINNT\scedunin.dat
2007-06-16 21:06 <DIR> d-a------ C:\Program Files\Steam
2007-06-14 01:23 <DIR> d--h----- C:\WINNT\PIF
2007-06-14 01:23 <DIR> d-------- C:\WAR2
2007-06-14 01:11 <DIR> d-------- C:\Program Files\Microsoft Games
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-26 01:08:32 -------- d-----w C:\Program Files\IrfanView
2007-07-25 20:02:04 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-17 06:44:23 1,764 ----a-w C:\WINNT\Sketchpad Preferences.dat
2007-05-28 21:48:41 -------- d-----w C:\DOCUME~1\abc\APPLIC~1\Lavasoft
2007-05-28 21:48:35 -------- d-----w C:\Program Files\Lavasoft
2007-05-28 21:48:17 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-28 21:20:50 -------- d-----w C:\Program Files\iTunes
2007-05-28 21:20:43 -------- d-----w C:\Program Files\iPod
2007-05-28 21:20:10 -------- d-----w C:\Program Files\QuickTime
2007-05-27 05:14:57 -------- d-----w C:\Program Files\AIM
2006-08-10 22:39:48 271 ---h--w C:\Program Files\desktop.ini
2006-08-10 22:39:48 21,952 ---h--w C:\Program Files\folder.htt
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/07 03:43a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/07 09:41a]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [04/27/07 11:25a]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [06/21/07 06:57p]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [06/02/05 02:34a]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []
"Steam"="C:\Program Files\Steam\Steam.exe" [06/26/07 06:54p]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
C:\Documents and Settings\abc\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-11 11:10:00]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]
R0 Diskperf;Diskperf;C:\WINNT\system32\drivers\Diskperf.sys
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINNT\system32\Drivers\SSFS0BB8.SYS
R0 SSHRMD;Spy Sweeper Hookrack MiniDriver;C:\WINNT\system32\Drivers\SSHRMD.SYS
R0 SSIDRV;Spy Sweeper Interdiction Driver;C:\WINNT\system32\Drivers\SSIDRV.SYS
R1 Cdr4_2K;Cdr4_2K;C:\WINNT\system32\drivers\Cdr4_2K.sys
R1 Cdralw2k;Cdralw2k;C:\WINNT\system32\drivers\Cdralw2k.sys
R1 Parport;Parallel port driver;C:\WINNT\system32\DRIVERS\parport.sys
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
R3 i81x;i81x;C:\WINNT\system32\DRIVERS\i81xnt5.sys
R3 Parallel;Parallel class driver;C:\WINNT\system32\DRIVERS\parallel.sys
R3 Ptilink;Direct Parallel Link Driver;C:\WINNT\system32\DRIVERS\ptilink.sys
R3 Raspti;Direct Parallel;C:\WINNT\system32\DRIVERS\raspti.sys
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINNT\system32\Drivers\sskbfd.sys
R3 uhcd;Microsoft USB Universal Host Controller Driver;C:\WINNT\system32\DRIVERS\uhcd.sys
R4 EFS;EFS;C:\WINNT\system32\drivers\EFS.sys
S2 zntport;NTPort Library Driver;\??\C:\WINNT\system32\zntport.sys
S3 Fax;Fax Service;C:\WINNT\system32\faxsvc.exe
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S3 NetDetect;NetDetect;C:\WINNT\system32\drivers\netdtect.sys
S3 RCA;Microsoft Streaming Network Raw Channel Access;C:\WINNT\system32\drivers\RCA.sys
S3 UtilMan;Utility Manager;C:\WINNT\System32\UtilMan.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
Contents of the 'Scheduled Tasks' folder
2007-07-02 21:11:00 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-07-26 02:04:06 C:\WINNT\tasks\wrSpySweeperTrialSweep.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-07-26 20:28:59
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
\ComboFix\sed.cfexe [996] 0x8123C520
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 07/26/2007 20:30:08
C:\ComboFix-quarantined-files.txt ... 07/26/07 08:29p
C:\ComboFix2.txt ... 07/26/07 07:13p
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 20:39, on 2007-07-26
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\WINNT\system32\cmd.exe
C:\ComboFix\regt.cfexe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\ComboFix\nircmd.cfexe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\abc\Local Settings\Temp\wzeee5\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/game...lugin10USA.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe