Thread: [SOLVED] Pop-Ups
View Single Post
Old 01-15-2008, 07:48 PM   #8 (permalink)
notter87
Registered User
 
Join Date: Jan 2008
Posts: 48
OS: xp sp2


Re: Pop-Ups
Here is the ComboFix log

ComboFix 08-01-16.3 - Nathan Garnica 2008-01-15 20:27:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.217 [GMT -5:00]
Running from: C:\Documents and Settings\Nathan Garnica\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\Documents and Settings\Nathan Garnica\Local Settings\Application Data\jpkctym.dat
C:\Documents and Settings\Nathan Garnica\Local Settings\Application Data\jpkctym.exe
C:\Documents and Settings\Nathan Garnica\Local Settings\Application Data\jpkctym_nav.dat
c:\Documents and Settings\Nathan Garnica\Local Settings\Application Data\jpkctym_navps.dat
C:\Program Files\windows
C:\WINDOWS\system32\_000228_.tmp.dll
C:\WINDOWS\system32\bang-006.ico
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\dobe~1\?dobe\
C:\WINDOWS\system32\nvs2.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IPRIP
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-15 20:22 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-15 20:22 . 2006-12-04 16:04 211 --a------ C:\Boot.bak
2008-01-15 20:20 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 23:06 . 2008-01-13 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-01-13 23:05 . 2008-01-13 23:05 <DIR> d-------- C:\Program Files\Last.fm
2008-01-13 22:59 . 2008-01-13 22:59 <DIR> d-------- C:\Program Files\foobar2000
2008-01-13 22:59 . 2008-01-15 19:54 <DIR> d-------- C:\Documents and Settings\Nathan Garnica\Application Data\foobar2000
2008-01-12 15:13 . 2008-01-12 15:13 <DIR> d-------- C:\Program Files\COMODO
2008-01-12 15:13 . 2008-01-12 15:13 <DIR> d-------- C:\Documents and Settings\Nathan Garnica\Application Data\Comodo
2008-01-12 15:13 . 2008-01-12 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-01-12 15:13 . 2008-01-12 15:13 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-01-12 15:13 . 2008-01-12 15:13 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-01-12 15:13 . 2008-01-12 15:13 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-01-12 14:14 . 2008-01-12 14:14 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-11 16:15 . 2008-01-11 16:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 16:12 . 2008-01-11 16:12 <DIR> d-------- C:\Deckard
2008-01-11 16:03 . 2008-01-11 16:03 <DIR> d-------- C:\Program Files\MSBuild
2008-01-11 15:58 . 2008-01-11 15:58 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-01-11 15:57 . 2008-01-11 15:57 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-01-11 15:56 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-01-11 15:44 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-01-11 15:44 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-01-11 15:44 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-01-11 15:25 . 2007-03-31 12:12 <DIR> d-------- C:\Program Files\ZonedOut
2008-01-11 15:23 . 2008-01-11 15:23 <DIR> d-------- C:\ie-spyad_zo
2008-01-11 15:15 . 2008-01-11 15:17 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-10 22:25 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-10 22:23 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\gllihrjddyun.sys
2007-12-31 00:33 . 2007-12-31 00:33 <DIR> d-------- C:\Documents and Settings\Nathan Garnica\Application Data\vlc
2007-12-31 00:26 . 2007-12-31 00:29 <DIR> dr-h----- C:\Program Files\rnamfler
2007-12-30 22:41 . 2007-12-31 00:34 <DIR> d-------- C:\Program Files\VideoLAN
2007-12-21 23:46 . 2007-12-21 23:55 <DIR> d-------- C:\Documents and Settings\Nathan Garnica\Application Data\Joost

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 04:00 --------- d-----w C:\Documents and Settings\Nathan Garnica\Application Data\U3
2008-01-11 09:48 --------- d-----w C:\Documents and Settings\Nathan Garnica\Application Data\uTorrent
2008-01-11 04:17 --------- d-----w C:\Program Files\TagRename
2008-01-11 04:04 --------- d-----w C:\Program Files\iTunes
2008-01-11 02:59 --------- d-----w C:\Program Files\Viewpoint
2008-01-02 19:42 --------- d-----w C:\Program Files\StepMania
2007-12-31 03:42 --------- d-----w C:\Program Files\DivX
2007-12-27 22:03 --------- d-----w C:\Program Files\Soulseek
2007-12-05 20:47 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 -c--a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 -c--a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 -c--a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 -c--a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-27 04:14 --------- d-----w C:\Program Files\In The Groove 2
2007-11-25 16:42 --------- d-----w C:\Program Files\uTorrent
2007-11-24 01:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-24 01:24 --------- d-----w C:\Program Files\e-Games
2007-11-21 00:14 --------- d-----w C:\Program Files\IrfanView
2005-12-09 02:04 40,968 ----a-w C:\Documents and Settings\Nathan Garnica\Application Data\GDIPFONTCACHEV1.DAT
2002-10-04 22:09 204,800 -c--a-w C:\WINDOWS\inf\FXPlugin.dll
2005-09-17 00:29 56 -csha-r C:\WINDOWS\system32\AE34307C6C.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 12:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 12:36 114688]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 16:48 479232]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-01-12 15:13 1481472]

C:\Documents and Settings\Nathan Garnica\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-13 23:05:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 14:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
--a--c--- 2005-11-24 21:19 230512 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
--a--c--- 2005-11-24 21:19 185456 C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a--c--- 2005-05-15 02:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1124522652\ee\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2005-09-20 12:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2005-09-20 12:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a--c--- 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2007-01-04 12:13 380928 C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 19:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2006-07-21 10:43 407032 C:\PROGRA~1\Yahoo!\YOP\yop.exe

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-01-12 15:13]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-01-12 15:13]
S3 Aldebaran;Aldebaran - Storage Filter Drivers;C:\WINDOWS\system32\Drivers\Aldebaran.sys []
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [1999-09-10 11:06]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60c444a2-9509-11db-b70e-0013202ef869}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PortableVaultAES.exe
\Shell\Explore\command - explorer.exe /n,/e ,.
\Shell\Launch\command - G:\portablevaultaes.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 21:47:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 20:35:14
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-15 20:40:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-16 01:40:21
.
2008-01-12 19:14:15 --- E O F ---
notter87 is offline