OK, both are done.
ComboFix 08-08-07.01 - James Tran 2008-08-07 17:10:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.707 [GMT -4:00]
Running from: C:\Documents and Settings\James Tran\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James Tran\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\James Tran\Application Data\inst.exe
C:\Documents and Settings\James Tran\Application Data\macromedia\Flash Player\#SharedObjects\LPDUDA8N\interclick.com
C:\Documents and Settings\James Tran\Application Data\macromedia\Flash Player\#SharedObjects\LPDUDA8N\interclick.com\ud.sol
C:\Documents and Settings\James Tran\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\James Tran\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\BM4f871d3a.txt
C:\WINDOWS\BM4f871d3a.xml
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\system32\eLRBefii.ini
C:\WINDOWS\system32\eLRBefii.ini2
C:\WINDOWS\system32\GPpponmp.ini
C:\WINDOWS\system32\GPpponmp.ini2
C:\WINDOWS\system32\yqgqddtt.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_mssecurity1.209.4
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.
2008-08-04 02:11 . 2008-08-04 02:11 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-28 17:23 . 2008-07-28 17:23 38 --a------ C:\WINDOWS\avisplitter.INI
2008-07-27 09:09 . 2008-08-04 02:16 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-27 09:09 . 2008-08-04 02:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-27 09:09 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-07-25 22:51 . 2008-07-25 22:51 <DIR> d-------- C:\Program Files\uTorrent
2008-07-25 22:51 . 2008-08-06 19:17 <DIR> d-------- C:\Documents and Settings\James Tran\Application Data\uTorrent
2008-07-25 19:52 . 2008-04-13 14:39 14,592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-07-25 19:52 . 2008-04-13 14:39 14,592 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-07-25 19:49 . 2008-08-04 02:15 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-07-23 23:34 . 2008-07-23 23:34 1,424 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-23 23:33 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-23 23:33 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-23 23:33 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-23 23:33 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-23 23:33 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-23 23:33 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-23 23:33 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-23 23:33 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-23 23:33 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-23 21:49 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-07-22 21:04 . 2008-07-25 15:48 <DIR> d-------- C:\WINDOWS\system32\4832
2008-07-22 20:17 . 2008-07-23 00:16 43,865 ---hs---- C:\WINDOWS\system32\fuwaeetu.ini
2008-07-09 20:30 . 2008-07-09 20:30 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-09 20:29 . 2008-07-09 20:29 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-09 20:29 . 2008-07-09 20:29 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-09 20:29 . 2008-07-09 20:29 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-09 20:27 . 2008-07-09 20:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-09 20:10 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-07-09 20:09 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-07-09 20:08 . 2008-04-13 20:11 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2008-07-09 17:59 . 2008-07-25 17:46 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-09 17:59 . 2008-07-09 17:59 <DIR> d-------- C:\Documents and Settings\James Tran\Application Data\SUPERAntiSpyware.com
2008-07-09 17:59 . 2008-07-09 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-09 17:52 . 2008-07-09 17:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-09 17:52 . 2008-07-09 17:52 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-09 17:52 . 2008-07-09 17:52 <DIR> d-------- C:\Documents and Settings\James Tran\Application Data\Malwarebytes
2008-07-09 17:52 . 2008-07-09 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-09 17:52 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-09 17:52 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-09 16:52 . 2008-07-26 21:43 <DIR> d-------- C:\Documents and Settings\James Tran\.housecall6.6
2008-07-08 22:50 . 2008-07-08 22:50 <DIR> d-------- C:\Program Files\Alwil Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 00:42 --------- d-----w C:\Program Files\FrostWire
2008-07-09 21:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-05 17:03 --------- d-----w C:\Program Files\Lavasoft
2008-07-05 17:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-04 01:37 --------- d-----w C:\Program Files\Winamp
2008-06-30 23:09 --------- d-----w C:\Documents and Settings\James Tran\Application Data\Apple Computer
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-09 19:39 47,360 ----a-w C:\Documents and Settings\James Tran\Application Data\pcouffin.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
R1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-07-19 10:35]
R2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 10:37]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\James Tran\Application Data\Mozilla\Firefox\Profiles\zhve8f58.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 17:14:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
.
**************************************************************************
.
Completion time: 2008-08-07 17:17:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 21:17:49
Pre-Run: 17,692,368,896 bytes free
Post-Run: 17,596,518,400 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
160 --- E O F --- 2008-07-10 20:04:37
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:26 PM, on 07/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\James Tran\Desktop\System Tools\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFEF81E5-4F5D-4D5D-9A76-EE5AF674C9E8}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 3650 bytes