I had NOD32 installed, but when I discovered this infection the antivirus no longer worked (it would not run or detect anything), so I uninstalled it.
Here are the logs: the ComboFix run, followed by a VirusTotal multi-engine report on a 456,192-byte file — the same size as the Winlog.exe that the RPCHE service entry points to in the log.
ComboFix 08-11-09.01 - Mattias 2008-11-09 23:56:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.275 [GMT 1:00]
Running from: c:\documents and settings\Mattias\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mattias\Start Menu\Programs\Startup\lsass.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.
2008-11-09 11:57 . 2008-11-09 11:57 <DIR> d-------- c:\windows\LastGood
2008-11-09 05:00 . 2008-11-09 05:00 <DIR> d-------- c:\windows\system32\scripting
2008-11-09 05:00 . 2008-11-09 05:00 <DIR> d-------- c:\windows\system32\en
2008-11-09 05:00 . 2008-11-09 05:00 <DIR> d-------- c:\windows\system32\bits
2008-11-09 05:00 . 2008-11-09 05:00 <DIR> d-------- c:\windows\l2schemas
2008-11-09 04:57 . 2008-11-09 05:00 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-07 19:14 . 2004-08-03 22:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys
2008-11-07 19:13 . 2004-08-03 22:29 327,040 --------- c:\windows\system32\drivers\ati2mtaa.sys
2008-11-06 22:24 . 2008-11-09 23:32 32 --a------ c:\windows\1.ini
2008-11-06 21:19 . 2008-11-06 21:19 <DIR> d-------- C:\Logs
2008-11-06 19:52 . 2008-11-06 19:52 <DIR> d-------- C:\rsit
2008-11-06 19:52 . 2008-11-06 19:52 <DIR> d-------- c:\program files\trend micro
2008-11-06 19:30 . 2008-11-06 19:39 250 --a------ c:\windows\gmer.ini
2008-11-06 19:10 . 2008-11-06 19:10 1,529,241 --a------ C:\SDFix.exe
2008-11-06 18:22 . 2008-06-13 12:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-06 18:22 . 2008-06-13 12:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-06 18:20 . 2008-08-14 11:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-06 18:20 . 2008-08-14 11:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-06 18:20 . 2008-09-15 13:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-06 18:20 . 2008-09-08 11:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-06 18:20 . 2008-08-14 11:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-11-06 18:19 . 2008-08-14 10:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-06 18:19 . 2008-08-14 10:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-06 18:19 . 2008-05-08 15:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-11-06 18:18 . 2008-04-11 20:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-11-06 18:18 . 2008-10-15 17:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-06 18:15 . 2008-11-09 11:57 <DIR> d--h----- c:\windows\$hf_mig$
2008-11-06 18:15 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2008-11-06 18:09 . 2008-11-06 18:13 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-11-06 17:57 . 2008-11-06 17:57 <DIR> d---s---- c:\documents and settings\Mattias\UserData
2008-11-06 17:27 . 2008-11-06 17:27 237,568 --a------ c:\windows\system32\wowformf436_130.dll
2008-11-06 17:27 . 2008-11-09 20:20 100,864 --a------ c:\windows\avguard.exe
2008-11-06 17:27 . 2008-11-06 17:27 20 --a------ c:\windows\syscheck
2008-11-06 14:06 . 2008-11-06 14:06 <DIR> d-------- c:\windows\Eurobattle.net Installer
2008-11-06 13:45 . 2008-11-06 13:59 <DIR> d-------- c:\documents and settings\Mattias\Application Data\Ventrilo
2008-11-06 13:44 . 2008-11-06 13:44 <DIR> d-------- c:\program files\VentriloMIX
2008-11-06 13:43 . 2008-11-06 13:48 139,264 --a------ c:\windows\War3Unin.exe
2008-11-06 13:43 . 2008-11-06 14:03 77,057 --a------ c:\windows\War3Unin.dat
2008-11-06 13:43 . 2008-11-06 13:48 2,829 --a------ c:\windows\War3Unin.pif
2008-11-06 13:41 . 2008-11-06 21:13 <DIR> d-------- c:\program files\Warcraft III
2008-11-06 13:36 . 2008-11-06 13:36 <DIR> d-------- c:\program files\DAEMON Tools Lite
2008-11-06 12:35 . 2008-11-06 12:35 <DIR> d-------- c:\documents and settings\Mattias\Application Data\DAEMON Tools
2008-11-06 12:35 . 2008-11-06 12:35 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2008-11-06 12:30 . 2008-11-06 12:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 10:57 --------- d-----w c:\program files\MSN Messenger
2008-11-08 09:21 --------- d-----w c:\program files\World of Warcraft
2008-11-06 16:30 4,224 ----a-w c:\windows\system32\drivers\beep.sys
2008-11-06 12:44 --------- d-----w c:\program files\VentriloMIX
2008-11-06 11:27 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-11-06 10:53 --------- d-----w c:\documents and settings\Mattias\Application Data\ATI
2008-11-06 10:53 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-11-06 10:34 --------- d-----w c:\program files\ATI Technologies
2008-11-06 10:31 --------- d-----w c:\documents and settings\Mattias\Application Data\uTorrent
2008-11-06 10:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-06 10:25 --------- d-----w c:\program files\ESET
2008-11-06 10:25 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-11-06 10:23 --------- d-----w c:\program files\Creative
2008-11-06 10:21 444,952 ----a-w c:\windows\system32\wrap_oal.dll
2008-11-06 10:21 109,080 ----a-w c:\windows\system32\OpenAL32.dll
2008-11-06 10:21 --------- d-----w c:\documents and settings\Mattias\Application Data\Creative
2008-11-06 10:13 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-06 10:09 --------- d-----w c:\program files\uTorrent
2008-11-06 10:04 --------- d-----w c:\program files\microsoft frontpage
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-21 02:19 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-08-21 02:18 314,880 ----a-w c:\windows\system32\ati2dvag.dll
2008-08-21 02:08 184,320 ----a-w c:\windows\system32\atipdlxx.dll
2008-08-21 02:08 143,360 ----a-w c:\windows\system32\Oemdspif.dll
2008-08-21 02:07 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-08-21 02:07 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-08-21 02:07 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-08-21 02:05 573,440 ----a-w c:\windows\system32\ati2evxx.exe
2008-08-21 02:04 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-08-21 02:01 10,084,352 ----a-w c:\windows\system32\atioglxx.dll
2008-08-21 01:55 4,094,560 ----a-w c:\windows\system32\ati3duag.dll
2008-08-21 01:50 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-08-21 01:38 2,377,856 ----a-w c:\windows\system32\ativvaxx.dll
2008-08-21 01:23 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-08-21 01:19 380,928 ----a-w c:\windows\system32\atikvmag.dll
2008-08-21 01:18 37,376 ----a-w c:\windows\system32\atiadlxx.dll
2008-08-21 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-08-21 01:17 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-08-21 01:11 561,152 ----a-w c:\windows\system32\ati2cqag.dll
2008-08-20 20:05 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Google Update"="c:\documents and settings\Mattias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-08 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.2-enGB-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R2 wowsystemcode;Remote TCP/IP;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\NetMeeting\Winlog.exe [2008-11-06 456192]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wowsystemcode
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-11-09 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Mattias\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-08 05:53]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Mattias\Application Data\Mozilla\Firefox\Profiles\6ykijizn.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-09 23:57:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-09 23:59:10
ComboFix-quarantined-files.txt 2008-11-09 22:59:05
Pre-Run: 58,816,290,816 bytes free
Post-Run: 58,987,540,480 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
168 --- E O F --- 2008-11-09 19:16:04
Antivirus Version Last Update Result
AhnLab-V3 2008.11.7.1 2008.11.09 -
AntiVir 7.9.0.26 2008.11.07 HEUR/Crypted
Authentium 5.1.0.4 2008.11.09 -
Avast 4.8.1248.0 2008.11.08 -
AVG 8.0.0.161 2008.11.09 -
BitDefender 7.2 2008.11.09 -
CAT-QuickHeal 9.50 2008.11.08 (Suspicious) - DNAScan
ClamAV 0.94.1 2008.11.09 -
DrWeb 4.44.0.09170 2008.11.09 -
eSafe 7.0.17.0 2008.11.09 -
eTrust-Vet 31.6.6199 2008.11.08 -
Ewido 4.0 2008.11.09 -
F-Prot 4.4.4.56 2008.11.09 -
F-Secure 8.0.14332.0 2008.11.09 -
Fortinet 3.117.0.0 2008.11.09 -
GData 19 2008.11.09 -
Ikarus T3.1.1.45.0 2008.11.09 Win32.SuspectCrc
K7AntiVirus 7.10.520 2008.11.08 -
Kaspersky 7.0.0.125 2008.11.09 -
McAfee 5428 2008.11.08 -
Microsoft 1.4104 2008.11.09 -
NOD32 3597 2008.11.08 -
Norman 5.80.02 2008.11.07 -
Panda 9.0.0.4 2008.11.09 -
PCTools 4.4.2.0 2008.11.09 -
Prevx1 V2 2008.11.10 -
Rising 21.02.62.00 2008.11.09 -
SecureWeb-Gateway 6.7.6 2008.11.09 Heuristic.Crypted
Sophos 4.35.0 2008.11.09 Sus/Behav-1021
Sunbelt 3.1.1785.2 2008.11.08 VIPRE.Suspicious
Symantec 10 2008.11.09 -
TheHacker 6.3.1.1.146 2008.11.08 -
TrendMicro 8.700.0.1004 2008.11.07 -
VBA32 3.12.8.9 2008.11.09 -
ViRobot 2008.11.7.1457 2008.11.07 -
VirusBuster 4.5.11.0 2008.11.09 -
Additional information
File size: 456192 bytes
MD5...: 58cbc64c84c3fb3c9ec29fa74f87a02a
SHA1..: 5bd22f65e3673d442b8bda25b5fef351c05f106d
SHA256: aaec39f69147dfd078d7e9c8612262e41f295a5094b4ad7ee82e1d956d0dbdd5
SHA512: c276674ab3b1cafcf6d850c5518714331e09ebdbac7a8d04befe4d57cb62bcb7
1c2fce34eb8d6a05ea7babfcdf96706a57af9c844d111da372155f20233b0a40
PEiD..: ASProtect v1.23 RC1
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x48d19c32 (Thu Sep 18 00:09:22 2008)
machinetype.......: 0x14c (I386)
( 11 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x98000 0x40c00 8.00 7f2ca0554d7be8f72a63fb3eea282948
0x99000 0x6000 0x3a00 7.99 0468fbe7b3d2435149dd5847cc4f822a
0x9f000 0x3000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0xa2000 0x3000 0xa00 7.93 70d82039e183fdae8416d3cb1c83471a
0xa5000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0xa6000 0x1000 0x200 0.21 9c9162431c940718529337b24534b19b
0xa7000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0xb0000 0x2000 0x200 5.58 eed3ce1dc020cc364d3a4edab4fdda85
0xb2000 0x3000 0x2000 7.97 c35a50c44022c9e4a56013614de808eb
.data 0xb5000 0x28000 0x27e00 7.83 04541050bbf064addb11c9d66eea94ac
.adata 0xdd000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
( 17 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> version.dll: VerQueryValueA
> shell32.dll: Shell_NotifyIconA
> user32.dll: GetKeyboardType
> ole32.dll: OleSaveToStream
> oleaut32.dll: GetErrorInfo
> comctl32.dll: ImageList_SetIconSize
> gdi32.dll: UnrealizeObject
> quartz.dll: AMGetErrorTextA
> user32.dll: CreateWindowExA
> oleaut32.dll: SafeArrayPtrOfIndex
> wsock32.dll: WSACleanup
> advapi32.dll: RegSetValueExA
> advapi32.dll: RegQueryValueExA
> oleaut32.dll: SysFreeString
> oleaut32.dll: VariantChangeTypeEx
> kernel32.dll: RaiseException
( 0 exports )
packers (F-Prot): Aspack
packers (Kaspersky): PE_Patch