11-10-2008, 05:59 PM   #11
kokleman
Registered User
 
Join Date: Nov 2008
Posts: 17
OS: xp


Re: Sound clips playing every 30 seconds

This was the new ComboFix log, though.

ComboFix 08-11-05.02 - Lucien 2008-11-06 15:48:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1524 [GMT -6:00]
Running from: c:\documents and settings\Lucien\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\rm6lMh37.exe.a_a
c:\windows\system32\to3nOj04.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-02 03:14 . 2008-11-05 15:11 41,474 --a------ c:\windows\system32\rm6lMh37.exe_
2008-11-02 03:14 . 2008-11-05 16:11 41,474 --a------ c:\windows\system32\rm6lMh37.exe
2008-10-30 19:18 . 2008-10-30 19:18 7,704 --a------ c:\windows\system32\mst120.dll
2008-10-23 15:03 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 16:39 . 2008-10-14 16:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-10-14 13:16 . 2008-08-14 04:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 13:16 . 2008-08-14 04:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 13:16 . 2008-08-14 03:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 13:16 . 2008-08-14 03:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-14 13:16 . 2008-09-15 06:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-14 13:16 . 2008-09-08 04:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-08 11:14 . 2008-10-08 11:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-08 11:14 . 2008-09-09 23:04 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-08 11:14 . 2008-09-09 23:03 17,200 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 02:27 --------- d-----w c:\program files\Trend Micro
2008-11-04 21:50 --------- d-----w c:\program files\World of Warcraft
2008-11-02 16:00 --------- d-----w c:\program files\Common Files\Adobe
2008-11-01 16:17 --------- d-----w c:\documents and settings\Lucien\Application Data\LimeWire
2008-10-31 01:39 --------- d-----w c:\documents and settings\Lucien\Application Data\mIRC
2008-10-31 01:25 --------- d-----w c:\program files\mIRC
2008-10-30 21:06 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 02:16 336 ----a-w c:\documents and settings\Lucien\Application Data\wklnhst.dat
2008-10-21 20:02 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-04 18:42 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-03 02:01 --------- d-----w c:\documents and settings\Lucien\Application Data\Template
2008-10-02 22:52 --------- d-----w c:\program files\CCleaner
2008-10-02 22:49 --------- d-----w c:\documents and settings\Lucien\Application Data\Malwarebytes
2008-10-02 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-02 21:03 --------- d-----w c:\documents and settings\NetworkService\Application Data\Skype
2008-09-20 20:13 30,272 ----a-w c:\windows\system32\13H8MJt4.exe
2008-09-20 13:31 24 ----a-w c:\documents and settings\Lucien\jagex_runescape_preferences.dat
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-11 22:26 --------- d-----w c:\program files\iTunes
2008-09-11 22:26 --------- d-----w c:\program files\iPod
2008-09-11 22:26 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-11 22:25 --------- d-----w c:\program files\QuickTime
2008-09-11 22:25 --------- d-----w c:\program files\Common Files\Apple
2008-09-11 22:25 --------- d-----w c:\program files\Bonjour
2008-09-09 20:50 --------- d-----w c:\program files\Microsoft Works
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-07 05:39 --------- d-----w c:\program files\SwiftKit
2008-08-29 15:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 14:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-20 05:30 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-12-16 16:58 60,968 ----a-w c:\documents and settings\Lucien\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2008-10-07 1410296]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"Tarantula"="c:\program files\Razer\Tarantula\razerhid.exe" [2006-09-30 176128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-12 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 12:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 11:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.0.8089-to-2.4.1.8125-enUS-downloader.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\redman27678\\condition zero\\hl.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\redman27678\\counter-strike\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\redman27678\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"6881:TCP"= 6881:TCP:Blizzard Downloader

R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R3 CM1083264;C-Media CM108 Like Sound UDAX Interface;c:\windows\system32\drivers\CM108.sys [2006-12-21 1294336]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-02 22784]
R3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\Drivers\UsbFltr.sys [2006-09-27 44800]
S2 zumbus;Zune Bus Enumerator Driver;c:\windows\system32\DRIVERS\zumbus.sys [ ]
S3 GoToAssist;GoToAssist;c:\program files\Citrix\GoToAssist\480\g2aservice.exe Start=service [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-02 c:\windows\Tasks\At1.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-01 c:\windows\Tasks\At10.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At11.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At12.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At13.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At14.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At15.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At16.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At17.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At18.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-06 c:\windows\Tasks\At19.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At2.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-06 c:\windows\Tasks\At20.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-06 c:\windows\Tasks\At21.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-06 c:\windows\Tasks\At22.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At23.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At24.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At25.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At26.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At27.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At28.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At29.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At3.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At30.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-10-02 c:\windows\Tasks\At31.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-10-02 c:\windows\Tasks\At32.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-10-02 c:\windows\Tasks\At33.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-01 c:\windows\Tasks\At34.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At35.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At36.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At37.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At38.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At39.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At4.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-05 c:\windows\Tasks\At40.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-05 c:\windows\Tasks\At41.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-05 c:\windows\Tasks\At42.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-06 c:\windows\Tasks\At43.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-06 c:\windows\Tasks\At44.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-06 c:\windows\Tasks\At45.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-06 c:\windows\Tasks\At46.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-05 c:\windows\Tasks\At47.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At48.job
- c:\windows\system32\rm6lMh37.exe [2008-11-05 16:11]

2008-11-02 c:\windows\Tasks\At5.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-11-02 c:\windows\Tasks\At6.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-10-02 c:\windows\Tasks\At7.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-10-02 c:\windows\Tasks\At8.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]

2008-10-02 c:\windows\Tasks\At9.job
- c:\windows\system32\13H8MJt4.exe [2008-09-20 14:13]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-CM108Sound - CM108.cpl
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Lucien\Application Data\Mozilla\Firefox\Profiles\cyv1ncpy.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aol.com/?src=aim
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 15:50:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Lucien\LOCALS~1\Temp\RGI26.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-11-06 15:50:55
ComboFix-quarantined-files.txt 2008-11-06 21:50:41

Pre-Run: 178,902,425,600 bytes free
Post-Run: 179,082,887,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

285 --- E O F --- 2008-10-23 22:21:32