Thread: Ried #3
Old 11-10-2008, 09:54 PM   #3
red_machine
Registered User
 
Join Date: Oct 2008
Location: Minneapolis
Posts: 52
OS: Vista


Re: Ried #3

ComboFix 08-11-10.01 - Administrator 2008-11-10 22:49:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1679 [GMT -6:00]
Running from: e:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-10 19:07 . 2008-11-10 19:07 250 --a------ e:\windows\gmer.ini
2008-11-07 06:42 . 2008-11-07 06:42 3,560 --a------ e:\windows\system32\tmp.reg
2008-11-06 22:20 . 2008-11-06 22:20 <DIR> d-------- e:\documents and settings\All Users\Application Data\TEMP
2008-11-06 22:18 . 2008-11-06 22:18 <DIR> d-------- e:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-06 22:18 . 2008-11-06 22:18 <DIR> d-------- e:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-06 22:16 . 2008-11-10 18:58 <DIR> d-------- e:\program files\Trojan Remover
2008-11-04 22:09 . 2008-11-10 18:57 <DIR> d-------- e:\documents and settings\All Users\Application Data\Lavasoft
2008-10-18 15:16 . 2008-08-14 04:11 2,189,184 -----c--- e:\windows\system32\dllcache\ntoskrnl.exe
2008-10-18 15:16 . 2008-08-14 04:09 2,145,280 -----c--- e:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-18 15:16 . 2008-08-14 03:33 2,066,048 -----c--- e:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-18 15:16 . 2008-08-14 03:33 2,023,936 -----c--- e:\windows\system32\dllcache\ntkrpamp.exe
2008-10-18 15:16 . 2008-09-15 06:12 1,846,400 -----c--- e:\windows\system32\dllcache\win32k.sys
2008-10-18 15:16 . 2008-09-08 04:41 333,824 -----c--- e:\windows\system32\dllcache\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 04:41 --------- d-----w e:\documents and settings\Administrator\Application Data\WTablet
2008-11-11 04:26 --------- d-----w e:\documents and settings\LocalService\Application Data\WTablet
2008-09-28 21:25 --------- d-----w e:\documents and settings\Administrator\Application Data\Imagenomic
2008-09-28 21:23 --------- d-----w e:\program files\Instant JPEG From RAW
2008-09-28 21:21 --------- d-----w e:\program files\Mozilla Thunderbird
2008-09-15 12:12 1,846,400 ----a-w e:\windows\system32\win32k.sys
2008-08-26 07:24 826,368 ----a-w e:\windows\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w e:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w e:\windows\system32\ntkrnlpa.exe
2008-07-28 00:38 32,768 --sha-w e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072720080728\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="e:\windows\system32\nvraidservice.exe" [2005-01-17 84480]
"HPDJ Taskbar Utility"="e:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-06 172032]
"HPHUPD06"="e:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-06 49152]
"HP Software Update"="e:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="e:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="e:\windows\system32\hphmon06.exe" [2006-01-06 659456]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2007-11-06 8523776]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2007-11-06 81920]
"SunJavaUpdateSched"="e:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Photo Downloader"="e:\program files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-12-04 61440]
"TomTomHOME.exe"="e:\program files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 378784]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 e:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2007-11-06 e:\windows\system32\nwiz.exe]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Logo Calibration Loader.lnk - e:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2008-01-15 708608]
ProfileReminder.lnk - e:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2008-01-15 954368]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=

R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;e:\windows\system32\DRIVERS\Si3132r5.sys [2007-06-01 215856]
R2 PDIHWCTL;PDIHWCTL;e:\windows\system32\drivers\pdihwctl.sys [2007-01-25 14416]
R2 TabletServiceWacom;TabletServiceWacom;e:\windows\system32\Wacom_Tablet.exe [2007-09-07 1373480]
R3 wacommousefilter;Wacom Mouse Filter Driver;e:\windows\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11312]
R3 wacomvhid;Wacom Virtual Hid Driver;e:\windows\system32\DRIVERS\wacomvhid.sys [2007-02-16 12848]
R3 WacomVKHid;Virtual Keyboard Driver;e:\windows\system32\DRIVERS\WacomVKHid.sys [2007-02-15 11440]
S3 i1display;i1 Display;e:\windows\system32\Drivers\i1display.sys [2004-10-15 44344]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 e:\windows\Tasks\HP Usg Daily FY04.job
- e:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2006-01-06 22:54]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - e:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\matts profile\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.techsupportforum.com/security-center/hijackthis-log-help/311572-ried-3-a.html
FF -: plugin - e:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\matts profile\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 22:50:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-10 22:51:32
ComboFix-quarantined-files.txt 2008-11-11 04:51:26

Pre-Run: 24,177,614,848 bytes free
Post-Run: 25,074,728,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

108 --- E O F --- 2008-10-19 08:02:50