ComboFix seemed to run better this time, although it did give an error at about stage 10 which was something like...
"windows command processor has stopped working"
I guess that was ComboFix shutting that process down and not actually an error? (Or I could be wrong.)
Here is the ComboFix log you requested...
ComboFix 08-11-27.01 - kracken 2008-11-27 18:33:54.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1231 [GMT 0:00]
Running from: c:\users\kracken\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Autorun.inf
C:\resycled
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_Windows Tribute Service
-------\Service_Windows Tribute Service
((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.
2008-11-24 19:25 . 2008-11-24 19:25 15,430,656 --a------ c:\windows\System32\imageres.dll
2008-11-24 19:11 . 2008-11-24 19:11 <DIR> d-------- c:\programdata\Stardock
2008-11-24 19:11 . 2008-11-24 19:11 <DIR> d-------- c:\program files\Stardock
2008-11-24 19:11 . 2007-06-05 11:26 567,040 --a------ c:\windows\System32\wbocx.ocx
2008-11-24 19:11 . 2007-06-05 11:26 56,496 --a------ c:\windows\System32\wbhelp2.dll
2008-11-23 12:13 . 2008-11-23 12:13 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-23 12:13 . 2008-11-23 12:13 <DIR> d-------- c:\program files\iPod
2008-11-23 11:04 . 2008-11-23 11:04 410,976 --a------ c:\windows\System32\deploytk.dll
2008-11-08 12:35 . 2008-11-08 12:35 <DIR> d-------- C:\rsit
2008-11-08 11:58 . 2008-11-17 18:36 250 --a------ c:\windows\gmer.ini
2008-11-08 10:59 . 2008-11-08 10:59 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 10:15 . 2003-07-17 09:17 5,174 --a------ c:\windows\System32\nppt9x.vxd
2008-11-08 10:15 . 2005-01-01 00:43 4,682 --a------ c:\windows\System32\npptNT2.sys
2008-11-08 10:10 . 2008-11-08 10:10 <DIR> d-------- c:\program files\Common Files\INCA Shared
2008-11-08 10:07 . 2008-11-08 10:07 <DIR> d-------- c:\program files\G4box
2008-10-30 19:00 . 2008-08-12 03:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-30 19:00 . 2008-09-18 04:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-30 19:00 . 2008-09-18 04:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-28 20:56 . 2008-10-28 20:56 <DIR> d--h----- c:\windows\msdownld.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-27 17:31 --------- d-----w c:\program files\ESET
2008-11-27 17:19 53,248 ----a-w c:\windows\System32\zlib.dll
2008-11-23 12:13 --------- d-----w c:\program files\iTunes
2008-11-23 12:13 --------- d-----w c:\program files\Common Files\Apple
2008-11-23 12:11 --------- d-----w c:\program files\QuickTime
2008-11-23 12:06 --------- d-----w c:\program files\Safari
2008-11-23 11:04 --------- d-----w c:\program files\Java
2008-11-15 20:45 107,789 ----a-w c:\users\kracken\AppData\Roaming\nvModes.dat
2008-11-11 20:37 --------- d-----w c:\users\kracken\AppData\Roaming\GrabIt
2008-11-07 19:49 --------- d-----w c:\users\kracken\AppData\Roaming\IGN_DLM
2008-10-31 16:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-28 21:07 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-10-28 21:07 111,928 ----a-w c:\windows\System32\PnkBstrB.exe
2008-10-28 20:43 682,280 ----a-w c:\windows\System32\pbsvc.exe
2008-10-28 20:43 22,328 ----a-w c:\users\kracken\AppData\Roaming\PnkBstrK.sys
2008-10-28 12:01 --------- d-----w c:\programdata\NexonEU
2008-10-27 07:02 --------- d-----w c:\program files\Sony
2008-10-26 21:32 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-26 21:31 --------- d-----w c:\program files\Windows Mail
2008-10-26 21:30 --------- d-----w c:\programdata\Microsoft Help
2008-10-25 14:16 --------- d-----w c:\program files\Axialis
2008-10-25 09:51 --------- d-----w c:\program files\Download Manager
2008-10-22 11:34 --------- d-----w c:\program files\Windows Live
2008-10-22 11:33 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2008-10-22 11:31 --------- d-----w c:\program files\Microsoft
2008-10-22 11:28 --------- d-----w c:\program files\Common Files\Windows Live
2008-10-11 12:13 --------- d-----w c:\program files\Active Data Recovery Software
2008-10-11 12:09 --------- d-----w c:\program files\Data Doctor Recovery FAT+NTFS
2008-10-11 11:54 --------- d-----w c:\program files\Ontrack
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-01 12:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-28 19:47 --------- d-----w c:\program files\Visual MP3 Splitter & Joiner
2008-09-27 19:21 --------- d-----w c:\program files\Common Files\Sony Shared
2008-09-27 14:51 --------- d-----w c:\programdata\Sony Corporation
2008-09-26 12:23 107,888 ----a-w c:\windows\System32\CmdLineExt.dll
2008-09-26 11:58 3,586 ----a-w c:\windows\System32\ealregsnapshot1.reg
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-08 23:03 51,712 ----a-w c:\windows\System32\sirenacm.dll
2008-09-05 21:16 1,900,544 ----a-w c:\windows\System32\usbaaplrc.dll
2008-09-05 14:56 287,744 ----a-w c:\windows\WLXPGSS.SCR
2008-08-29 09:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-03-19 09:55 174 --sha-w c:\program files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 1688872]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Privacy Suite RiskMonitor"="c:\program files\CyberScrub Privacy Suite\CSRiskMon.exe" [2007-11-22 1777296]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-07-18 4608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-22 2772992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-06-10 118784]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-06-12 317560]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"PDFHook"="c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe" [2008-02-27 795936]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Professional 5\RegistryController.exe" [2008-02-27 58656]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-03-26 210472]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" [2007-08-31 328992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-06-22 739880]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-03-02 789008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-07-12 15:33 98304 c:\windows\System32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\program files\Common Files\Sony Shared\VideoLib\sonydv.dll
"vidc.K3CC"= K3CCodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3
"c:\\Nexon\\Combat Arms EU\\CombatArms.exe"= c:\nexon\Combat Arms EU\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms EU\\Engine.exe"= c:\nexon\Combat Arms EU\Engine.exe:*Enabled:Engine.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1C0EA9C8-F40A-4316-AE8B-074DB7442A97}"= UDP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{F4F15440-9D6E-4164-B884-DBE0D51F4153}"= TCP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{5BD90F18-8578-4455-BDB3-4C404C8B30B7}"= Disabled:UDP:c:\program files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{757FAD04-FD69-4F2C-A230-3F2F7C5277F0}"= Disabled:TCP:c:\program files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{1755C92B-CD48-40DC-A3E6-2112A76442F6}"= Disabled:UDP:c:\program files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{E31D3A90-91B5-4E40-B8AA-E25CACFCB7CD}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 5.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{9782B203-50AF-43D2-A719-E4475017EC5F}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{103AB14C-5435-48E1-958F-3AE89E9A4455}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{48DA0F95-E764-41E4-A6F3-2C869813A59D}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{684DB13A-20FB-41E3-B7ED-169125FB31B6}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{E064D5C0-0A2E-4A4F-AA82-AA66060E8529}"= UDP:c:\program files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{177354BF-5DB7-418D-BB5B-89EE39CE4B36}"= TCP:c:\program files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{24149533-7C19-4594-AD4C-F33A4281F9AD}"= UDP:c:\program files\Sierra Entertainment\World in Conflict\wic.exe:World in Conflict
"{4285FC47-311A-42EA-B537-7F7EE1631B3C}"= TCP:c:\program files\Sierra Entertainment\World in Conflict\wic.exe:World in Conflict
"{924BEE4F-E37B-4D3D-AF20-67800D35811B}"= UDP:c:\program files\Sierra Entertainment\World in Conflict\wic_online.exe:World in Conflict - Online Only
"{87DBB311-754D-43FA-B97B-B17995D27585}"= TCP:c:\program files\Sierra Entertainment\World in Conflict\wic_online.exe:World in Conflict - Online Only
"{005FF211-7668-4A1D-9EA0-6361439816F0}"= UDP:c:\program files\Sierra Entertainment\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server
"{C6A61FAB-DAE4-4073-B304-63F00E68B45B}"= TCP:c:\program files\Sierra Entertainment\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server
"{46CC18FE-6C31-42D0-B6E4-78838D27052E}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{9F4F6E96-B9FD-439D-89D0-DF1DBAB9126E}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{4102A73C-970F-4159-8F39-EFCBECADF94C}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F6347CA5-F525-4864-AA2F-C37A4479A1B7}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5ECB6C1B-A62E-46CB-A38C-001941120A11}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{1B04C0F2-A054-4521-B04C-41F2BDD7844C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{D35ED7E9-7ED7-471A-B1A2-6BFF1DB28FE9}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{BE7FF93A-B804-42A5-806E-BB88E05EEBD3}"= UDP:c:\program files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{994E2142-A38C-4CEF-A381-B039DD0FB711}"= TCP:c:\program files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{882E6BE4-7CC6-47F7-8109-8C936140C151}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{1ADB9DFE-1E26-4F4A-8343-4651A2782907}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{B3D54BBE-BB73-422C-9F19-7905AB6EE248}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E95F184F-7A84-4A3F-8A75-D193FFAE4747}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{CC82B24D-BEE0-4EE3-B48B-EE5FC3C4473A}c:\\users\\kracken\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= UDP:c:\users\kracken\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"UDP Query User{99E7B492-0428-4819-A6F1-AFDDDE77FE03}c:\\users\\kracken\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= TCP:c:\users\kracken\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"TCP Query User{2FC7322F-1CCD-4CBA-86CC-E67708512DCB}c:\\program files\\ea games\\red alert 3 beta\\retailexe\\1.2\\ra3game.dat"= UDP:c:\program files\ea games\red alert 3 beta\retailexe\1.2\ra3game.dat:Command and Conquer Red Alert 3™
"UDP Query User{C74CC50F-1565-4093-AB9C-F214A10CA9E7}c:\\program files\\ea games\\red alert 3 beta\\retailexe\\1.2\\ra3game.dat"= TCP:c:\program files\ea games\red alert 3 beta\retailexe\1.2\ra3game.dat:Command and Conquer Red Alert 3™
"{AEC67399-44B9-4AE2-B629-6568920F9E46}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{EFDE9374-25E8-4974-834F-F9E0B9AC8D77}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{BF3CC7EF-D893-4F56-8FDD-B839DB5CE745}f:\\somexploreru.exe"= UDP:F:\somexploreru.exe:SomExploreru
"UDP Query User{E05327D1-CF5E-4925-AD8F-3766032D59DE}f:\\somexploreru.exe"= TCP:F:\somexploreru.exe:SomExploreru
"{F0B8B1D9-4401-40CC-BA29-A0CA7B6FAC5A}"= UDP:c:\programdata\NexonEU\NGM\NGM.exe:Nexon Game Manager
"{1BCDC98C-27FA-42BC-8476-EADD1FA55C97}"= TCP:c:\programdata\NexonEU\NGM\NGM.exe:Nexon Game Manager
"{66DCAF23-7711-4149-A9E2-DEBF1FBD5D84}"= UDP:c:\nexon\Combat Arms EU\NMService.exe:Nexon Messenger Core
"{33F888EE-4915-47AF-ABE6-493A26097BFA}"= TCP:c:\nexon\Combat Arms EU\NMService.exe:Nexon Messenger Core
"{8014B67D-C07C-4FC0-AA58-8CDDC8919D0F}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{7EB3E4CC-B1A8-4CBE-A943-C41180358640}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{A65AC947-421E-41A7-A5C3-233D05F09F19}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{5B1CAC68-FEE0-48B3-BCE0-94425C66D50F}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{F7BEC0B0-0048-42AF-B72A-C54B30EB6D3D}c:\\program files\\activision\\call of duty - world at war beta\\codwawbeta.exe"= UDP:c:\program files\activision\call of duty - world at war beta\codwawbeta.exe:Call of Duty(R): World at War Multiplayer
"UDP Query User{EBCD269D-42D9-4AC3-84B8-FCFD4988F139}c:\\program files\\activision\\call of duty - world at war beta\\codwawbeta.exe"= TCP:c:\program files\activision\call of duty - world at war beta\codwawbeta.exe:Call of Duty(R): World at War Multiplayer
"{A5308325-5F69-4B56-B78B-3380703AA4C6}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{BD39BE57-6A31-47B9-B5C6-8DAA540A0C12}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3
"c:\\Nexon\\Combat Arms EU\\CombatArms.exe"= c:\nexon\Combat Arms EU\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms EU\\Engine.exe"= c:\nexon\Combat Arms EU\Engine.exe:*Enabled:Engine.exe
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-02-13 39472]
R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2008-02-27 144672]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2007-07-20 75008]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2007-07-20 43904]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-07-20 812544]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2007-07-20 28464]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\Drivers\FTD2XX.sys [2008-02-07 34639]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\DRIVERS\rdpdispm.sys [2008-05-27 12288]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-08-11 745472]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);"c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-UCLS-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\UCLS\HTTP" []
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-08-11 1089536]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;"c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe" [2008-09-27 333088]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;"c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe" [2008-09-27 87328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - i:\autorun\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0abe0dc7-1513-11dd-935f-001a801849ec}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL h:\website\index.html
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Evidence Eliminator - c:\program files\Evidence Eliminator\ee.exe
HKCU-Run-PhoneDaemon - c:\users\kracken\Downloads\iphone\iPhone PC Suite\PhoneDaemon.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Create PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 5.0 - c:\program files\Nuance\PDF Professional 5\cnvres_eng.dll /100
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
c:\windows\System32\msvcrt.dll - c:\windows\System32\mfc42.dll
c:\windows\Downloaded Program Files\playershim.dll
c:\windows\Downloaded Program Files\ocx_play.ocx
O16 -: {22055A00-27C0-438B-BF53-44E973A4C48A}
hxxp://video.vividas.com/CDN1/5403_sony_bluray/web/player/vivid_ocx.jpeg
c:\windows\Downloaded Program Files\cab.inf
c:\windows\Downloaded Program Files\kxhcm10.ocx - O16 -: {2E28242B-A689-11D4-80F2-0040266CBB8D}
hxxp://83.104.226.142/kxhcm10.ocx
c:\windows\Downloaded Program Files\Core.dll - c:\windows\Downloaded Program Files\DigiMeldOcx.ocx
O16 -: {8ACDC08B-DC64-4613-97F2-299B65F66E1D}
hxxp://www.digimeld.com/download/digimeldOcx.CAB
c:\windows\Downloaded Program Files\install.inf
c:\windows\Downloaded Program Files\utilclasses.dll - c:\windows\Downloaded Program Files\rdpstream.dll
c:\windows\Downloaded Program Files\wlcmstscax.dll
c:\windows\Downloaded Program Files\rdpapi.dll
c:\windows\Downloaded Program Files\lkrhwlc.dll
c:\windows\Downloaded Program Files\encoders.dll
c:\windows\Downloaded Program Files\commengine.dll
c:\windows\Downloaded Program Files\blackpipe.dll
c:\windows\Downloaded Program Files\WLCTSCCtl.dll
O16 -: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}
hxxps://www.mesh.com/Install/win32/TSWeb.cab
c:\windows\Downloaded Program Files\TSWeb.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-27 18:42:20
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = acaptuser32.dll???
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\Crypserv.exe
c:\windows\System32\PnkBstrA.exe
c:\windows\System32\stacsv.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Sony\VAIO Power Management\SPMgr.exe
c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe
c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
c:\windows\System32\rundll32.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\windows\System32\rundll32.exe
c:\program files\Nuance\PDF Professional 5\bin\PDFDirect.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-11-27 18:48:09 - machine was rebooted [kracken]
ComboFix-quarantined-files.txt 2008-11-27 18:48:05
Pre-Run: 99,267,272,704 bytes free
Post-Run: 99,230,040,064 bytes free
311 --- E O F --- 2008-10-31 16:06:25
Regards
plasma.d00d