Old 11-28-2008, 06:39 PM   #5 (permalink)
robbb
OS: vista home premium


Re: maybe rootkit virus

Here is the combofix.log. Please tell me if there is a problem with the rootkit virus. Thx

ComboFix 08-11-28.02 - Harry 2008-11-28 15:58:23.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.185 [GMT -8:00]
Running from: c:\users\Harry\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\resycled
c:\windows\system32\AutoRun.inf
c:\windows\system32\x64
D:\resycled

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Windows Tribute Service


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-21 09:00 . 2008-11-21 10:29 <DIR> d-------- C:\rsit
2008-11-20 16:04 . 2008-11-21 08:39 250 --a------ c:\windows\gmer.ini
2008-11-20 09:08 . 2008-11-20 09:08 <DIR> d-------- c:\users\All Users\Windows Genuine Advantage
2008-11-20 07:32 . 2008-09-17 20:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-11-20 07:32 . 2008-09-17 20:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-11-19 19:01 . 2008-09-09 19:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-19 19:01 . 2008-09-04 21:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-19 19:01 . 2008-08-26 17:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-19 14:03 . 2008-11-19 14:05 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-11-18 16:07 . 2008-11-18 16:07 99 --a------ c:\windows\WININIT.INI
2008-11-17 21:19 . 2008-11-17 21:19 148,296 --ah----- c:\windows\System32\mlfcache.dat
2008-11-13 15:19 . 2008-11-13 15:19 <DIR> d-------- c:\program files\Alwil Software
2008-11-13 15:19 . 2008-11-18 10:02 51,792 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2008-11-12 13:40 . 2008-11-12 13:40 18,430 --a------ c:\windows\System32\threat437y.klg
2008-11-12 08:52 . 2008-11-12 08:52 29,192 --a------ c:\windows\System32\drivers\ndisprot.sys
2008-11-08 11:01 . 2008-11-08 11:01 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-08 11:01 . 2008-11-08 11:01 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-08 11:01 . 2008-11-08 11:01 <DIR> d-------- c:\program files\iTunes
2008-10-29 07:23 . 2008-08-11 19:39 443,392 --a------ c:\windows\System32\win32spl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 23:38 --------- d-----w c:\users\Harry\AppData\Roaming\Skype
2008-11-28 20:38 --------- d-----w c:\users\Harry\AppData\Roaming\skypePM
2008-11-15 19:13 --------- d-----w c:\program files\Safari
2008-11-14 23:44 --------- d-----w c:\users\Harry\AppData\Roaming\uTorrent
2008-11-12 21:41 5,950 ----a-w c:\windows\System32\866_data.zip
2008-11-12 21:41 5,394 ----a-w c:\windows\System32\images875.zip
2008-11-12 21:41 4,401 ----a-w c:\windows\System32\uninstall2b4.bin
2008-11-12 21:41 3,845 ----a-w c:\windows\System32\701_data.bin
2008-11-12 21:41 3,288 ----a-w c:\windows\System32\709part.bin
2008-11-08 19:01 --------- d-----w c:\program files\iPod
2008-10-22 15:27 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-28 17:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-28 17:23 --------- d-----w c:\programdata\PC Drivers HeadQuarters
2008-09-28 17:23 --------- d-----w c:\program files\PC Drivers HeadQuarters
2008-09-28 15:58 --------- d-----w c:\program files\TeVeo
2008-09-28 15:58 --------- d-----w c:\program files\HomeConnect
2008-09-28 15:58 --------- d-----w c:\program files\3Com PC Digital WebCam Lite
2008-09-28 15:56 --------- d-----w c:\program files\ArcSoft
2008-09-24 21:47 32 ----a-w c:\users\All Users\ezsid.dat
2008-09-24 21:47 32 ----a-w c:\programdata\ezsid.dat
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-08-29 17:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 16:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-05-26 21:20 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-15 768520]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-05 c:\windows\RtHDVCpl.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-06-17 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VQC2"= vqdecode.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2202586810-2236196959-55598472-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{55FA8D98-00EE-46D4-80F6-B2FE8E7C8C8D}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{EF222906-87A4-4828-9F6B-D7BB099B5C73}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{4C9D47C0-EEF7-4203-8B67-FB56A04C48B9}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{1055584B-7CE5-4C0D-85DF-5830B30182F0}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{B865A331-0198-4E67-8AB0-0829040F707B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FFF9EBCC-F1FB-45DC-A85F-F986FB6DFA59}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{EC433046-11D0-4C16-948F-AAA0FE160F72}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{C9845F71-2301-405D-A405-D60128F455DB}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{F0640AF7-F4F7-4C1B-9DA5-EA1EBD3AB2E9}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"TCP Query User{DB0664D2-A1A6-486E-8BBA-FD2DBCBF0AB2}c:\\program files\\shareaza\\shareaza.exe"= UDP:c:\program files\shareaza\shareaza.exe:Shareaza Ultimate File Sharing
"UDP Query User{2EF4F163-0111-4EC1-AB90-96EFF4C4DFC0}c:\\program files\\shareaza\\shareaza.exe"= TCP:c:\program files\shareaza\shareaza.exe:Shareaza Ultimate File Sharing
"{7BFC3039-AB90-4AEB-A59A-DE1B444497C4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{BB4D9FCB-E215-4CC6-B3FB-D05D07E2FEDA}c:\\phxtitanium\\mirc.exe"= UDP:c:\phxtitanium\mirc.exe:mIRC
"UDP Query User{14678838-5BBC-4097-A30C-1E739A06C787}c:\\phxtitanium\\mirc.exe"= TCP:c:\phxtitanium\mirc.exe:mIRC
"TCP Query User{DC0F1FF8-FBDE-4F12-9B98-70DC911A8336}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{7B61C991-3D70-475B-9FE7-0F40A9A4AF14}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{32C6FF70-D9C1-428E-AEF0-C3BE9CF98489}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{411CF3C9-C0AC-433E-90BE-37AF673168F4}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{B2585D51-7E54-4418-B10A-C01BAC8D0A28}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{8CBBA1D2-A23C-4116-B33F-6B496DBA0D22}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{96EEF867-F77D-4BDC-B377-12ADC8E9785E}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{8B0F8C26-6FD7-413A-9012-ABB6100B29D2}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{A64CEFBF-EDDA-4D10-A350-B6F0F232D294}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{03E89DC8-49E5-46D1-A07F-8ADEF55CC440}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2033C4F4-F2FD-4B43-A03F-5DA2EFDDAF65}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{ADDEDCE4-DA61-48FE-AE43-5E1723DA809D}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{21747B56-E846-4A14-80E0-E61321466985}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{F240B5A1-B302-4AB8-AA33-4D047B7BB7C0}"= Disabled:UDP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{6714E47D-9404-4699-A103-1BEE5858A661}"= Disabled:TCP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{4A1789C4-56D9-4ACB-BC23-40D77F80DAD7}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{34992DA2-912F-4181-96D8-64F05B4DD3FE}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"TCP Query User{C4A21DFB-45CF-47CA-AA02-16F8474D5EFD}c:\\program files\\teveo\\teveolive\\teveolive.exe"= UDP:c:\program files\teveo\teveolive\teveolive.exe:TeVeoLive
"UDP Query User{0D709E88-B35D-4C78-861D-9DDB079D3C35}c:\\program files\\teveo\\teveolive\\teveolive.exe"= TCP:c:\program files\teveo\teveolive\teveolive.exe:TeVeoLive
"{73EBF954-74AA-483B-B740-BDB9E37A8553}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{52D3A59C-E299-49A1-89BF-2674502734CB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-13 110160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-26 97928]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2008-01-27 11:59:37 13560]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-13 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-11-13 51792]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-05-26 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-26 231704]
R3 AvgWfpX;AVG8 Firewall Driver x86;c:\windows\system32\Drivers\avgwfpx.sys [2008-05-26 69128]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-25 179712]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-12 29192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-01-29 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 16:05:55
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Harry\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3332)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\conime.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Launch Manager\LManager.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Mobility Center\MobilityService.exe
c:\users\Harry\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\System32\igfxext.exe
c:\windows\System32\drivers\XAudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-11-28 16:12:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 00:12:16

Pre-Run: 15,654,588,416 bytes free
Post-Run: 16,143,761,408 bytes free

238 --- E O F --- 2008-11-27 16:30:28