Quote:
Originally Posted by sUBs
Did Creative's Control Panel applet used to load on startup before running ComboFix?
Yes, it used to load. This computer never had any other OS installed on it before XP SP2. Not sure why this was like that.
So I should get rid of the old shortcut I had to "C:\Program Files\Internet Explorer\iexplore.exe" and use the one that ComboFix put on my desktop instead?
I ran the ComboFix script and Kaspersky is updating and preparing to run now.
Here's the log of the second run of ComboFix using the script you provided:
ComboFix 08-12-01.01 - 10011 2008-12-01 16:10:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1128 [GMT -8:00]
Running from: c:\documents and settings\10011\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\10011\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\10011\Application Data\GetModule
.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.
2008-12-01 11:43 . 2008-12-01 11:52 250 --a------ c:\windows\gmer.ini
2008-12-01 10:14 . 2008-12-01 10:14 173 --a------ c:\windows\wininit.ini
2008-12-01 03:57 . 2008-12-01 03:57 <DIR> d-------- c:\program files\Lavasoft
2008-12-01 03:57 . 2008-12-01 04:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-01 03:55 . 2008-12-01 03:55 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-01 03:52 . 2008-12-01 10:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-01 03:52 . 2008-12-01 10:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 13:03 . 2008-11-22 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-11-22 13:02 . 2008-11-22 13:02 0 --a------ c:\windows\ativpsrm.bin
2008-11-22 12:59 . 2008-12-01 03:45 <DIR> d-------- c:\program files\ATI
2008-11-22 12:46 . 2008-11-22 12:46 <DIR> d-------- C:\ATI
2008-11-22 11:34 . 2008-11-22 11:35 <DIR> d-------- c:\program files\7-Zip
2008-11-22 11:31 . 2008-11-24 17:25 <DIR> d-------- c:\program files\Steam
2008-11-20 12:44 . 2008-11-20 12:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-17 14:22 . 2008-11-17 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-11 12:26 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 12:25 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 19:21 8,142 -c--a-w c:\windows\system32\ealregsnapshot1.reg
2008-12-01 19:20 --------- d-----w c:\documents and settings\10011\Application Data\U3
2008-12-01 18:19 --------- d-----w c:\program files\Xfire
2008-12-01 12:40 --------- d-----w c:\documents and settings\10011\Application Data\Azureus
2008-12-01 11:20 --------- d-----w c:\documents and settings\10011\Application Data\Xfire
2008-11-25 23:16 --------- d-----w c:\documents and settings\10011\Application Data\gtk-2.0
2008-11-23 18:14 --------- d-----w c:\program files\Folding@Home
2008-11-22 21:03 --------- d-----w c:\documents and settings\10011\Application Data\ATI
2008-11-22 20:58 --------- d-----w c:\program files\ATI Technologies
2008-11-22 20:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-21 19:42 --------- d-----w c:\program files\Azureus
2008-11-20 04:10 --------- d-----w c:\program files\Trend Micro
2008-11-17 22:23 --------- d-----w c:\program files\AIM6
2008-11-17 22:22 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-17 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-16 23:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-02 01:09 --------- d-----w c:\documents and settings\10011\Application Data\Red Alert 3
2008-11-01 01:20 --------- d-----w c:\program files\Bethesda Softworks
2008-10-31 06:36 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-29 05:05 593,920 ----a-w c:\windows\system32\ati2sgag.exe
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 02:23 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-10-29 02:22 314,880 ----a-w c:\windows\system32\ati2dvag.dll
2008-10-29 02:11 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-10-29 02:11 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-10-29 02:11 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-10-29 02:11 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-10-29 02:10 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-10-29 02:10 10,973,184 ----a-w c:\windows\system32\atioglxx.dll
2008-10-29 02:09 585,728 ----a-w c:\windows\system32\ati2evxx.exe
2008-10-29 02:07 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-10-29 01:57 4,041,472 ----a-w c:\windows\system32\ati3duag.dll
2008-10-29 01:49 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-10-29 01:41 2,472,832 ----a-w c:\windows\system32\ativvaxx.dll
2008-10-29 01:25 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-10-29 01:21 389,120 ----a-w c:\windows\system32\atikvmag.dll
2008-10-29 01:19 44,032 ----a-w c:\windows\system32\atiadlxx.dll
2008-10-29 01:19 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-29 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-10-29 01:12 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-10-28 17:54 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-10-28 17:54 --------- d-----w c:\program files\Java
2008-10-25 18:34 --------- d-----w c:\program files\Electronic Arts
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 23:15 --------- d-----w c:\program files\Starcraft
2008-10-21 17:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:56 --------- d-----w c:\documents and settings\10011\Application Data\Sites
2008-10-16 20:56 --------- d-----w c:\documents and settings\10011\Application Data\SiteClasses
2008-10-11 16:57 --------- d-----w c:\program files\SanrioTown
2008-10-04 18:44 --------- d-----w c:\documents and settings\10011\Application Data\SPORE
2008-10-03 00:40 --------- d-----w c:\documents and settings\10011\Application Data\Bioshock
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-11 16:27 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-05-02 17:28 22,328 ----a-w c:\documents and settings\10011\Application Data\PnkBstrK.sys
2004-03-16 01:51 114,688 ----a-w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 18:32 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 17:48 133,920 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
.
((((((((((((((((((((((((((((( snapshot@2008-12-01_14.38.46.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-01 22:56:02 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_83c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-13 363008]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-12-28 3429904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-28 136600]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 307200]
c:\documents and settings\10011\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Folding@Home 5.03.lnk - c:\program files\Folding@Home\winFAH.exe [2007-09-15 323584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebXQihe]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Visicom Media\\AceFTP 3 Freeware\\Aceftp3free.exe"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2007-02-21 4096]
R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sAUTODESKVAULT [2008-02-26 29183504]
R2 mxssvr;NI Configuration Manager;"c:\program files\National Instruments\MAX\nimxs.exe" [2007-02-22 12696]
R2 NITaggerService;National Instruments Variable Engine;"c:\program files\National Instruments\Shared\Tagger\tagsrv.exe" [2007-02-06 703264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-28 24652]
R3 cm102u32;C-Media CM6501 Like Sound Interface;c:\windows\system32\drivers\c6501.sys [2007-09-15 1419968]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b89869d2-71fa-11dc-8177-0018f30d24bf}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{C70B421F-A5D8-4D0E-A525-49A0C9C0FAB3} - (no file)
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-01 16:13:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1076)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-01 16:15:49
ComboFix-quarantined-files.txt 2008-12-02 00:14:33
ComboFix2.txt 2008-12-01 22:39:04
Pre-Run: 8,421,052,416 bytes free
Post-Run: 8,454,119,424 bytes free
201 --- E O F --- 2008-11-11 22:24:43