Here's the ComboFix log.
ComboFix 08-12-06.04 - Owner 2008-12-06 21:02:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1543 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
FILE ::
c:\documents and settings\owner\.exe
c:\windows\1.ini
c:\windows\syscheck
c:\windows\system32\wow71_724.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\owner\.exe
c:\documents and settings\Owner\Favorites\Online Security Test.url
c:\program files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
c:\program files\INSTALL.LOG
c:\program files\Need2Find
c:\program files\Need2Find\bar\1.bin\PARTNER.DAT
c:\program files\Need2Find\bar\Cache\020C657B
c:\program files\Need2Find\bar\Cache\files.ini
c:\program files\Need2Find\bar\History\search
c:\program files\Need2Find\bar\Settings\prevcfg.htm
c:\windows\1.ini
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\IE4 Error Log.txt
c:\windows\syscheck
c:\windows\system32\209789
c:\windows\system32\AdCache
c:\windows\system32\cache329
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\regperf.exe
c:\windows\system32\taskmagr.exe
c:\windows\system32\tIVqt6m1.exe.a_a
c:\windows\system32\wmdmpmsvc.dll
c:\windows\system32\wow71_724.dll
c:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.
2008-12-03 03:53 . 2008-12-06 17:05 250 --a------ c:\windows\gmer.ini
2008-12-02 22:00 . 2008-12-02 22:00 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 15:59 . 2007-03-07 17:51 129,784 --------- c:\windows\system32\pxafs.dll
2008-12-02 15:58 . 2008-12-06 13:41 <DIR> d-------- c:\program files\Winamp
2008-12-02 15:58 . 2008-12-06 13:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\Winamp
2008-12-01 04:58 . 2008-12-01 04:58 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\EmailNotifier
2008-11-11 19:02 . 2008-11-11 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 19:41 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-12-06 19:41 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2008-12-05 21:02 --------- d-----w c:\program files\FlashGet
2008-12-05 07:00 --------- d-----w c:\program files\Warcraft III
2008-12-03 09:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 21:55 --------- d-----w c:\documents and settings\Owner\Application Data\InstallShield Installation Information
2008-11-21 01:25 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 00:05 --------- d-----w c:\program files\Steam
2008-11-11 23:10 --------- d-----w c:\program files\Starcraft
2008-11-07 02:17 --------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2008-11-07 02:05 --------- d-----w c:\program files\mIRC
2008-11-04 03:34 --------- d-----w c:\program files\QuickTime
2008-11-04 03:34 --------- d-----w c:\program files\Apple Software Update
2008-11-04 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-04 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-04 02:49 137,480 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-02 02:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-02 02:43 --------- d-----w c:\program files\AGEIA Technologies
2008-11-02 02:25 --------- d-----w c:\documents and settings\Owner\Application Data\Hamachi
2008-11-02 02:07 --------- d-----w c:\documents and settings\Owner\Application Data\HamachiBackup
2008-11-02 02:03 --------- d-----w c:\program files\Hamachi
2008-11-02 02:02 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2008-11-02 02:00 --------- d-----w c:\documents and settings\Owner\Application Data\Red Alert 3
2008-10-14 02:05 94,208 ----a-w c:\windows\ScUnin.exe
2008-10-09 01:03 --------- d-----w c:\documents and settings\Owner\Application Data\GarageGames
2008-10-07 19:33 6,133,856 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-05-19 11:54 22,328 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2008-05-19 11:52 103,736 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrB.exe
2006-06-06 05:44 0 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-09-26 110592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-18 185896]
"McRegWiz"="c:\progra~1\mcafee.com\agent\mcregwiz.exe" [2005-06-01 368714]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-03 413696]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
VirtuaGirl HD.LNK - c:\program files\vghd\vghd.exe [2008-09-11 11875648]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-11 692224]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2007-09-19 884838]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.WMV3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.divxa32"= msaud32_divx.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2005-11-11 16:00 1005096 c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Windows NT\\Accessories\\bin.dll\\CoD4\\iw3mp.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Sega\\Gas Powered Games\\Space Siege Demo\\SpaceSiege.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
S2 wowsystemcode123;Remote TCP/IP;c:\windows\System32\svchost.exe -k netsvcs [2005-01-09 14336]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2007-09-05 17149]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys [2007-09-19 362944]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys []
S3 XDva052;XDva052;\??\c:\windows\system32\XDva052.sys []
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wowsystemcode123
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\autoplay.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
\Shell\AutoRun\command - P:\autorun.exe
\Shell\readit\command - notepad readme.doc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
\Shell\AutoRun\command - Q:\SETUP.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\R]
\Shell\AutoRun\command - R:\autoplay.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7855b9a1-9814-11da-9eba-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3053969-9822-11da-b84e-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
2008-12-06 c:\windows\Tasks\At25.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At26.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At27.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At28.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At29.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At30.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At31.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At32.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At33.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At34.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At35.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At36.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At37.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At38.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At39.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At40.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At41.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At42.job
- c:\windows\system32\763KIsN3.exe []
2008-12-07 c:\windows\Tasks\At43.job
- c:\windows\system32\763KIsN3.exe []
2008-12-07 c:\windows\Tasks\At44.job
- c:\windows\system32\763KIsN3.exe []
2008-12-07 c:\windows\Tasks\At45.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At46.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At47.job
- c:\windows\system32\763KIsN3.exe []
2008-12-06 c:\windows\Tasks\At48.job
- c:\windows\system32\763KIsN3.exe []
2006-05-30 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 13:00]
.
- - - - ORPHANS REMOVED - - - -
BHO-{C672F4AB-780B-45C0-BAEC-91F455C86F8D} - c:\program files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
Toolbar-{2D2DE234-AB9F-4345-9D17-94FA78BA37E3} - c:\program files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
WebBrowser-{2D2DE234-AB9F-4345-9D17-94FA78BA37E3} - c:\program files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
HKCU-Run-ResChanger 2005 - c:\program files\ResChanger 2005\ResChanger2005.exe
HKLM-Run-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
HKLM-Run-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
HKLM-Run-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
SharedTaskScheduler-fairydom - (no file)
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\McAfee.com\Agent\McUpdate.exe
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk -
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\as87lwi1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT693181&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.gamefaqs.com/boards/genmessage.php?board=945075&topic=45164388
FF -: plugin - c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\as87lwi1.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-06 21:05:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\program files\McAfee.com\Agent\mcregwiz.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee.com\Shared\mghtml.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\vghd\VirtuaGirl_Downloader.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-06 21:08:16 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-12-07 03:08:14
Pre-Run: 35,514,687,488 bytes free
Post-Run: 47,114,698,752 bytes free
301