Thread: google redirect
04-19-2009, 08:23 PM   #5
chipnmissy
Registered User
Join Date: Apr 2009
Location: vermont
Posts: 3
OS: xp

Re: google redirect

Everything seems to be working fine now. Thank you. The files were successfully submitted. This is the last ComboFix log:

ComboFix 09-04-20.02 - Owner 04/19/2009 22:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.115 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.EXE.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gxvxccounter

.
((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-19 03:07 . 2007-09-15 19:11 27136 ----a-w c:\windows\system32\PCWizard.cpl
2009-04-19 02:40 . 2009-04-20 00:44 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-04-19 02:40 . 2009-04-19 02:40 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-04-19 02:40 . 2009-04-19 02:40 155384 ----a-w c:\windows\system32\guard32.dll
2009-04-19 02:40 . 2009-04-19 02:40 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-04-17 02:55 . 2008-06-06 16:15 38208 ----a-w c:\windows\system32\drivers\TfSysMon.sys
2009-04-17 02:55 . 2008-06-06 16:15 33088 ----a-w c:\windows\system32\drivers\TfNetMon.sys
2009-04-17 02:55 . 2008-06-06 16:15 12608 ----a-w c:\windows\system32\drivers\TfKbMon.sys
2009-04-17 02:55 . 2008-06-06 16:15 51520 ----a-w c:\windows\system32\drivers\TfFsMon.sys
2009-04-17 02:39 . 2008-12-11 12:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-17 02:39 . 2009-03-06 20:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-17 02:39 . 2008-12-18 16:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-17 02:39 . 2009-04-20 00:37 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-17 02:39 . 2008-12-10 16:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-17 02:39 . 2009-04-17 02:56 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-17 02:39 . 2009-04-17 02:39 -------- d-----w c:\documents and settings\Owner\Application Data\PC Tools
2009-04-14 22:54 . 2009-04-14 22:54 -------- d-----w c:\documents and settings\Owner\.tuxguitar-1.1
2009-04-14 22:49 . 2009-04-14 22:49 1200 ----a-w c:\windows\system32\rzeksfsp.dat
2009-04-11 23:24 . 2009-04-11 23:24 -------- d-----w c:\documents and settings\Owner\Application Data\Unity
2009-04-11 22:54 . 2009-04-11 22:54 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Unity
2009-04-11 17:37 . 2009-04-11 17:38 247494 ----a-w c:\windows\PUZZLES.DAT
2009-04-11 17:24 . 2009-04-11 17:33 30 ----a-w c:\windows\PUZZLES.INI
2009-04-11 17:24 . 1994-09-21 04:00 92208 ----a-w c:\windows\system\WING.DLL
2009-04-07 08:15 . 2009-04-12 01:21 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-07 08:15 . 2009-04-07 08:15 1409 ----a-w c:\windows\QTFont.for
2009-04-06 22:34 . 2009-04-06 22:34 -------- d-----w c:\windows\Sun
2009-04-06 15:58 . 2009-04-06 15:58 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2009-04-06 15:57 . 2009-04-06 15:57 -------- d-----w c:\documents and settings\Owner\Application Data\Yahoo!
2009-04-06 15:56 . 2009-04-06 15:58 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-05 18:41 . 2009-04-05 18:50 72 ----a-w c:\windows\MediaManager.INI
2009-04-05 18:29 . 2009-04-05 18:29 -------- d-----w c:\windows\system32\drivers\UMDF
2009-04-05 18:29 . 2009-04-05 18:29 -------- d-----w c:\windows\system32\LogFiles
2009-04-05 17:24 . 2009-04-05 20:06 -------- d-----w c:\documents and settings\Owner\Application Data\FrostWire
2009-04-05 17:23 . 2008-06-10 06:32 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-04 23:47 . 2009-04-12 06:11 -------- d-----w c:\documents and settings\Owner\Application Data\U3
2009-04-04 23:44 . 2009-04-04 23:44 -------- d-----w c:\documents and settings\Owner\Application Data\WinCare2009
2009-04-04 22:18 . 2009-03-11 18:33 354176 ----a-w c:\windows\system32\drivers\supersafer.sys
2009-04-04 22:18 . 2009-03-11 18:33 470528 ----a-w c:\windows\system32\wxmsw28u_html_vc_custom.dll
2009-04-04 22:18 . 2009-03-11 18:33 681472 ----a-w c:\windows\system32\wxmsw28u_adv_vc_custom.dll
2009-04-04 22:18 . 2009-03-11 18:33 118784 ----a-w c:\windows\system32\wxbase28u_xml_vc_custom.dll
2009-04-04 22:18 . 2009-03-11 18:33 1163776 ----a-w c:\windows\system32\wxbase28u_vc_custom.dll
2009-04-04 22:18 . 2009-03-11 18:33 2771968 ----a-w c:\windows\system32\wxmsw28u_core_vc_custom.dll
2009-04-04 17:21 . 2008-10-16 19:09 31768 ----a-w c:\windows\system32\wucltui.dll.mui
2009-04-04 17:21 . 2008-10-16 19:07 23576 ----a-w c:\windows\system32\wuaucpl.cpl.mui
2009-04-04 17:21 . 2008-10-16 19:07 18456 ----a-w c:\windows\system32\wuaueng.dll.mui
2009-04-04 17:21 . 2008-10-16 19:07 23576 ----a-w c:\windows\system32\wuapi.dll.mui
2009-04-04 17:04 . 2009-04-04 17:04 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 00:36 . 2009-04-17 02:39 -------- d-----w c:\program files\Spyware Doctor
2009-04-19 03:07 . 2009-04-19 03:07 -------- d-----w c:\program files\PC Wizard 2008
2009-04-19 02:40 . 2009-04-19 02:40 -------- d-----w c:\program files\COMODO
2009-04-19 00:13 . 2009-04-19 00:13 -------- d-----w c:\program files\Trend Micro
2009-04-18 17:52 . 2009-04-18 17:52 -------- d-----w c:\program files\UNICCodec
2009-04-17 02:40 . 2009-04-17 02:39 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-17 02:34 . 2009-04-17 02:34 -------- d-----w c:\program files\CCleaner
2009-04-14 22:54 . 2009-04-14 22:54 -------- d-----w c:\program files\tuxguitar-1.1
2009-04-14 22:49 . 2009-04-14 22:49 -------- d-----w c:\program files\SFaxTools
2009-04-12 21:27 . 2009-04-12 21:27 -------- d-----w c:\program files\Blockland
2009-04-11 22:54 . 2009-04-11 22:54 -------- d-----w c:\program files\Unity
2009-04-06 20:18 . 2009-04-06 15:56 -------- d-----w c:\program files\Yahoo!
2009-04-05 18:28 . 2009-04-05 18:28 -------- d-----w c:\program files\MP3 Player Utilities 4.19
2009-04-05 17:24 . 2009-04-05 17:21 -------- d-----w c:\program files\AskBarDis
2009-04-05 17:23 . 2009-04-05 17:22 -------- d-----w c:\program files\Java
2009-04-05 17:22 . 2009-04-05 17:22 -------- d-----w c:\program files\Common Files\Java
2009-04-05 17:21 . 2009-04-05 17:21 -------- d-----w c:\program files\AskSearch
2009-04-04 22:18 . 2009-04-04 22:18 -------- d-----w c:\program files\Spotmau
2009-04-04 03:31 . 2005-06-19 22:33 -------- d-----w c:\program files\Warcraft III
2009-04-04 03:27 . 2004-01-22 03:33 -------- d-----w c:\program files\EarthLink TotalAccess
2008-09-22 01:51 . 2004-02-05 22:09 24960 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-11-30 01:32 . 2004-08-29 23:54 0 ---ha-w c:\documents and settings\Owner\hpothb07.dat
2004-05-27 00:42 . 2004-05-27 00:42 0 ---ha-w c:\documents and settings\NetworkService\hpothb07.dat
2004-01-26 23:45 . 2004-01-26 23:44 0 -c-ha-w c:\program files\hpothb07.dat
2004-01-26 23:44 . 2004-01-26 23:44 15628 ---ha-w c:\program files\hpothb07.tif
2003-03-31 12:00 . 2003-04-23 23:52 94784 --sh--w c:\windows\twain.dll
2004-08-04 07:56 . 2003-04-23 23:52 50688 --sh--w c:\windows\twain_32.dll
2004-08-04 07:56 . 2003-04-23 23:52 1028096 --sh--w c:\windows\system32\mfc42.dll
2004-08-04 07:56 . 2003-04-23 23:52 54784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-04 07:56 . 2003-04-23 23:52 413696 --sha-w c:\windows\system32\msvcp60.dll
2004-08-04 07:56 . 2003-04-23 23:52 343040 --sha-w c:\windows\system32\msvcrt.dll
2004-08-04 07:56 . 2003-04-23 23:52 11776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-09 02:08 279944 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"showicon2k"="c:\program files\\eM\Bay Reader\Shwicon2k.exe" [2003-07-04 135168]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-09-19 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-04-24 77824]
"SpotmauSecretary"="c:\program files\Spotmau\Desktop_Secretary\Spotmau_S.exe" [2009-03-11 566784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-04-19 1851128]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-05-02 323584]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2003-06-03 496640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2003-4-23 1742384]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 cpuz129;cpuz129;c:\program files\PC Wizard 2008\pcwiz32.sys [2008-01-25 9600]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2008-12-10 64392]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2008-06-06 33088]
R3 ThreatFire;ThreatFire; [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-06 130424]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-06-06 51520]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-06-06 38208]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2009-04-19 110992]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2009-04-19 24336]
S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2008-12-11 159600]
S2 supersafer;supersafer;c:\windows\system32\drivers\supersafer.sys [2009-03-11 354176]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2003-04-23 07:56]

2009-04-14 c:\windows\Tasks\Disk Defragmenter.job
- c:\documents and settings\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk [2003-04-24 03:48]

2004-09-06 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8075430597.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]

2009-04-19 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-04-24 16:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.19\AMVConverter\grab.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1spbq164.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 22:19
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3508902286-1040935473-1732238221-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(744)
c:\windows\system32\guard32.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2009-04-20 22:20
ComboFix-quarantined-files.txt 2009-04-20 02:20
ComboFix2.txt 2009-04-20 00:56

Pre-Run: 148,160,679,936 bytes free
Post-Run: 148,149,035,008 bytes free

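The post above is a raw ComboFix log. As an added example (editor's code, not part of the post and not ComboFix's own tooling), the script below parses a few of the line formats ComboFix emits and flags the entries a malware-removal helper reads first: an object under system32 with no extension (the deleted gxvxccounter), a system32 file of a type that does not normally live there (rzeksfsp.dat), the Security Center AntiVirusOverride value, the mountpoints2 AutoRun command for the J: drive, and the NTDLL exports catchme reports as modified. The sample input is copied from the log; the rules and the expected-extension allowlist are the editor's assumptions. Every hit is a lead to verify by hand (hash, signer, vendor), not a verdict: the ZwClose/ZwOpenFile modification, for instance, can come from a legitimate security product hooking ntdll as easily as from a rootkit, and this same log shows COMODO and PC Tools drivers being installed in the scan window.

```python
"""Triage a ComboFix-style log (added example; heuristics are the editor's own)."""
import re

# Constructed sample: lines copied verbatim from the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\gxvxccounter
.
((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.
2009-04-19 03:07 . 2007-09-15 19:11 27136 ----a-w c:\windows\system32\PCWizard.cpl
2009-04-19 02:40 . 2009-04-19 02:40 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-04-17 02:39 . 2008-12-11 12:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-14 22:49 . 2009-04-14 22:49 1200 ----a-w c:\windows\system32\rzeksfsp.dat
2009-04-07 08:15 . 2009-04-12 01:21 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-05 18:29 . 2009-04-05 18:29 -------- d-----w c:\windows\system32\LogFiles
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

detected NTDLL code modification:
ZwClose, ZwOpenFile
"""

SECTION_RE = re.compile(r'^\(+\s*(.+?)\s*\)+$')            # "(((( Title ))))"
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')              # "[HKEY_...]"
FILE_RE = re.compile(r'^(?P<created>\S+ \S+) \. (?P<modified>\S+ \S+) '
                     r'(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command - (?P<cmd>.+)$')
PATH_RE = re.compile(r'^[a-z]:\\', re.I)
HOOK_MARKER = 'detected NTDLL code modification:'

# File types one expects under system32 on an XP box (assumption: editor's
# allowlist, not derived from ComboFix or from the log).
SYSTEM32_EXPECTED = {'.dll', '.sys', '.exe', '.cpl', '.ocx', '.mui', '.drv', '.ax', '.scr'}


def _in_system32(path):
    return '\\windows\\system32\\' in path.lower()


def _ext(path):
    base = path.rsplit('\\', 1)[-1]
    return base[base.rfind('.'):].lower() if '.' in base else ''


def parse(text):
    """Pull out deleted paths, created files, registry values and NTDLL hooks."""
    out = {'deleted': [], 'created': [], 'reg': [], 'hooks': []}
    section, key, prev = None, None, ''
    for line in text.splitlines():
        line = line.rstrip()
        sec, k = SECTION_RE.match(line), KEY_RE.match(line)
        if sec:
            section, key = sec.group(1), None
        elif k:
            key = k.group(1)
        elif section == 'Other Deletions' and PATH_RE.match(line):
            out['deleted'].append(line)
        elif section and section.startswith('Files Created') and FILE_RE.match(line):
            out['created'].append(FILE_RE.match(line).groupdict())
        elif key and line.startswith(('"', '\\')):   # value under the last [key]
            out['reg'].append((key, line))
        if prev == HOOK_MARKER:                        # catchme lists hooked exports
            out['hooks'] = [f.strip() for f in line.split(',') if f.strip()]
        prev = line
    return out


def triage(text):
    """Apply the heuristics; returns sorted (rule, detail) pairs."""
    log, hits = parse(text), []
    for path in log['deleted']:
        if _in_system32(path) and _ext(path) == '':
            hits.append(('system32-object-without-extension', path))
    for f in log['created']:
        if f['size'] == '--------':                    # directory entry
            continue
        if _in_system32(f['path']) and _ext(f['path']) not in SYSTEM32_EXPECTED:
            hits.append(('unexpected-file-type-in-system32', f['path']))
    for key, line in log['reg']:
        if (key.lower().endswith('security center')
                and line.lower().startswith('"antivirusoverride"')
                and line.endswith('00000001')):
            hits.append(('security-center-av-alerts-overridden', line))
        m = AUTORUN_RE.match(line)
        if m:
            hits.append(('autorun-from-removable-media', m.group('cmd')))
    hits.extend(('ntdll-inline-hook', fn) for fn in log['hooks'])
    return sorted(hits)


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'{rule:40} {detail}')
```

Run against the sample it reports six leads and stays quiet on the PC Tools and COMODO drivers, which have vendor extensions and, for pctgntdi.sys, an older build mtime than their creation time, the normal pattern for installer-copied files. Paste a full log in place of SAMPLE_LOG to triage a real one; anything the allowlist misses shows up as a false positive to dismiss, which is cheaper than a missed dropper.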