Hello =)
Bout 2
Before I got this message, I jumped to a few trusted official sites through Google search and didn't get any redirects, so it's looking good (but I know it can be deceiving!)
File submitted to bleepingcomputer link successfully
After dropping CFScript into ComboFix and ComboFix loaded, I got a message saying there was an update. I went ahead with the update and ComboFix ran just fine after, I'm just not 100% clear if it ran with the script (looks like it did because it appeared to collect the UACxxx.xxx files).
I removed the old Java files and checked that I had the latest up to date version (update 13). No prob.
I turned on the Windows antivirus notification, but left off the auto-updates. Those update notifications are annoying and I don't want all the updates right now (I do check regularly).
Installed Avira but missed my chance to view the report to send it, so I'm running another scan which I'll attach.
Didn't know how you preferred these logs, but I figured it's safer for me to zip them and send them in. What's the verdict doc?
ComboFix 09-06-29.04 - Erik 06/30/2009 0:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1639 [GMT -4:00]
Running from: c:\documents and settings\Erik\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Erik\Desktop\CFScript.txt
FW: NVIDIA Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
* Created a new restore point
file zipped: c:\windows\system32\drivers\UACexwbapqjewqvrnd.sys
file zipped: c:\windows\system32\UACcajrusuqmyaedba.dll
file zipped: c:\windows\system32\UACyirlcwwspiltbtj.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\UACexwbapqjewqvrnd.sys
c:\windows\system32\UACcajrusuqmyaedba.dll
c:\windows\system32\UACyirlcwwspiltbtj.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.
2009-06-29 20:01 . 2009-06-29 20:01 -------- d-sh--w- C:\found.000
2009-06-21 04:15 . 2008-07-08 12:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2009-06-21 01:54 . 2009-06-21 01:54 -------- d-----w- c:\windows\system32\scripting
2009-06-21 01:54 . 2009-06-21 01:54 -------- d-----w- c:\windows\l2schemas
2009-06-21 01:54 . 2009-06-21 01:54 -------- d-----w- c:\windows\system32\en
2009-06-21 01:54 . 2009-06-21 01:54 -------- d-----w- c:\windows\system32\bits
2009-06-21 01:53 . 2009-06-21 01:53 -------- d-----w- c:\windows\ServicePackFiles
2009-06-21 01:50 . 2009-06-21 01:50 -------- d-----w- c:\windows\EHome
2009-06-20 03:02 . 2009-06-21 02:22 117760 ----a-w- c:\documents and settings\Erik\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-20 03:02 . 2009-06-20 03:02 -------- d-----w- c:\documents and settings\Erik\Application Data\SUPERAntiSpyware.com
2009-06-20 03:02 . 2009-06-20 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-19 18:05 . 2009-06-19 18:05 -------- d-----w- c:\program files\NVIDIA
2009-06-19 18:00 . 2009-06-19 18:00 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-19 18:00 . 2009-06-19 18:00 290816 ----a-w- c:\documents and settings\Erik\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-06-19 18:00 . 2009-06-19 18:00 290816 ----a-w- c:\documents and settings\Erik\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-06-19 18:00 . 2009-06-19 18:00 290816 ----a-w- c:\documents and settings\Erik\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-06-19 18:00 . 2009-06-19 18:00 290816 ----a-w- c:\documents and settings\Erik\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-06-19 18:00 . 2009-06-19 18:00 -------- d-----w- c:\documents and settings\Erik\Application Data\SystemRequirementsLab
2009-06-19 17:20 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-19 17:08 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-06-19 17:08 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-06-19 17:07 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-06-19 17:07 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-06-19 17:07 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-06-19 17:07 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-06-19 13:24 . 2009-06-19 13:24 -------- d-----w- c:\windows\system32\wbem\mof
2009-06-19 03:39 . 2009-06-19 03:38 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-19 03:38 . 2009-06-19 03:39 -------- d-----w- c:\documents and settings\Erik\.housecall6.6
2009-06-18 22:16 . 2009-06-28 22:57 -------- d-----w- c:\program files\Lavasoft
2009-06-18 22:16 . 2009-06-28 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-18 19:47 . 2009-06-19 16:36 -------- d-----w- c:\program files\SP - S&D
2009-06-15 13:40 . 2009-06-15 13:40 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-15 13:40 . 2009-06-15 13:40 152576 ----a-w- c:\documents and settings\Erik\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-11 22:00 . 2009-06-11 22:00 -------- d-----w- c:\documents and settings\Erik\Local Settings\Application Data\Blizzard Entertainment
2009-06-10 12:28 . 2009-06-10 12:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 12:28 . 2009-06-10 12:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 12:28 . 2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 12:28 . 2009-06-10 12:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 12:28 . 2009-06-10 12:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 12:28 . 2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 12:28 . 2009-06-10 12:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 10:03 . 2009-06-10 10:03 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 10:03 . 2009-06-10 10:03 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 10:03 . 2009-06-10 10:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 10:03 . 2009-06-10 10:03 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 10:03 . 2009-06-10 10:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 10:03 . 2009-06-10 10:03 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 10:03 . 2009-06-10 10:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-08 14:59 . 2009-06-08 14:59 -------- d-----w- c:\program files\Ventrilo
2009-06-06 17:05 . 2009-06-06 17:06 -------- d-----w- c:\program files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 06:19 . 2009-06-24 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-06-29 06:16 . 2006-12-30 09:39 -------- d-----w- c:\program files\BitTorrent
2009-06-21 02:03 . 2006-06-02 06:36 20672 ----a-w- c:\documents and settings\Erik\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-21 01:55 . 2006-06-02 06:12 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-20 18:24 . 2008-04-03 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-18 23:02 . 2008-08-15 02:34 -------- d-----w- c:\program files\BFG
2009-06-15 13:40 . 2006-10-08 07:37 -------- d-----w- c:\program files\Java
2009-06-10 10:03 . 2006-06-02 07:56 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-06-10 10:03 . 2005-12-10 09:06 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 10:03 . 2005-12-10 09:06 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-04 20:39 . 2006-06-02 07:00 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-05-26 21:22 . 2006-07-30 21:42 -------- d-----w- c:\documents and settings\Erik\Application Data\AdobeUM
2009-05-26 21:20 . 2006-06-22 18:35 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-26 01:46 . 2009-05-26 01:46 0 ----a-w- c:\windows\nsreg.dat
2009-05-25 23:49 . 2009-05-25 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-05-25 23:48 . 2006-06-02 10:05 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-06-29_17.57.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-30 03:42 . 2009-06-30 03:42 16384 c:\windows\Temp\Perflib_Perfdata_550.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-15 148888]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-07-27 270336]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-30 49152]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Games\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Games\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Games\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Games\\World of Warcraft\\Launcher.exe"=
"c:\\Games\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Games\\World of Warcraft\\WoW-3.0.1-to-3.0.2-enUS-Win-Update-downloader.exe"=
"c:\\Games\\World of Warcraft\\WoW-3.0.3.9183-to-3.0.8.9464-enUS-downloader.exe"=
"c:\\Games\\Steam\\SteamApps\\chckmgnte\\team fortress 2\\hl2.exe"=
"c:\\Games\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:battle.net
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 8:43 PM 31896]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Erik\LOCALS~1\Temp\superas\SASDIFSV.SYS --> c:\docume~1\Erik\LOCALS~1\Temp\superas\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Erik\LOCALS~1\Temp\superas\SASKUTIL.sys --> c:\docume~1\Erik\LOCALS~1\Temp\superas\SASKUTIL.sys [?]
S3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [11/3/2006 6:30 PM 467040]
S3 SASENUM;SASENUM;\??\c:\docume~1\Erik\LOCALS~1\Temp\superas\SASENUM.SYS --> c:\docume~1\Erik\LOCALS~1\Temp\superas\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder
2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
FF - ProfilePath - c:\documents and settings\Erik\Application Data\Mozilla\Firefox\Profiles\ui4z4fwc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Erik\Application Data\Tenderfoot Games\Gunfighter\npTFGLaunchPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-06-30 00:06
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(668)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2009-06-30 0:07
ComboFix-quarantined-files.txt 2009-06-30 04:07
ComboFix2.txt 2009-06-29 17:59
Pre-Run: 140,328,787,968 bytes free
Post-Run: 140,305,518,592 bytes free
Current=4 Default=4 Failed=3 LastKnownGood=2 Sets=1,2,3,4
205 --- E O F --- 2009-06-19 17:42
Upload was successful
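The points a helper would pull out of a ComboFix log like the one above are mechanical: which files were quarantined, and whether the Reg Loading Points section still shows the Security Center alerts suppressed (AntiVirusDisableNotify / UpdatesDisableNotify = 1) and the standard-profile firewall off (EnableFirewall = 0). The script below is an added triage example, not ComboFix's own code and not something posted in this thread; it parses a constructed excerpt that copies the relevant lines from the log above (the three UAC* paths and the three registry values) and reports those findings so they are not overlooked when reading a long log by eye. The function names, the regexes and the `RANDOM_UAC_RE` pattern are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the ComboFix log in this thread:
# the quarantined-file lines and the relevant registry keys are copied
# from the log above, everything else is left out.
SAMPLE_LOG = r"""
file zipped: c:\windows\system32\drivers\UACexwbapqjewqvrnd.sys
file zipped: c:\windows\system32\UACcajrusuqmyaedba.dll
file zipped: c:\windows\system32\UACyirlcwwspiltbtj.dll
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')            # [HKEY...] header lines
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')      # "name"=value lines
ZIPPED_RE = re.compile(r'^file zipped:\s+(.+)$', re.IGNORECASE)
# Random lower-case name with a UAC prefix, as in the three files quarantined above
# (the minimum length is an assumption of this example).
RANDOM_UAC_RE = re.compile(r'\\UAC[a-z]{8,}\.(?:sys|dll)$', re.IGNORECASE)

# Registry keys exactly as ComboFix prints them (lower-cased for matching).
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FW_STANDARD = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"


def parse_reg_values(log: str) -> Dict[Tuple[str, str], str]:
    """Map (registry key, value name) -> raw value text for every
    "name"=value line that follows a [key] header in the log."""
    values: Dict[Tuple[str, str], str] = {}
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and section:
            values[(section, m.group(1).lower())] = m.group(2).strip()
    return values


def as_int(raw: str) -> int:
    """ComboFix prints DWORDs either as 'dword:00000001' or as '0 (0x0)'."""
    if raw.lower().startswith("dword:"):
        return int(raw.split(":", 1)[1], 16)
    return int(raw.split()[0])


def find_quarantined(log: str) -> List[str]:
    """Paths from the 'file zipped:' lines (files ComboFix quarantined)."""
    paths: List[str] = []
    for raw in log.splitlines():
        m = ZIPPED_RE.match(raw.strip())
        if m:
            paths.append(m.group(1).strip())
    return paths


def assess(log: str) -> List[str]:
    """Human-readable findings a helper would want to see first."""
    findings: List[str] = []
    reg = parse_reg_values(log)
    if as_int(reg.get((SECURITY_CENTER, "antivirusdisablenotify"), "0")) == 1:
        findings.append("Security Center antivirus alerts are suppressed (AntiVirusDisableNotify=1)")
    if as_int(reg.get((SECURITY_CENTER, "updatesdisablenotify"), "0")) == 1:
        findings.append("Security Center update alerts are suppressed (UpdatesDisableNotify=1)")
    if as_int(reg.get((FW_STANDARD, "enablefirewall"), "1")) == 0:
        findings.append("Windows Firewall is off for the standard profile (EnableFirewall=0)")
    for path in find_quarantined(log):
        if RANDOM_UAC_RE.search(path):
            findings.append(f"quarantined random-named UAC* file: {path}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG):
        print(finding)
```

Run against the excerpt, `assess` reports six findings: both Security Center notification values are still 1 (which is worth a second look given the post says the antivirus notification was turned back on), the standard-profile firewall is 0, and the three UAC* files were quarantined. Pointing it at a saved ComboFix.txt instead of the embedded excerpt only requires reading the file into the `log` argument.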