Well, do you think that a transaction I made back in May will have been seen by the backdoor trojan?
And by the way, ComboFix failed to tell me that I didn't have the recovery console installed before scanning, and it didn't prompt me to download the recovery console. It just told me that I didn't have it
after it was done.
ComboFix results:
ComboFix 09-07-01.04 - Owner 2/2009 Thu 12:20.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 3
.empty" was unexpected at this time.
PEV Error: DesktopFile
PEV Error: DesktopFolder
PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder
PEV Error: PersonalFile
PEV Error: StartUpFile
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Installer\1324b.msi
c:\windows\system32\dbxDgrevCheck.dll
c:\windows\system32\disk.dll
c:\windows\system32\drivers\hjgruiswuhbqlr.sys
c:\windows\system32\hjgruimqfqjnsr.dll
c:\windows\system32\hjgruiorigsubr.dll
c:\windows\system32\hjgruirntkscpk.dat
c:\windows\system32\hjgruitonekllx.dat
c:\windows\system32\JRYbHRqr.ini
c:\windows\system32\JRYbHRqr.ini2
c:\windows\wiaserviv.log
D:\Autorun.inf
D:\Desktop.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_hjgruivakvppjw
((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.
2009-07-01 01:24 . 2009-07-01 01:24 -------- d-----w- c:\documents and settings\sandy\Local Settings\Application Data\Scansoft
2009-06-29 05:06 . 2009-06-29 05:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-29 05:06 . 2009-06-29 05:06 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Malwarebytes
2009-06-29 05:05 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 05:05 . 2009-06-29 05:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 05:05 . 2009-06-29 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-29 05:05 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-29 04:16 . 2009-06-29 04:16 -------- d-----w- c:\windows\ERUNT
2009-06-29 03:46 . 2009-06-29 04:45 -------- d-----w- C:\SDFix
2009-06-26 18:42 . 2009-06-28 00:24 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-06-26 18:42 . 2009-06-28 00:24 -------- d-----w- c:\docume~1\Owner\APPLIC~1\BitTorrent
2009-06-26 18:41 . 2009-06-26 18:42 -------- d-----w- c:\program files\BitTorrent
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 19:33 . 2007-05-07 05:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-02 19:33 . 2008-08-18 00:09 -------- d-----w- c:\program files\DNA
2009-07-02 19:33 . 2008-08-18 00:09 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-07-02 19:33 . 2008-08-18 00:09 -------- d-----w- c:\docume~1\Owner\APPLIC~1\DNA
2009-06-27 23:20 . 2006-07-25 18:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-27 22:20 . 2008-12-07 05:35 -------- d-----w- c:\program files\NEXTON
2009-06-21 06:09 . 2009-05-24 22:04 -------- d-----w- c:\program files\Essentials Codec Pack
2009-06-20 02:22 . 2007-11-18 02:46 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-06-20 02:22 . 2007-11-18 02:46 -------- d-----w- c:\docume~1\Owner\APPLIC~1\gtk-2.0
2009-06-03 04:58 . 2007-02-03 23:46 -------- d-----w- c:\program files\EA GAMES
2009-05-26 07:10 . 2006-09-09 02:32 80552 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-26 04:23 . 2009-05-26 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-26 04:22 . 2009-05-26 04:22 -------- d-----w- c:\program files\Microsoft Works
2009-05-26 04:20 . 2009-05-26 04:20 -------- d-----w- c:\program files\Microsoft.NET
2009-05-25 03:42 . 2009-05-23 04:45 -------- d-----w- c:\program files\MKVtoolnix
2009-05-25 01:51 . 2009-05-25 01:51 -------- d-----w- c:\program files\Gabest
2009-05-24 23:07 . 2009-05-24 23:07 -------- d-----w- c:\program files\ffdshow
2009-05-24 22:10 . 2009-05-23 06:05 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-05-21 05:17 . 2009-03-22 20:38 -------- d-----w- c:\program files\WinAVI Video Converter
2009-05-21 05:17 . 2009-01-07 22:17 -------- d-----w- c:\program files\Wakan
2009-05-16 02:36 . 2009-05-24 23:07 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-16 02:36 . 2009-05-24 23:07 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-05-07 15:44 . 2004-08-26 16:11 344064 ------w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2004-08-26 16:12 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2004-08-26 16:11 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-26 16:12 1846656 ------w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-26 16:12 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-26 321344]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-25 169984]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-12 1236992]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking10\Program\natspeak.exe [2008-7-27 2807144]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-7 113664]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 111376]
Microsoft Office Shortcut Bar.lnk - c:\program files\Microsoft Office\Office\MSOFFICE.EXE [1997-7-11 333824]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 23:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:*:Disabled:UDP port 5353
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/17/2008 4:11 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 55024]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/31/2009 10:03 PM 24652]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [3/5/2009 10:16 PM 16512]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408]
.
Contents of the 'Scheduled Tasks' folder
2009-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.wikipedia.org/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\fnkmejdg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\windows\system32\DNAML\npdbplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: browser.sessionstore.resume_from_crash - false
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-07-02 12:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-277335353-1467319134-3029339847-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0789EEA0-258B-C4C5-BA73-71E7651D648B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(848)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(3568)
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\windows\system32\conime.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\windows\system32\drivers\WTSrv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\windows\system32\WISPTIS.EXE
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee.com\VSO\mcvsftsn.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-02 12:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-02 19:37
Pre-Run: 30,849,073,152 bytes free
Post-Run: 32,170,000,384 bytes free
250 --- E O F --- 2009-06-15 05:01