Old 07-04-2009, 03:55 AM   #5
richiejain
Registered User
 
Join Date: Jul 2009
Posts: 8
OS: Windows Xp Home


Re: Serious Malware issue

ComboFix 09-07-02.02 - Yatish 07/04/2009 15:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.452 [GMT 5.5:30]
Running from: c:\combofix\ComboFix.exe
Command switches used :: c:\combofix\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-02 20:39 . 2009-07-02 11:16 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Google
2009-07-02 20:36 . 2007-04-13 06:21 321024 ----a-w- c:\windows\system32\ERUpdateHidden.EXE
2009-07-02 20:36 . 2006-03-30 07:36 258048 ----a-w- c:\windows\system32\CheckD2DSystem.exe
2009-07-02 20:36 . 2006-03-23 06:32 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe
2009-07-02 20:36 . 2005-12-09 03:42 16384 ----a-w- c:\windows\system32\ClearEvent.exe
2009-07-02 20:36 . 2004-11-03 03:36 159744 ----a-w- c:\windows\system32\CloseProcessWindow.dll
2009-07-02 20:35 . 2009-07-02 20:35 125 ----a-w- c:\windows\xUninstall.bat
2009-07-02 20:35 . 2009-07-02 20:35 -------- d-----w- c:\windows\JMCR_DIR
2009-07-02 20:35 . 2008-05-14 10:53 110080 ----a-w- c:\windows\system32\JmCrIcon.dll
2009-07-02 20:35 . 2009-07-02 20:35 129 ----a-w- c:\documents and settings\Yatish\Local Settings\Application Data\fusioncache.dat
2009-07-02 20:35 . 2009-07-02 13:12 60592 ----a-w- c:\documents and settings\Yatish\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-02 20:33 . 2009-07-02 20:33 -------- d-----w- c:\program files\Common Files\CrystalEye
2009-07-02 20:33 . 2008-06-13 12:13 4342912 ----a-w- c:\windows\system32\acer.exe
2009-07-02 20:33 . 2007-04-19 08:11 83554304 ----a-w- c:\windows\system32\acer.scr
2009-07-02 20:33 . 2009-07-02 20:33 -------- d-----w- c:\program files\Acer Incorporated
2009-07-02 20:33 . 2009-07-02 20:33 -------- d-----w- c:\windows\ACER
2009-07-02 20:32 . 2009-07-02 20:32 110576 ----a-w- c:\documents and settings\All Users\Application Data\Partner\partner.exe
2009-07-02 20:32 . 2009-07-02 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Partner
2009-07-02 20:31 . 2009-07-02 08:40 -------- d-----w- c:\program files\Google
2009-07-02 20:30 . 2009-07-02 20:30 -------- d-----w- c:\program files\Launch Manager
2009-07-02 20:23 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-07-02 20:23 . 2008-04-15 03:00 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-07-02 20:23 . 2008-04-15 03:00 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2009-07-02 20:23 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-07-02 20:22 . 2009-07-02 19:31 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InstallShield
2009-07-02 20:22 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2009-07-02 20:22 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2009-07-02 20:22 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2009-07-02 20:21 . 2008-08-15 18:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2009-07-02 20:17 . 2008-04-15 03:00 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-07-02 20:17 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-07-02 20:17 . 2009-07-02 20:17 -------- d-----w- c:\windows\WebCam
2009-07-02 20:17 . 2008-04-14 00:12 53760 ----a-w- c:\windows\vfwwdm32.dll
2009-07-02 20:17 . 2008-04-15 03:00 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-07-02 19:36 . 2009-07-02 19:36 -------- d---a-w- c:\windows\AcerStore
2009-07-02 12:33 . 2009-07-02 12:33 -------- d-----w- c:\program files\Trend Micro
2009-07-02 10:33 . 2009-07-04 09:38 117760 ----a-w- c:\documents and settings\Yatish\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-02 10:33 . 2009-07-02 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-02 10:33 . 2009-07-02 10:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-02 10:33 . 2009-07-02 10:33 -------- d-----w- c:\documents and settings\Yatish\Application Data\SUPERAntiSpyware.com
2009-07-02 10:32 . 2009-07-02 10:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-02 10:27 . 2009-07-02 10:27 -------- d-----w- c:\documents and settings\Yatish\Application Data\Malwarebytes
2009-07-02 10:26 . 2009-06-17 05:57 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 10:26 . 2009-07-02 10:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 10:26 . 2009-06-17 05:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 10:26 . 2009-07-02 10:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 09:15 . 2009-07-02 09:15 -------- d-----w- c:\documents and settings\Yatish\Application Data\Media Player Classic
2009-07-02 09:14 . 2003-12-11 05:45 44544 ----a-w- c:\windows\system32\MSXML4a.dll
2009-07-02 09:14 . 2001-08-17 17:13 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-07-02 09:14 . 2006-06-20 10:36 237056 ----a-w- c:\windows\system32\winhttp5.dll
2009-07-02 09:14 . 1998-06-18 07:00 77824 ----a-w- c:\windows\system32\MSBIND.DLL
2009-07-02 09:14 . 1998-06-08 18:30 509440 ----a-w- c:\windows\system32\MSDE.DLL
2009-07-02 09:14 . 2000-07-15 07:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-07-02 09:14 . 2009-07-02 09:14 -------- d-----w- c:\program files\i.c.s SMS
2009-07-02 08:44 . 2009-07-03 11:44 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Adobe
2009-07-02 08:27 . 2009-07-02 08:27 -------- d-----w- c:\program files\uTorrent
2009-07-02 08:27 . 2009-07-04 09:47 -------- d-----w- c:\documents and settings\Yatish\Application Data\uTorrent
2009-07-02 08:17 . 2009-07-02 08:22 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Temp
2009-07-02 08:14 . 2009-07-02 08:16 -------- d-----w- c:\documents and settings\Yatish\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 20:35 . 2008-08-15 18:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-02 20:26 . 2009-07-02 20:24 -------- d-----w- c:\documents and settings\Yatish\Application Data\SiteAdvisor
2009-07-02 19:36 . 2004-09-21 21:28 3 ----a-w- c:\windows\HotFix.bat
2009-07-02 19:36 . 2004-06-26 00:13 139 ----a-w- c:\windows\HotFix2.bat
2009-07-02 19:33 . 2008-08-15 18:11 -------- d-----w- c:\program files\SiteAdvisor
2009-07-02 19:33 . 2008-08-15 17:59 -------- d-----w- c:\program files\Realtek
2009-07-02 19:33 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Works
2009-07-02 19:33 . 2008-08-15 18:15 -------- d-----w- c:\program files\Microsoft.NET
2009-07-02 19:33 . 2008-08-15 18:18 -------- d-----w- c:\program files\Microsoft Office Suite Activation Assistant
2009-07-02 19:32 . 2008-08-15 18:07 -------- d-----w- c:\program files\McAfee.com
2009-07-02 19:32 . 2008-08-15 17:37 -------- d-----w- c:\program files\microsoft frontpage
2009-07-02 19:32 . 2008-08-15 18:12 -------- d-----w- c:\program files\InterVideo
2009-07-02 19:32 . 2008-08-15 17:41 -------- d-----w- c:\program files\Intel
2009-07-02 19:32 . 2008-08-15 18:07 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-02 19:32 . 2008-08-15 18:12 -------- d-----w- c:\program files\Common Files\InterVideo
2009-07-02 19:32 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-02 19:32 . 2008-08-15 17:58 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-02 19:32 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-02 19:32 . 2008-08-15 18:00 -------- d-----w- c:\program files\Atheros
2009-07-02 19:31 . 2009-07-02 20:24 -------- d-----w- c:\documents and settings\Yatish\Application Data\InstallShield
2009-07-02 19:31 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-02 19:31 . 2008-08-15 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-02 19:31 . 2008-08-15 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-02 19:31 . 2008-08-15 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Atheros
2009-07-02 09:10 . 2009-07-02 09:10 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-07-02 08:40 . 2008-08-15 18:09 -------- d-----w- c:\program files\McAfee
2009-07-02 08:12 . 2008-08-15 18:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\SiteAdvisor
2008-04-15 03:00 . 2008-04-15 03:00 90520 --sha-r- c:\windows\system32\jktbyy.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-03_08.35.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-15 19:59 . 2009-07-03 08:23 63418 c:\windows\system32\perfc009.dat
+ 2008-08-15 19:59 . 2009-07-04 09:42 63418 c:\windows\system32\perfc009.dat
+ 2009-07-02 20:19 . 2009-07-04 09:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-02 20:19 . 2009-07-03 06:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-02 20:19 . 2009-07-03 06:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-02 20:19 . 2009-07-04 09:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-02 20:19 . 2009-07-03 06:59 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-02 20:19 . 2009-07-04 09:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-15 19:59 . 2009-07-04 09:42 402974 c:\windows\system32\perfh009.dat
- 2008-08-15 19:59 . 2009-07-03 08:23 402974 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"Google Update"="c:\documents and settings\Yatish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-02 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-07-02 288048]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-02 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 36640]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-5 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 06:35 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5129:TCP"= 5129:TCP:ubbyrbx

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 9:31 PM 254976]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S2 llfhwuy;Support Time;c:\windows\system32\svchost.exe -k netsvcs [4/15/2008 8:30 AM 14336]
S3 Partner Service;Partner Service;c:\documents and settings\All Users\Application Data\Partner\partner.exe [7/3/2009 2:02 AM 110576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MFERKDK

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
llfhwuy
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4122549485-511491495-4049359616-1006Core.job
- c:\documents and settings\Yatish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-02 08:16]

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4122549485-511491495-4049359616-1006UA.job
- c:\documents and settings\Yatish\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-02 08:16]

2008-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-07-25 08:02]

2008-08-15 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-07-25 08:02]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {AA2F2604-DCA6-420C-BC90-659D50DBED79} = 125.22.47.125,202.56.250.5
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 15:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\llfhwuy]
"ServiceDll"="c:\windows\system32\jktbyy.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2156)
c:\program files\SiteAdvisor\6172\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-07-04 15:23
ComboFix-quarantined-files.txt 2009-07-04 09:53
ComboFix2.txt 2009-07-03 08:36

Pre-Run: 143,844,052,992 bytes free
Post-Run: 143,832,129,536 bytes free
