06-27-2007, 02:35 PM #5
saflic
Registered User
Join Date: Jun 2007
Posts: 9
OS: xp


Re: Windows IE Popups- Trojan or Hook?

Here it is again.

"Administrator" - 2007-06-27 14:22:09 - ComboFix 07-06-27.7 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-05-27 to 2007-06-27 )))))))))))))))))))))))))))))))


2007-06-27 09:32 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-26 15:11 <DIR> d-------- C:\VundoFix Backups
2007-06-26 14:44 <DIR> d-------- C:\Deckard
2007-06-25 11:32 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Comodo
2007-06-25 11:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-06-25 11:16 <DIR> d-------- C:\Program Files\Comodo
2007-06-25 10:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-06-23 12:14 4,628 --a------ C:\WINDOWS\system32\niywdypo.exe
2007-06-21 12:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-18 12:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pavark
2007-06-16 13:05 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-13 14:18 164 --a------ C:\install.dat
2007-06-13 11:38 <DIR> d-------- C:\Program Files\Windows Defender
2007-06-13 11:17 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\GetRightToGo
2007-06-12 12:08 10,872 --------- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-12 11:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-12 10:39 <DIR> d-------- C:\Program Files\Browser Hijack Blaster
2007-05-30 15:46 <DIR> d-------- C:\Program Files\iPod
2007-05-30 11:40 <DIR> d-------- C:\divx


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 15:30:10 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-31 19:25:10 4,212 ------w C:\WINDOWS\system32\zllictbl.dat
2007-05-24 19:24:32 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Move Networks
2007-05-17 22:17:58 98,304 ------w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-17 22:12:50 -------- d-----w C:\Program Files\Firefly Studios
2007-05-16 15:12:02 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 09:02:48 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-01 16:11:40 -------- d-----w C:\Program Files\iTunes
2007-04-30 15:46:10 745,600 ------w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:56 85,952 ------w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ------w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:42 23,416 ------w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:52 43,176 ------w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:24 26,888 ------w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ------w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:21:16 144,896 ------w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:24 2,854,400 ------w C:\WINDOWS\system32\msi.dll
2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 04:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 04:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 04:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 04:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 04:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 04:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-06 16:40:02 88,576 ---ha-w C:\DOCUME~1\ADMINI~1\APPLIC~1\rbap550.dll
2007-04-06 16:40:02 73,728 ---ha-w C:\DOCUME~1\ADMINI~1\APPLIC~1\RBRegEx550.dll
2007-04-06 16:40:02 38,912 ---ha-w C:\DOCUME~1\ADMINI~1\APPLIC~1\RBShell550.dll
2007-04-06 16:40:02 29,184 ---ha-w C:\DOCUME~1\ADMINI~1\APPLIC~1\RBInternetEncodings550.dll
2007-04-06 16:40:02 1,166,772 ---ha-w C:\DOCUME~1\ADMINI~1\APPLIC~1\RBXML550.dll
2007-03-27 07:55:58 524,288 ------w C:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:50 3,596,288 ------w C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:32 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-03-27 07:55:32 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-03-27 07:55:32 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-03-27 07:55:24 200,704 ------w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:24 1,044,480 ------w C:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:08 73,728 ------w C:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:08 196,608 ------w C:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:06 53,248 ------w C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:04 593,920 ------w C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:04 57,344 ------w C:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:04 344,064 ------w C:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:04 294,912 ------w C:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:04 294,912 ------w C:\WINDOWS\system32\dpu10.dll
2007-03-27 07:49:00 823,296 ------w C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:49:00 823,296 ------w C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:49:00 802,816 ------w C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:49:00 639,066 ------w C:\WINDOWS\system32\DivX.dll
2005-10-14 03:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-05-13 23:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 17:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-06-26 21:32:28 616,448 --sh--r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 04:37:42 45,568 --sh--r C:\WINDOWS\system32\cygz.dll
2005-10-08 01:14:52 308,224 --sh--r C:\WINDOWS\system32\avisynth.dll
2004-01-25 06:00:00 70,656 --sh--r C:\WINDOWS\system32\i420vfw.dll
2004-01-25 06:00:00 70,656 --sh--r C:\WINDOWS\system32\yv12vfw.dll
2005-02-28 19:16:22 240,128 --sh--r C:\WINDOWS\system32\x.264.exe
2005-07-14 18:31:20 27,648 --sh--r C:\WINDOWS\system32\AVSredirect.dll
2006-04-27 16:24:24 2,945,024 --sh--r C:\WINDOWS\system32\Smab.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2005-12-07 15:06]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 00:47]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{617890F2-44B5-4187-BE18-B7E598F5CFA3}=C:\WINDOWS\system32\jkkji.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-04-26 16:42]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 01:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3Hotkey"="s3hotkey.exe" [2001-06-20 21:33 C:\WINDOWS\system32\s3hotkey.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-05-13 22:20 C:\WINDOWS\SOUNDMAN.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-06 09:57]
"XeroxScannerDaemon"="C:\Program Files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 22:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 09:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-16 14:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-25 11:15]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec Network Driver Update Warning"=C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 06:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winubg32]
winubg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1801674531-1303643608-725345543-500\Scripts\Logoff\0\0]
"Script"=C:\Program Files\Automatic Windows Internet Washer\xp.cmd

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2006-04-19 17:04:16 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-06-20 21:31:06 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-27 15:43:46 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-27 14:27:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-27 14:33:02
C:\ComboFix-quarantined-files.txt ... 2007-06-27 14:30

--- E O F ---