[Resolved] Computer may be infected.


17 replies to this topic

#1 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 19 November 2009 - 12:03 AM

Hi guys, I have some suspicious processes running which I believe may possibly be viruses:

iexplore.exe
Sachiel.sys.bat

Internet Explorer is never running yet the process for it is always there. Even when I end it, it comes back. My computer runs normally but I'd just like to make sure these are safe and I have no viruses on my computer. I also have a hidden folder in my Program Files folder called HaRepacker, which I can't delete. My laptop is a school laptop connected to a network.

-Acer TravelMate 6293

DDS (Ver_09-06-26.01) - NTFSx86
Run by 12LinNZ at 16:58:44.21 on Thu 19/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1977.1190 [GMT 11:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Acer\Acer Bio Protection\BASVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Acer\Acer Bio Protection\PdtWzd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\PLFSetI.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Infineon\Security Platform Software\PSDrt.exe
C:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\DOCUME~1\12linnz\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\12linnz\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet.cgs.vic.edu.au
uDefault_Page_URL = hxxp://intranet.cgs.vic.edu.au
mDefault_Page_URL = hxxp://intranet.cgs.vic.edu.au
uInternet Settings,ProxyOverride = local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [ZPdtWzdVitaKey MC3000] "c:\program files\acer\acer bio protection\PdtWzd.exe" show
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [<NO NAME>]
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {10954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\program files\acer\acer bio protection\PwdBank.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: AWinNotifyVitaKey MC3000 - c:\program files\acer\acer bio protection\WinNotify.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\program files\acer\acer bio protection\PwdFilter

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\12linnz\applic~1\mozilla\firefox\profiles\ehr3xlul.default\
FF - plugin: c:\documents and settings\12linnz\application data\mozilla\firefox\profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [2008-10-22 43184]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-7-24 38816]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-8-3 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-8-3 38528]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2008-11-20 13560]
R2 FPSensor;LTT-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\drivers\FPSensor.sys [2008-10-22 20352]
R2 IGBASVC;iGroupTec Service;c:\program files\acer\acer bio protection\BASVC.exe [2008-10-22 3481600]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-29 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2009-8-3 98304]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2009-8-3 266240]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-7-2 172032]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2009-8-3 794624]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-7-24 41216]
R3 ITEIRDA;ITE Infrared Device Driver;c:\windows\system32\drivers\ITEirda.sys [2008-10-22 24576]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-16 25832]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\12linnz\locals~1\temp\kpn97.tmp --> c:\docume~1\12linnz\locals~1\temp\KPN97.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-7-23 28592]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-8-3 14976]

=============== Created Last 30 ================

2009-11-17 19:56 107,888 ac------ c:\windows\system32\CmdLineExt.dll
2009-11-17 16:37 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\BioWare
2009-11-17 11:50 <DIR> -cd----- c:\windows\system32\winrm
2009-11-17 11:50 <DIR> -cd-h--- c:\windows\$968930Uinstall_KB968930$
2009-11-16 18:31 <DIR> -cd----- c:\windows\1C4551A64743409391E41477CD655043.TMP
2009-11-16 17:57 <DIR> -cd----- c:\program files\Dragon Age
2009-11-16 17:57 <DIR> -cd----- c:\program files\common files\BioWare
2009-11-16 17:15 <DIR> -cd----- c:\program files\Rockstar Games
2009-11-13 00:21 <DIR> -cd----- C:\Log
2009-11-12 16:02 <DIR> -cd----- c:\program files\SAW
2009-11-11 16:16 <DIR> -cd----- c:\program files\Machinarium
2009-11-10 18:25 <DIR> -cd----- c:\windows\D56B0E274A3E46C9B5C1D93D580C099C.TMP
2009-11-10 17:44 <DIR> -cd----- c:\program files\2K Games
2009-11-10 17:44 <DIR> -cd----- C:\BDS
2009-11-08 23:22 <DIR> -cd----- c:\windows\system32\Adobe
2009-11-05 21:37 <DIR> -cd----- c:\docume~1\12linnz\applic~1\runic games
2009-11-05 21:15 <DIR> -cd----- c:\program files\Runic Games
2009-11-03 21:36 <DIR> -cd----- c:\docume~1\12linnz\applic~1\MozillaControl
2009-11-03 21:35 <DIR> -cd----- c:\program files\Mozilla ActiveX Control v1.7.12
2009-11-03 21:34 <DIR> -cd----- c:\program files\VideoLAN
2009-11-03 21:30 <DIR> -cd----- c:\program files\Graboid
2009-11-02 23:07 <DIR> -cd----- c:\program files\iPod
2009-10-23 19:28 2,395,944 ac------ c:\windows\system32\pbsvc_heroes.exe

==================== Find3M ====================

2009-11-04 16:34 139,456 ac------ c:\windows\system32\drivers\PnkBstrK.sys
2009-11-04 16:34 190,160 ac------ c:\windows\system32\PnkBstrB.exe
2009-10-23 19:28 138,056 ac------ c:\docume~1\12linnz\applic~1\PnkBstrK.sys
2009-10-23 19:28 75,064 ac------ c:\windows\system32\PnkBstrA.exe
2009-10-19 16:39 77,028 ac--h--- c:\windows\system32\mlfcache.dat
2009-10-11 04:17 411,368 ac------ c:\windows\system32\deploytk.dll
2009-10-09 16:23 1,107,456 -c------ c:\windows\system32\WsmSvc.dll
2009-10-09 16:23 178,176 -c------ c:\windows\system32\wevtfwd.dll
2009-10-09 16:22 368,640 -c------ c:\windows\system32\WsmRes.dll
2009-10-09 16:22 69,632 -c------ c:\windows\system32\winrs.exe
2009-10-09 16:22 42,496 -c------ c:\windows\system32\pwrshplugin.dll
2009-10-09 14:56 209,408 -c------ c:\windows\system32\WsmWmiPl.dll
2009-10-09 14:56 14,848 -c------ c:\windows\system32\wsmprovhost.exe
2009-10-09 14:56 22,528 -c------ c:\windows\system32\winrshost.exe
2009-10-09 14:56 25,088 -c------ c:\windows\system32\winrmprov.dll
2009-10-09 14:56 12,288 -c------ c:\windows\system32\wsmplpxy.dll
2009-10-09 14:56 2,048 -c------ c:\windows\system32\winrsmgr.dll
2009-10-09 14:56 233,984 -c------ c:\windows\system32\winrscmd.dll
2009-10-09 14:56 225,280 -c------ c:\windows\system32\wsmanhttpconfig.exe
2009-10-09 14:56 12,288 -c------ c:\windows\system32\winrssrv.dll
2009-10-09 14:56 139,776 -c------ c:\windows\system32\WsmAuto.dll
2009-10-08 14:57 611,328 ac------ c:\windows\system32\uiautomationcore.dll
2009-10-08 14:57 220,160 ac------ c:\windows\system32\oleacc.dll
2009-10-08 14:56 20,480 ac------ c:\windows\system32\oleaccrc.dll
2009-09-19 13:12 794,408 ac------ c:\windows\system32\pbsvc.exe
2009-09-18 17:39 444,952 ac------ c:\windows\system32\wrap_oal.dll
2009-09-18 17:39 109,080 ac------ c:\windows\system32\OpenAL32.dll
2009-09-11 23:30 25,268 -c--h--- c:\docume~1\12linnz\applic~1\addons.dat
2009-09-04 18:44 515,416 ac------ c:\windows\system32\XAudio2_5.dll
2009-09-04 18:44 238,936 ac------ c:\windows\system32\xactengine3_5.dll
2009-09-04 18:44 69,464 ac------ c:\windows\system32\XAPOFX1_3.dll
2009-09-04 18:29 453,456 ac------ c:\windows\system32\d3dx10_42.dll
2009-09-04 18:29 235,344 ac------ c:\windows\system32\d3dx11_42.dll
2009-09-04 18:29 5,501,792 ac------ c:\windows\system32\d3dcsx_42.dll
2009-09-04 18:29 1,974,616 ac------ c:\windows\system32\D3DCompiler_42.dll
2009-09-04 18:29 1,892,184 ac------ c:\windows\system32\D3DX9_42.dll
2009-08-28 20:42 2,065,696 ac------ c:\windows\system32\usbaaplrc.dll
2003-06-09 07:56 23,552 -c-sh--- c:\windows\help\Sachiel.sys.bat
2003-06-09 07:56 23,552 -c-sh--- c:\windows\system32\helpdks.dll
2003-06-09 07:56 23,552 -c-sh--- c:\windows\system32\winrun.sys.pif

============= FINISH: 16:59:15.06 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/19 17:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0x9F7AF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA604000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP1570
Image Path: \Driver\PCI_PNP1570
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9E437000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spis.sys
Image Path: spis.sys
Address: 0xB9EA6000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys" at address 0x9f9b0fa0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys" at address 0x9f9b10f6

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spis.sys" at address 0xb9ec5ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spis.sys" at address 0xb9ec6032

#: 119 Function Name: NtOpenKey
Status: Hooked by "spis.sys" at address 0xb9ea70c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spis.sys" at address 0xb9ec610a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spis.sys" at address 0xb9ec5f8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys" at address 0x9f9b115c

==EOF==

EDIT: I'm going to be away until Thursday 26th November.


Edited by lin0056, 21 November 2009 - 02:01 PM.
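As an added example (not part of the thread, and not one of the tools the helper uses), here is a small Python triage script run over a handful of Find3M rows taken from the DDS log above. It encodes three things a log reader checks by eye: the system+hidden attribute combination (`s` and `h` in the DDS attribute column), a double extension that ends in an executable type (.bat, .pif) behind a .sys or .dll, and a cluster of hidden files sharing one size and timestamp, which is what a single dropper leaves behind. The three 2003-dated files are flagged on all three counts. The function and class names (`parse_find3m`, `triage`, `Entry`) and the sample rows are my own; note that addons.dat, which Malwarebytes later identifies as Bifrose.Trace, is hidden but not system and has no double extension, so these heuristics do not flag it. They narrow the list for a human; they do not replace a scanner.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: Find3M rows in the DDS format used in the thread
# (date, time, size, 8-character attribute column, path). The last three rows
# are the entries the thread turns on; the others are ordinary files.
SAMPLE_FIND3M = r"""
2009-11-04 16:34 139,456 ac------ c:\windows\system32\drivers\PnkBstrK.sys
2009-10-19 16:39 77,028 ac--h--- c:\windows\system32\mlfcache.dat
2009-10-09 16:22 69,632 -c------ c:\windows\system32\winrs.exe
2009-09-11 23:30 25,268 -c--h--- c:\docume~1\12linnz\applic~1\addons.dat
2003-06-09 07:56 23,552 -c-sh--- c:\windows\help\Sachiel.sys.bat
2003-06-09 07:56 23,552 -c-sh--- c:\windows\system32\helpdks.dll
2003-06-09 07:56 23,552 -c-sh--- c:\windows\system32\winrun.sys.pif
""".strip()

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) ([a-z-]{8}) (.+)$")

# Final extensions Windows will execute, and "inert looking" extensions a
# dropper puts in front of them (assumed lists for this example).
EXEC_EXT = {"exe", "bat", "pif", "com", "scr", "cmd"}
INERT_EXT = {"sys", "dll", "dat", "txt", "jpg"}


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # None for <DIR> rows
    flags: str            # DDS attribute column, e.g. "-c-sh---"
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_find3m(text: str) -> list:
    """Parse DDS 'Find3M' / 'Created Last 30' rows; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, flags, path = m.groups()
        size_val = None if size == "<DIR>" else int(size.replace(",", ""))
        entries.append(Entry(date, time, size_val, flags, path))
    return entries


def entry_reasons(e: Entry) -> list:
    """Per-row heuristics: hidden+system attributes and executable double extensions."""
    reasons = []
    # 's' and 'h' together mean system+hidden: Explorer hides such files by
    # default, which is why the poster could see the process but not the file.
    if "s" in e.flags and "h" in e.flags:
        reasons.append("hidden+system attributes")
    parts = e.name.split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in INERT_EXT:
        reasons.append(f"double extension: looks like .{parts[-2]} but runs as .{parts[-1]}")
    return reasons


def triage(text: str) -> dict:
    """Return {path: [reasons]} for rows that deserve a closer look."""
    entries = parse_find3m(text)
    flagged = defaultdict(list)
    for e in entries:
        flagged[e.path].extend(entry_reasons(e))
    # Files dropped together share size and timestamp; a cluster of hidden
    # files with identical (date, time, size) is a stronger signal than any
    # single row on its own.
    clusters = defaultdict(list)
    for e in entries:
        if e.size is not None and "h" in e.flags:
            clusters[(e.date, e.time, e.size)].append(e)
    for group in clusters.values():
        if len(group) >= 2:
            for e in group:
                flagged[e.path].append(
                    f"same size and timestamp as {len(group) - 1} other hidden file(s)")
    return {path: why for path, why in flagged.items() if why}


if __name__ == "__main__":
    for path, why in triage(SAMPLE_FIND3M).items():
        print(path)
        for reason in why:
            print("   -", reason)
```

Pointing `triage` at the full Find3M and "Created Last 30" sections of a DDS log works unchanged, since `parse_find3m` skips the section headers and `<DIR>` rows carry no size and so never join a cluster.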



#2 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 24 November 2009 - 12:17 PM

Hi lin0056,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

You've got a very old worm in there. One of the things it is known for is infecting any floppy disk inserted in the machine. Luckily, you probably don't have a floppy disk.

HaRepacker is a program designed to "hack" a game called MapleStory. Is this something you play?

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.

Then

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Also please describe how your computer behaves at the moment.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#3 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 26 November 2009 - 01:35 AM

I am back from camp now, thanks for the reply. I do not play the game 'MapleStory'. I'm running TFC now and will post the MBAM log after my computer restarts.

#4 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 26 November 2009 - 02:01 AM

:thumbup:
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#5 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 26 November 2009 - 02:04 AM

My computer is running fine. (Same as usual).

Malwarebytes' Anti-Malware 1.41
Database version: 3235
Windows 5.1.2600 Service Pack 3

26/11/2009 6:56:22 PM
mbam-log-2009-11-26 (18-56-22).txt

Scan type: Quick Scan
Objects scanned: 114233
Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\12linnz\Application Data\addons.dat (Bifrose.Trace) -> Quarantined and deleted successfully.

#6 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 26 November 2009 - 02:10 AM

lin0056,

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#7 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 26 November 2009 - 04:09 AM

ComboFix 09-11-25.05 - 12LinNZ 26/11/2009 20:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1977.1491 [GMT 11:00]
Running from: c:\documents and settings\12linnz\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://cgsremote6
.
((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\documents and settings\12linnz\Application Data\Malwarebytes
2009-11-26 07:49 . 2009-09-10 03:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 07:49 . 2009-09-10 03:53 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 00:06 . 2009-11-20 00:06 -------- dc----w- c:\program files\Activision
2009-11-19 05:56 . 2009-11-19 05:56 -------- dc----w- c:\program files\ERUNT
2009-11-17 12:25 . 2009-11-17 12:25 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Rockstar Games
2009-11-17 08:56 . 2009-11-17 08:56 107888 -c--a-w- c:\windows\system32\CmdLineExt.dll
2009-11-17 05:37 . 2009-11-17 05:37 -------- dc----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-17 00:50 . 2009-11-17 00:50 -------- dc----w- c:\windows\system32\winrm
2009-11-17 00:50 . 2009-11-17 00:50 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2009-11-16 06:57 . 2009-11-16 07:17 -------- dc----w- c:\program files\Dragon Age
2009-11-16 06:57 . 2009-11-16 07:30 -------- dc----w- c:\program files\Common Files\BioWare
2009-11-16 06:15 . 2009-11-26 08:28 -------- dc----w- c:\program files\Rockstar Games
2009-11-15 20:50 . 2009-11-15 20:50 152576 -c--a-w- c:\documents and settings\12linnz\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-15 20:50 . 2009-11-15 20:50 79488 -c--a-w- c:\documents and settings\12linnz\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-12 13:21 . 2009-11-21 12:16 -------- dc----w- C:\Log
2009-11-11 05:16 . 2009-11-11 05:17 -------- dc----w- c:\program files\Machinarium
2009-11-10 07:25 . 2009-11-10 07:25 -------- dc----w- c:\program files\DIFX
2009-11-10 06:44 . 2009-11-10 06:44 -------- dc----w- c:\program files\2K Games
2009-11-10 06:44 . 2009-11-10 07:24 -------- dc----w- C:\BDS
2009-11-08 12:22 . 2009-11-12 09:40 -------- dc----w- c:\windows\system32\Adobe
2009-11-05 10:37 . 2009-11-05 10:37 -------- dc----w- c:\documents and settings\12linnz\Application Data\runic games
2009-11-05 10:15 . 2009-11-05 10:15 -------- dc----w- c:\program files\Runic Games
2009-11-03 11:54 . 2009-11-03 11:54 -------- dc----w- c:\documents and settings\12linnz\Application Data\vlc
2009-11-03 10:36 . 2009-11-03 10:36 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Graboid_Inc
2009-11-03 10:36 . 2009-11-03 10:38 -------- dc----w- c:\documents and settings\12linnz\Application Data\MozillaControl
2009-11-03 10:36 . 2009-11-03 10:40 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Graboid
2009-11-03 10:35 . 2009-11-03 10:35 -------- dc----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-11-03 10:34 . 2009-11-03 10:34 -------- dc----w- c:\program files\VideoLAN
2009-11-03 10:30 . 2009-11-03 10:35 -------- dc----w- c:\program files\Graboid
2009-11-02 12:07 . 2009-11-02 12:07 -------- dc----w- c:\program files\iPod
2009-11-02 12:00 . 2009-11-02 12:00 79144 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 09:59 . 2009-11-26 09:59 25268 -c-h--w- c:\documents and settings\12linnz\Application Data\addons.dat
2009-11-26 08:58 . 2009-08-03 08:27 -------- dc----w- c:\documents and settings\12linnz\Application Data\uTorrent
2009-11-19 17:30 . 2009-09-19 23:44 -------- dc----w- c:\documents and settings\12linnz\Application Data\Gearbox Software
2009-11-19 17:30 . 2009-09-19 23:30 -------- dc----w- c:\program files\Ubisoft
2009-11-17 00:56 . 2008-10-24 01:29 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-16 07:30 . 2009-09-11 21:55 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-15 20:51 . 2008-11-05 00:35 -------- dc----w- c:\program files\Java
2009-11-12 13:11 . 2009-10-06 03:58 -------- dc----w- c:\program files\EA Sports
2009-11-10 10:19 . 2009-08-03 08:29 -------- dc----w- c:\program files\Messenger Plus! Live
2009-11-10 07:24 . 2009-08-26 04:27 -------- dc----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-11-10 07:21 . 2009-08-26 00:42 -------- dc----w- c:\documents and settings\12linnz\Application Data\Sports Interactive
2009-11-10 07:01 . 2009-08-26 00:43 -------- dc----w- c:\program files\Sports Interactive
2009-11-10 06:44 . 2008-10-22 03:27 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-11-04 05:34 . 2009-09-19 02:12 139456 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-04 05:34 . 2009-09-19 02:12 190160 -c--a-w- c:\windows\system32\PnkBstrB.exe
2009-11-03 01:45 . 2009-09-22 02:44 -------- dc----w- c:\documents and settings\12linnz\Application Data\LimeWire
2009-11-02 12:08 . 2009-09-11 07:44 -------- dc----w- c:\program files\iTunes
2009-11-02 12:07 . 2009-08-03 08:19 -------- dc----w- c:\program files\Common Files\Apple
2009-10-28 08:50 . 2009-09-23 08:09 664 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-10-26 23:20 . 2009-10-26 23:20 -------- dc----w- c:\program files\Google
2009-10-23 08:28 . 2009-09-19 02:12 138056 -c--a-w- c:\documents and settings\12linnz\Application Data\PnkBstrK.sys
2009-10-23 08:28 . 2009-09-19 02:12 138056 -c--a-w- c:\documents and settings\12linnz\Application Data\PnkBstrK.sys
2009-10-23 08:28 . 2009-09-19 02:12 75064 -c--a-w- c:\windows\system32\PnkBstrA.exe
2009-10-23 08:28 . 2009-10-23 08:28 2395944 -c--a-w- c:\windows\system32\pbsvc_heroes.exe
2009-10-22 22:39 . 2008-10-24 01:40 -------- dc----w- c:\program files\Common Files\Adobe
2009-10-19 05:39 . 2009-09-11 07:52 77028 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-10-14 07:25 . 2009-10-14 07:23 -------- dc----w- c:\documents and settings\12linnz\Application Data\PPStream
2009-10-10 17:17 . 2008-11-05 00:35 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-10-09 05:23 . 2009-10-09 05:23 1107456 -c----w- c:\windows\system32\WsmSvc.dll
2009-10-09 05:23 . 2009-10-09 05:23 178176 -c----w- c:\windows\system32\wevtfwd.dll
2009-10-09 05:22 . 2009-10-09 05:22 368640 -c----w- c:\windows\system32\WsmRes.dll
2009-10-09 05:22 . 2009-10-09 05:22 69632 -c----w- c:\windows\system32\winrs.exe
2009-10-09 05:22 . 2009-10-09 05:22 42496 -c----w- c:\windows\system32\pwrshplugin.dll
2009-10-09 03:56 . 2009-10-09 03:56 209408 -c----w- c:\windows\system32\WsmWmiPl.dll
2009-10-09 03:56 . 2009-10-09 03:56 14848 -c----w- c:\windows\system32\wsmprovhost.exe
2009-10-09 03:56 . 2009-10-09 03:56 22528 -c----w- c:\windows\system32\winrshost.exe
2009-10-09 03:56 . 2009-10-09 03:56 25088 -c----w- c:\windows\system32\winrmprov.dll
2009-10-09 03:56 . 2009-10-09 03:56 12288 -c----w- c:\windows\system32\wsmplpxy.dll
2009-10-09 03:56 . 2009-10-09 03:56 2048 -c----w- c:\windows\system32\winrsmgr.dll
2009-10-09 03:56 . 2009-10-09 03:56 233984 -c----w- c:\windows\system32\winrscmd.dll
2009-10-09 03:56 . 2009-10-09 03:56 225280 -c----w- c:\windows\system32\wsmanhttpconfig.exe
2009-10-09 03:56 . 2009-10-09 03:56 12288 -c----w- c:\windows\system32\winrssrv.dll
2009-10-09 03:56 . 2009-10-09 03:56 139776 -c----w- c:\windows\system32\WsmAuto.dll
2009-10-08 03:57 . 2007-10-09 02:03 611328 -c--a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 03:57 . 2006-02-28 12:00 220160 -c--a-w- c:\windows\system32\oleacc.dll
2009-10-08 03:56 . 2006-02-28 12:00 20480 -c--a-w- c:\windows\system32\oleaccrc.dll
2009-10-06 05:20 . 2009-10-06 05:20 -------- dc----w- c:\documents and settings\12linnz\Application Data\Leadertech
2009-10-05 09:18 . 2009-10-05 07:41 -------- dc----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-10-05 09:18 . 2009-10-05 07:41 -------- dc----w- c:\documents and settings\12linnz\Application Data\Uniblue
2009-10-05 07:38 . 2009-10-05 07:38 -------- dc----w- c:\program files\IObit
2009-09-30 22:48 . 2009-09-30 22:48 -------- dc----w- c:\program files\Electronic Arts
2009-09-29 04:53 . 2009-09-29 04:47 -------- dc----w- c:\program files\Microsoft
2009-09-29 04:53 . 2009-09-29 04:53 -------- dc----w- c:\program files\Microsoft Office Outlook Connector
2009-09-29 04:34 . 2009-09-11 12:30 -------- dc-h--w- c:\program files\HaRepacker
2009-09-28 05:41 . 2009-09-27 07:02 -------- dc----w- c:\program files\Vuze
2009-09-22 21:59 . 2009-08-03 08:08 105488 -c--a-w- c:\documents and settings\12linnz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 02:12 . 2009-09-19 02:12 794408 -c--a-w- c:\windows\system32\pbsvc.exe
2009-09-18 06:39 . 2009-09-18 06:39 444952 -c--a-w- c:\windows\system32\wrap_oal.dll
2009-09-18 06:39 . 2009-09-18 06:39 109080 -c--a-w- c:\windows\system32\OpenAL32.dll
2009-09-14 07:58 . 2009-09-30 22:47 1291640 -c--a-w- c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-09-14 07:58 . 2009-09-30 22:47 729088 -c--a-w- c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-09-11 21:54 . 2009-09-11 21:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 07:44 . 2009-09-11 21:56 515416 -c--a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 07:44 . 2009-09-11 21:56 238936 -c--a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 07:44 . 2009-09-11 21:56 69464 -c--a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 07:29 . 2009-09-11 21:56 235344 -c--a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 453456 -c--a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 1974616 -c--a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 5501792 -c--a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 1892184 -c--a-w- c:\windows\system32\D3DX9_42.dll
2003-06-08 20:56 . 2003-06-08 20:56 23552 -csh--w- c:\windows\Help\Sachiel.sys.bat
2003-06-08 20:56 . 2003-06-08 20:56 23552 -csh--w- c:\windows\system32\helpdks.dll
2003-06-08 20:56 . 2003-06-08 20:56 23552 -csh--w- c:\windows\system32\winrun.sys.pif
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"ZPdtWzdVitaKey MC3000"="c:\program files\Acer\Acer Bio Protection\PdtWzd.exe" [2008-10-22 3680768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-23 677144]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-04 170520]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-05-02 870920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-2 245760]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-11 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2008-10-22 03:39 3076096 ----a-w- c:\program files\Acer\Acer Bio Protection\WinNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\EA Sports\\FIFA Online 2\\FF2Client.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Documents and Settings\\12linnz\\My Documents\\Downloads\\Call Of Duty 4\\iw3mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8484:TCP"= 8484:TCP:Localhost
"8888:TCP"= 8888:TCP:ms
"3306:TCP"= 3306:TCP:MySQL Server

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [22/10/2008 2:39 PM 43184]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/09/2009 8:54 AM 721904]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [24/07/2007 8:59 AM 38816]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [3/08/2009 6:08 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [3/08/2009 6:09 PM 38528]
R2 FPSensor;LTT-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\drivers\FPSensor.sys [22/10/2008 2:39 PM 20352]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [29/10/2009 1:34 PM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [3/08/2009 6:08 PM 98304]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [24/07/2007 8:59 AM 41216]
R3 ITEIRDA;ITE Infrared Device Driver;c:\windows\system32\drivers\ITEirda.sys [22/10/2008 2:59 PM 24576]
S2 IGBASVC;iGroupTec Service;c:\program files\Acer\Acer Bio Protection\BASVC.exe [22/10/2008 2:39 PM 3481600]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 5:46 AM 284016]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [16/11/2009 6:17 PM 25832]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\12linnz\LOCALS~1\Temp\KPN97.tmp --> c:\docume~1\12linnz\LOCALS~1\Temp\KPN97.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 11:00 PM 14336]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [3/08/2009 6:09 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{13F1A74D-6028-E4D1-70B5-80FCAE592473}]
c:\program files\HaRepacker\HaRepacker.exe s
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.cgs.vic.edu.au
uInternet Settings,ProxyOverride = local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\
FF - plugin: c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-LManager - c:\windows\UNINST32.EXE LManager.UNI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 20:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys sppo.sys hal.dll >>UNKNOWN [0x8A5B6938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9e66cb8
\Driver\atapi -> atapi.sys @ 0xb9dddb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xb9ce6bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9cd5a0d
SendHandler -> NDIS.sys @ 0xb9ce9b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\12linnz\LOCALS~1\Temp\KPN97.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)
c:\program files\Acer\Acer Bio Protection\CompPtc.dll
c:\program files\Acer\Acer Bio Protection\CustomRes.dll
c:\windows\system32\NBMatS1SDK.DLL
c:\program files\Acer\Acer Bio Protection\WinNotify.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1096)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3552)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\IfxPsdSv.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\program files\Infineon\Security Platform Software\PSDrt.exe
c:\program files\Infineon\Security Platform Software\SpTna.exe
c:\docume~1\12linnz\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2009-11-26 21:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-26 10:08

Pre-Run: 34,515,591,168 bytes free
Post-Run: 34,384,420,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 3DF5D5E79639B108059176D8F533828C
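
The log above is what the moderator triages by eye in the next reply. The following is an added example (not part of the original post and not ComboFix code) that turns those judgement calls into rules run over lines copied from this log: files carrying both the system and hidden attributes, double extensions that hide an executable type (.sys.bat, .sys.pif), several files sharing one size and last-write time (typically one dropper), services whose ImagePath lives in a Temp or profile directory, and Active Setup components outside %SystemRoot%. The function names, the attribute-field interpretation and the rule thresholds are this example's own choices; the sample lines are excerpted from the post.

```python
"""Triage rules for a ComboFix log, run over lines excerpted from the post.

Added example for this thread; it is not part of the original post and is not
ComboFix code.  The rules below are this example's reading of the log format.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the ComboFix log posted above,
# trimmed to the entries the rules act on plus a few benign lines as controls.
SAMPLE_LOG = r"""
2009-11-26 09:59 . 2009-11-26 09:59 25268 -c-h--w- c:\documents and settings\12linnz\Application Data\addons.dat
2009-10-09 05:22 . 2009-10-09 05:22 69632 -c----w- c:\windows\system32\winrs.exe
2009-09-29 04:34 . 2009-09-11 12:30 -------- dc-h--w- c:\program files\HaRepacker
2003-06-08 20:56 . 2003-06-08 20:56 23552 -csh--w- c:\windows\Help\Sachiel.sys.bat
2003-06-08 20:56 . 2003-06-08 20:56 23552 -csh--w- c:\windows\system32\helpdks.dll
2003-06-08 20:56 . 2003-06-08 20:56 23552 -csh--w- c:\windows\system32\winrun.sys.pif
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\12linnz\LOCALS~1\Temp\KPN97.tmp --> c:\docume~1\12linnz\LOCALS~1\Temp\KPN97.tmp [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 11:00 PM 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{13F1A74D-6028-E4D1-70B5-80FCAE592473}]
c:\program files\HaRepacker\HaRepacker.exe s
"""

# ComboFix file lines: <created> . <last-write> <size|--------> <attrs> <path>
# attrs is an 8-character flag field; 'd' = directory, 's' = system, 'h' = hidden.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$")
ACTIVE_SETUP_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\", re.I)
DOUBLE_EXT_RE = re.compile(r"\.\w{1,4}\.(bat|pif|com|scr|cmd|exe)$", re.I)
TEMP_RE = re.compile(r"(\\temp\\|\\locals~1\\|\\local settings\\)", re.I)


def parse_service(line):
    """Return (name, image_path) for an R*/S* service line, else None."""
    if not re.match(r"^[RS]\d ", line):
        return None
    parts = line.split(";", 2)
    if len(parts) != 3:
        return None
    name = parts[0].split(" ", 1)[1]
    image = parts[2].split(" --> ")[0]                # drop ComboFix's resolved-path echo
    return name, re.sub(r" \[[^\]]*\]$", "", image)  # drop trailing [date size] or [?]


def triage(log_text):
    """Return (path, reason) findings; per-line rules first, then clusters."""
    findings = []
    by_fingerprint = defaultdict(list)  # (size, last-write) -> paths
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = FILE_RE.match(line)
        if m:
            attrs, path, size = m["attrs"], m["path"], m["size"]
            is_dir = attrs[0] == "d"
            if not is_dir and "s" in attrs and "h" in attrs:
                findings.append((path, "hidden+system file"))
            if DOUBLE_EXT_RE.search(path):
                findings.append((path, "double extension hides an executable type"))
            if not is_dir and size.isdigit():
                by_fingerprint[(size, m["modified"])].append(path)
            continue
        svc = parse_service(line)
        if svc and TEMP_RE.search(svc[1]):
            findings.append((svc[1], f"service {svc[0]} runs from a temp/profile directory"))
            continue
        if ACTIVE_SETUP_RE.match(line) and i + 1 < len(lines):
            stub = lines[i + 1].strip()   # the StubPath is printed on the next line
            if stub and not stub.lower().startswith("c:\\windows\\"):
                findings.append((stub, "Active Setup component outside %SystemRoot% "
                                       "runs for every user at logon"))
    for (size, modified), paths in by_fingerprint.items():
        if len(paths) > 1:
            for p in paths:
                findings.append((p, f"{len(paths)} files share size {size} "
                                    f"and last-write time {modified}"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason:70} {path}")
```

Run against the excerpt, the three 2003-dated files are reported twice over (hidden+system, and a shared 23552-byte fingerprint), the two double-extension names a third time, the GarenaPEngine service for its Temp-directory image, and the HaRepacker Active Setup stub; winrs.exe and the HaRepacker folder line pass as controls. Treat the output as a shortlist for a human, exactly as the moderator did, not as a deletion list.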

#8 Tomk
Beguilement Monitor, Global Moderator, 20,451 posts

Posted 26 November 2009 - 09:58 AM

lin0056,

Limewire, Vuze, and utorrent
You have Limewire, Vuze, and utorrent, P2P/file sharing programs, installed on your computer. P2P applications are the largest source of malware we see. You'll be doing yourself a favor by removing them.

References for the risk of these programs can be found in these links:
http://www.microsoft...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm


I would recommend that you uninstall Limewire, Vuze, and utorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep them, please do not use them until your computer is cleaned.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Rootkit::
    c:\windows\Help\Sachiel.sys.bat
    c:\windows\system32\helpdks.dll
    c:\windows\system32\winrun.sys.pif
    c:\documents and settings\12linnz\Application Data\addons.dat
    c:\documents and settings\12linnz\Local Settings\Temp\KPN97.tmp
    
    Folder::
    c:\program files\HaRepacker
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{13F1A74D-6028-E4D1-70B5-80FCAE592473}]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
    "ImagePath"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot not reproduced: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
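
The CFScript in the post above uses a small fixed syntax: a section name ending in `::` followed by one target per line; in `Registry::`, `[-KEY]` deletes the key, `[KEY]` selects it, and `"Name"=-` deletes that value under it. What follows is an added example, not part of the original post and not ComboFix code, that parses that syntax and cross-checks every target against the log the script was written from, so a typo in a path cannot silently turn a deletion into a no-op or aim it at a file nobody has looked at. The names `check_script` and `unverified`, the section list, and the rule of matching on the last path component (ComboFix prints some paths in 8.3 form such as `docume~1\...\LOCALS~1`, so whole-path comparison would miss KPN97.tmp) are this example's own choices; the script and log lines are copied from the thread.

```python
"""Pre-flight check for a ComboFix CFScript against the log it targets.

Added example for this thread; not code from the original post and not part of
ComboFix.  The parsing rules below are this example's reading of the syntax
used in the post.
"""

# The script from the moderator's post, verbatim.
CFSCRIPT = r"""
Rootkit::
c:\windows\Help\Sachiel.sys.bat
c:\windows\system32\helpdks.dll
c:\windows\system32\winrun.sys.pif
c:\documents and settings\12linnz\Application Data\addons.dat
c:\documents and settings\12linnz\Local Settings\Temp\KPN97.tmp

Folder::
c:\program files\HaRepacker

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{13F1A74D-6028-E4D1-70B5-80FCAE592473}]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"=-
"""

# Constructed excerpt of the ComboFix log (post #7) the script was written against.
LOG_EXCERPT = r"""
2009-11-26 09:59 . 2009-11-26 09:59 25268 -c-h--w- c:\documents and settings\12linnz\Application Data\addons.dat
2009-09-29 04:34 . 2009-09-11 12:30 -------- dc-h--w- c:\program files\HaRepacker
2003-06-08 20:56 . 2003-06-08 20:56 23552 -csh--w- c:\windows\Help\Sachiel.sys.bat
2003-06-08 20:56 . 2003-06-08 20:56 23552 -csh--w- c:\windows\system32\helpdks.dll
2003-06-08 20:56 . 2003-06-08 20:56 23552 -csh--w- c:\windows\system32\winrun.sys.pif
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\12linnz\LOCALS~1\Temp\KPN97.tmp --> c:\docume~1\12linnz\LOCALS~1\Temp\KPN97.tmp [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{13F1A74D-6028-E4D1-70B5-80FCAE592473}]
c:\program files\HaRepacker\HaRepacker.exe s
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\12linnz\LOCALS~1\Temp\KPN97.tmp"
"""

# Sections whose lines are filesystem paths (this example's list, not ComboFix's).
PATH_SECTIONS = ("File", "Folder", "Rootkit", "Driver")


def parse_cfscript(text):
    """Map each 'Name::' section to the non-empty lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_ops(lines):
    """Turn Registry:: lines into (op, key, value) tuples."""
    ops, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            ops.append(("delete_key", line[2:-1], None))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                 # following value lines apply to this key
        elif line.endswith("=-") and key:
            ops.append(("delete_value", key, line[:-2].strip('"')))
    return ops


def check_script(script, log):
    """Return {target: bool}; True when the log mentions that target."""
    log_lc = log.lower()
    seen = {}
    sections = parse_cfscript(script)
    for section in PATH_SECTIONS:
        for path in sections.get(section, []):
            # Match on the last component: ComboFix echoes some paths in 8.3 form.
            name = path.rsplit("\\", 1)[-1].lower()
            seen[path] = ("\\" + name) in log_lc
    for op, key, value in registry_ops(sections.get("Registry", [])):
        seen["[" + key + "]"] = ("[" + key.lower() + "]") in log_lc
        if op == "delete_value":
            seen["[" + key + "] " + value] = ('"' + value.lower() + '"=') in log_lc
    return seen


def unverified(script, log):
    """Targets the log never mentions: fix these before running the script."""
    return sorted(t for t, ok in check_script(script, log).items() if not ok)


if __name__ == "__main__":
    for target, ok in check_script(CFSCRIPT, LOG_EXCERPT).items():
        print("OK " if ok else "?? ", target)
```

For the script as posted, all nine targets (five Rootkit:: paths, the HaRepacker folder, the Active Setup key, the GarenaPEngine key and its ImagePath value) are found in the log; misspell one filename and `unverified` returns exactly that line. This is a consistency check only: it says nothing about whether a target is actually malicious, which remains the analyst's call.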

#9 lin0056
Authentic Member, 115 posts

Posted 26 November 2009 - 05:59 PM

Vuze is not installed on my computer. Running CFScript, will post results after reboot.

#10 lin0056
Authentic Member, 115 posts

Posted 26 November 2009 - 06:31 PM

ComboFix 09-11-25.05 - 12LinNZ 27/11/2009 11:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1977.1487 [GMT 11:00]
Running from: c:\documents and settings\12linnz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\12linnz\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\12linnz\Application Data\addons.dat
c:\program files\HaRepacker
c:\program files\HaRepacker\HaRepacker.exe
c:\program files\HaRepacker\logg.dat

.
((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\documents and settings\12linnz\Application Data\Malwarebytes
2009-11-26 07:49 . 2009-09-10 03:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 07:49 . 2009-09-10 03:53 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 00:06 . 2009-11-20 00:06 -------- dc----w- c:\program files\Activision
2009-11-19 05:56 . 2009-11-19 05:56 -------- dc----w- c:\program files\ERUNT
2009-11-17 12:25 . 2009-11-17 12:25 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Rockstar Games
2009-11-17 08:56 . 2009-11-17 08:56 107888 -c--a-w- c:\windows\system32\CmdLineExt.dll
2009-11-17 05:37 . 2009-11-17 05:37 -------- dc----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-17 00:50 . 2009-11-17 00:50 -------- dc----w- c:\windows\system32\winrm
2009-11-17 00:50 . 2009-11-17 00:50 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2009-11-16 06:57 . 2009-11-16 07:17 -------- dc----w- c:\program files\Dragon Age
2009-11-16 06:57 . 2009-11-16 07:30 -------- dc----w- c:\program files\Common Files\BioWare
2009-11-16 06:15 . 2009-11-26 08:28 -------- dc----w- c:\program files\Rockstar Games
2009-11-15 20:50 . 2009-11-15 20:50 152576 -c--a-w- c:\documents and settings\12linnz\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-15 20:50 . 2009-11-15 20:50 79488 -c--a-w- c:\documents and settings\12linnz\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-12 13:21 . 2009-11-21 12:16 -------- dc----w- C:\Log
2009-11-11 05:16 . 2009-11-11 05:17 -------- dc----w- c:\program files\Machinarium
2009-11-10 07:25 . 2009-11-10 07:25 -------- dc----w- c:\program files\DIFX
2009-11-10 06:44 . 2009-11-10 06:44 -------- dc----w- c:\program files\2K Games
2009-11-10 06:44 . 2009-11-10 07:24 -------- dc----w- C:\BDS
2009-11-08 12:22 . 2009-11-12 09:40 -------- dc----w- c:\windows\system32\Adobe
2009-11-05 10:37 . 2009-11-26 23:57 -------- dc----w- c:\documents and settings\12linnz\Application Data\runic games
2009-11-05 10:15 . 2009-11-26 23:57 -------- dc----w- c:\program files\Runic Games
2009-11-03 11:54 . 2009-11-03 11:54 -------- dc----w- c:\documents and settings\12linnz\Application Data\vlc
2009-11-03 10:36 . 2009-11-03 10:36 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Graboid_Inc
2009-11-03 10:36 . 2009-11-03 10:38 -------- dc----w- c:\documents and settings\12linnz\Application Data\MozillaControl
2009-11-03 10:36 . 2009-11-03 10:40 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Graboid
2009-11-03 10:35 . 2009-11-03 10:35 -------- dc----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-11-03 10:34 . 2009-11-03 10:34 -------- dc----w- c:\program files\VideoLAN
2009-11-03 10:30 . 2009-11-26 23:58 -------- dc----w- c:\program files\Graboid
2009-11-02 12:07 . 2009-11-02 12:07 -------- dc----w- c:\program files\iPod
2009-11-02 12:00 . 2009-11-02 12:00 79144 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 22:24 . 2009-08-03 08:27 -------- dc----w- c:\documents and settings\12linnz\Application Data\uTorrent
2009-11-19 17:30 . 2009-09-19 23:44 -------- dc----w- c:\documents and settings\12linnz\Application Data\Gearbox Software
2009-11-19 17:30 . 2009-09-19 23:30 -------- dc----w- c:\program files\Ubisoft
2009-11-17 00:56 . 2008-10-24 01:29 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-16 07:30 . 2009-09-11 21:55 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-15 20:51 . 2008-11-05 00:35 -------- dc----w- c:\program files\Java
2009-11-12 13:11 . 2009-10-06 03:58 -------- dc----w- c:\program files\EA Sports
2009-11-10 10:19 . 2009-08-03 08:29 -------- dc----w- c:\program files\Messenger Plus! Live
2009-11-10 07:24 . 2009-08-26 04:27 -------- dc----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-11-10 07:21 . 2009-08-26 00:42 -------- dc----w- c:\documents and settings\12linnz\Application Data\Sports Interactive
2009-11-10 07:01 . 2009-08-26 00:43 -------- dc----w- c:\program files\Sports Interactive
2009-11-10 06:44 . 2008-10-22 03:27 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-11-04 05:34 . 2009-09-19 02:12 139456 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-04 05:34 . 2009-09-19 02:12 190160 -c--a-w- c:\windows\system32\PnkBstrB.exe
2009-11-03 01:45 . 2009-09-22 02:44 -------- dc----w- c:\documents and settings\12linnz\Application Data\LimeWire
2009-11-02 12:08 . 2009-09-11 07:44 -------- dc----w- c:\program files\iTunes
2009-11-02 12:07 . 2009-08-03 08:19 -------- dc----w- c:\program files\Common Files\Apple
2009-10-28 08:50 . 2009-09-23 08:09 664 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-10-26 23:20 . 2009-10-26 23:20 -------- dc----w- c:\program files\Google
2009-10-23 08:28 . 2009-09-19 02:12 138056 -c--a-w- c:\documents and settings\12linnz\Application Data\PnkBstrK.sys
2009-10-23 08:28 . 2009-09-19 02:12 138056 -c--a-w- c:\documents and settings\12linnz\Application Data\PnkBstrK.sys
2009-10-23 08:28 . 2009-09-19 02:12 75064 -c--a-w- c:\windows\system32\PnkBstrA.exe
2009-10-23 08:28 . 2009-10-23 08:28 2395944 -c--a-w- c:\windows\system32\pbsvc_heroes.exe
2009-10-22 22:39 . 2008-10-24 01:40 -------- dc----w- c:\program files\Common Files\Adobe
2009-10-19 05:39 . 2009-09-11 07:52 77028 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-10-14 07:25 . 2009-10-14 07:23 -------- dc----w- c:\documents and settings\12linnz\Application Data\PPStream
2009-10-10 17:17 . 2008-11-05 00:35 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-10-09 05:23 . 2009-10-09 05:23 1107456 -c----w- c:\windows\system32\WsmSvc.dll
2009-10-09 05:23 . 2009-10-09 05:23 178176 -c----w- c:\windows\system32\wevtfwd.dll
2009-10-09 05:22 . 2009-10-09 05:22 368640 -c----w- c:\windows\system32\WsmRes.dll
2009-10-09 05:22 . 2009-10-09 05:22 69632 -c----w- c:\windows\system32\winrs.exe
2009-10-09 05:22 . 2009-10-09 05:22 42496 -c----w- c:\windows\system32\pwrshplugin.dll
2009-10-09 03:56 . 2009-10-09 03:56 209408 -c----w- c:\windows\system32\WsmWmiPl.dll
2009-10-09 03:56 . 2009-10-09 03:56 14848 -c----w- c:\windows\system32\wsmprovhost.exe
2009-10-09 03:56 . 2009-10-09 03:56 22528 -c----w- c:\windows\system32\winrshost.exe
2009-10-09 03:56 . 2009-10-09 03:56 25088 -c----w- c:\windows\system32\winrmprov.dll
2009-10-09 03:56 . 2009-10-09 03:56 12288 -c----w- c:\windows\system32\wsmplpxy.dll
2009-10-09 03:56 . 2009-10-09 03:56 2048 -c----w- c:\windows\system32\winrsmgr.dll
2009-10-09 03:56 . 2009-10-09 03:56 233984 -c----w- c:\windows\system32\winrscmd.dll
2009-10-09 03:56 . 2009-10-09 03:56 225280 -c----w- c:\windows\system32\wsmanhttpconfig.exe
2009-10-09 03:56 . 2009-10-09 03:56 12288 -c----w- c:\windows\system32\winrssrv.dll
2009-10-09 03:56 . 2009-10-09 03:56 139776 -c----w- c:\windows\system32\WsmAuto.dll
2009-10-08 03:57 . 2007-10-09 02:03 611328 -c--a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 03:57 . 2006-02-28 12:00 220160 -c--a-w- c:\windows\system32\oleacc.dll
2009-10-08 03:56 . 2006-02-28 12:00 20480 -c--a-w- c:\windows\system32\oleaccrc.dll
2009-10-06 05:20 . 2009-10-06 05:20 -------- dc----w- c:\documents and settings\12linnz\Application Data\Leadertech
2009-10-05 09:18 . 2009-10-05 07:41 -------- dc----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-10-05 09:18 . 2009-10-05 07:41 -------- dc----w- c:\documents and settings\12linnz\Application Data\Uniblue
2009-10-05 07:38 . 2009-10-05 07:38 -------- dc----w- c:\program files\IObit
2009-09-30 22:48 . 2009-09-30 22:48 -------- dc----w- c:\program files\Electronic Arts
2009-09-29 04:53 . 2009-09-29 04:47 -------- dc----w- c:\program files\Microsoft
2009-09-29 04:53 . 2009-09-29 04:53 -------- dc----w- c:\program files\Microsoft Office Outlook Connector
2009-09-28 05:41 . 2009-09-27 07:02 -------- dc----w- c:\program files\Vuze
2009-09-22 21:59 . 2009-08-03 08:08 105488 -c--a-w- c:\documents and settings\12linnz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 02:12 . 2009-09-19 02:12 794408 -c--a-w- c:\windows\system32\pbsvc.exe
2009-09-18 06:39 . 2009-09-18 06:39 444952 -c--a-w- c:\windows\system32\wrap_oal.dll
2009-09-18 06:39 . 2009-09-18 06:39 109080 -c--a-w- c:\windows\system32\OpenAL32.dll
2009-09-14 07:58 . 2009-09-30 22:47 1291640 -c--a-w- c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-09-14 07:58 . 2009-09-30 22:47 729088 -c--a-w- c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-09-11 21:54 . 2009-09-11 21:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 07:44 . 2009-09-11 21:56 515416 -c--a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 07:44 . 2009-09-11 21:56 238936 -c--a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 07:44 . 2009-09-11 21:56 69464 -c--a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 07:29 . 2009-09-11 21:56 235344 -c--a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 453456 -c--a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 1974616 -c--a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 5501792 -c--a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 1892184 -c--a-w- c:\windows\system32\D3DX9_42.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-26_09.59.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-11-26 09:59 . 2008-07-04 00:35 73728 c:\windows\Temp\sophos_autoupdate1.dir\xmltok.dll
+ 2009-11-27 00:18 . 2008-07-04 00:35 73728 c:\windows\Temp\sophos_autoupdate1.dir\xmltok.dll
- 2009-11-26 09:59 . 2008-07-04 00:35 57344 c:\windows\Temp\sophos_autoupdate1.dir\xmlparse.dll
+ 2009-11-27 00:18 . 2008-07-04 00:35 57344 c:\windows\Temp\sophos_autoupdate1.dir\xmlparse.dll
+ 2009-11-27 00:18 . 2008-07-04 00:35 14336 c:\windows\Temp\sophos_autoupdate1.dir\xmlcpp.dll
- 2009-11-26 09:59 . 2008-07-04 00:35 14336 c:\windows\Temp\sophos_autoupdate1.dir\xmlcpp.dll
- 2009-11-26 09:59 . 2008-07-04 00:35 18432 c:\windows\Temp\sophos_autoupdate1.dir\SharedRes.dll
+ 2009-11-27 00:18 . 2008-07-04 00:35 18432 c:\windows\Temp\sophos_autoupdate1.dir\SharedRes.dll
- 2009-11-26 09:59 . 2008-07-04 00:35 20480 c:\windows\Temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-11-27 00:18 . 2008-07-04 00:35 20480 c:\windows\Temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-11-27 00:18 . 2008-07-04 00:35 45056 c:\windows\Temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
- 2009-11-26 09:59 . 2008-07-04 00:35 45056 c:\windows\Temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
+ 2009-11-27 00:19 . 2009-11-27 00:19 16384 c:\windows\Temp\Perflib_Perfdata_374.dat
+ 2009-11-27 00:18 . 2009-11-27 00:18 16384 c:\windows\Temp\Perflib_Perfdata_130.dat
+ 2009-11-27 00:18 . 2009-07-22 14:50 2970 c:\windows\Temp\sophos_autoupdate1.dir\scf.dat
- 2009-11-26 09:59 . 2009-07-22 14:50 2970 c:\windows\Temp\sophos_autoupdate1.dir\scf.dat
- 2009-11-26 09:59 . 2009-01-28 13:06 208896 c:\windows\Temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-11-27 00:18 . 2009-01-28 13:06 208896 c:\windows\Temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-11-27 00:18 . 2008-07-04 00:33 348160 c:\windows\Temp\sophos_autoupdate1.dir\MSVCR71.DLL
- 2009-11-26 09:59 . 2008-07-04 00:33 348160 c:\windows\Temp\sophos_autoupdate1.dir\MSVCR71.DLL
+ 2009-11-27 00:18 . 2008-07-04 00:34 499712 c:\windows\Temp\sophos_autoupdate1.dir\MSVCP71.DLL
- 2009-11-26 09:59 . 2008-07-04 00:34 499712 c:\windows\Temp\sophos_autoupdate1.dir\MSVCP71.DLL
+ 2009-11-27 00:18 . 2008-07-04 00:35 745472 c:\windows\Temp\sophos_autoupdate1.dir\libeay32.dll
- 2009-11-26 09:59 . 2008-07-04 00:35 745472 c:\windows\Temp\sophos_autoupdate1.dir\libeay32.dll
+ 2009-11-27 00:18 . 2009-01-28 13:07 159744 c:\windows\Temp\sophos_autoupdate1.dir\libcurl.dll
- 2009-11-26 09:59 . 2009-01-28 13:07 159744 c:\windows\Temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-11-27 00:18 . 2009-07-22 14:50 176128 c:\windows\Temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-11-26 09:59 . 2009-07-22 14:50 176128 c:\windows\Temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-11-26 09:59 . 2009-07-01 13:42 172032 c:\windows\Temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-11-27 00:18 . 2009-07-01 13:42 172032 c:\windows\Temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-11-27 00:18 . 2009-07-22 14:50 663552 c:\windows\Temp\sophos_autoupdate1.dir\ALUpdate.exe
- 2009-11-26 09:59 . 2009-07-22 14:50 663552 c:\windows\Temp\sophos_autoupdate1.dir\ALUpdate.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"ZPdtWzdVitaKey MC3000"="c:\program files\Acer\Acer Bio Protection\PdtWzd.exe" [2008-10-22 3680768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-23 677144]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-04 170520]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-05-02 870920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-2 245760]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-11 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2008-10-22 03:39 3076096 ----a-w- c:\program files\Acer\Acer Bio Protection\WinNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\EA Sports\\FIFA Online 2\\FF2Client.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Documents and Settings\\12linnz\\My Documents\\Downloads\\Call Of Duty 4\\iw3mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8484:TCP"= 8484:TCP:Localhost
"8888:TCP"= 8888:TCP:ms
"3306:TCP"= 3306:TCP:MySQL Server

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [22/10/2008 2:39 PM 43184]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/09/2009 8:54 AM 721904]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [24/07/2007 8:59 AM 38816]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [3/08/2009 6:08 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [3/08/2009 6:09 PM 38528]
R2 FPSensor;LTT-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\drivers\FPSensor.sys [22/10/2008 2:39 PM 20352]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [29/10/2009 1:34 PM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [3/08/2009 6:08 PM 98304]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [24/07/2007 8:59 AM 41216]
R3 ITEIRDA;ITE Infrared Device Driver;c:\windows\system32\drivers\ITEirda.sys [22/10/2008 2:59 PM 24576]
S2 IGBASVC;iGroupTec Service;c:\program files\Acer\Acer Bio Protection\BASVC.exe [22/10/2008 2:39 PM 3481600]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 5:46 AM 284016]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [16/11/2009 6:17 PM 25832]
S3 GarenaPEngine;GarenaPEngine; [x]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 11:00 PM 14336]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [3/08/2009 6:09 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.cgs.vic.edu.au
uInternet Settings,ProxyOverride = local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\
FF - plugin: c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 11:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\program files\Acer\Acer Bio Protection\CompPtc.dll
c:\program files\Acer\Acer Bio Protection\CustomRes.dll
c:\windows\system32\NBMatS1SDK.DLL
c:\program files\Acer\Acer Bio Protection\WinNotify.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1080)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(4044)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\IfxPsdSv.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\program files\Infineon\Security Platform Software\PSDrt.exe
c:\program files\Infineon\Security Platform Software\SpTna.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\docume~1\12linnz\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2009-11-27 11:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-27 00:30
ComboFix2.txt 2009-11-26 10:08

Pre-Run: 17,998,426,112 bytes free
Post-Run: 17,951,010,816 bytes free

- - End Of File - - 3DFC0ABCEF49D4702E7E660285A5B477



#11 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 26 November 2009 - 08:11 PM

lin0056,


Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#12 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 27 November 2009 - 05:05 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, November 27, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, November 27, 2009 06:02:38
Records in database: 3295661
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
X:\

Scan statistics:
Objects scanned: 223876
Threats found: 5
Infected objects found: 45
Suspicious objects found: 0
Scan duration: 05:21:54

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Program Files\HaRepacker\HaRepacker.exe.vir Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\Qoobox\Quarantine\C\windows\Help\Sachiel.sys.bat.vir Infected: Worm.Win32.Sachiel.d 1
C:\Qoobox\Quarantine\C\windows\system32\helpdks.dll.vir Infected: Worm.Win32.Sachiel.d 1
C:\Qoobox\Quarantine\C\windows\system32\winrun.sys.pif.vir Infected: Worm.Win32.Sachiel.d 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP104\A0054803.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP109\A0056690.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP110\A0056697.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP110\A0056781.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP110\A0057271.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP116\A0060379.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP116\A0060385.bat Infected: Worm.Win32.Sachiel.d 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP116\A0060386.dll Infected: Worm.Win32.Sachiel.d 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP116\A0060387.pif Infected: Worm.Win32.Sachiel.d 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP50\A0036304.exe Infected: Trojan.Win32.Refroso.cvo 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP54\A0037474.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP59\A0038902.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP61\A0039609.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP70\A0040945.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP74\A0041327.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP75\A0041538.exe Infected: Backdoor.Win32.Poison.aylh 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP76\A0042510.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP78\A0043560.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP78\A0043860.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP78\A0043944.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP79\A0045247.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP80\A0045284.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP81\A0045550.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP81\A0046733.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP83\A0047165.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP85\A0047250.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP85\A0047727.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP86\A0048200.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP87\A0048543.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP87\A0048807.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP87\A0049143.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP88\A0049563.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP90\A0051286.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP91\A0051289.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP91\A0051294.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP91\A0051365.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP92\A0052702.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP92\A0052839.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP94\A0053331.exe Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\System Volume Information\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\RP98\A0053900.exe Infected: Trojan-Dropper.Win32.VB.afel 1
C:\WINDOWS\Gedzac.dll Infected: Worm.Win32.Sachiel.d 1

Selected area has been scanned.

#13 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 27 November 2009 - 08:37 AM

lin0056,

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\WINDOWS\Gedzac.dll
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Then please let me know of any symptoms you are having.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
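The reasoning behind post #13, written out as an added example (not code from this thread, from Kaspersky or from ComboFix): of the 45 detections in the report above, only C:\WINDOWS\Gedzac.dll is still live on disk; the rest sit in ComboFix's Qoobox quarantine or inside System Restore points. The script assumes one "path Infected: threat count" line per detection, as Kaspersky writes the report (the copy posted above lost its line breaks), uses five lines copied from that report as sample input, and renders only the live files into the File:: block CFScript.txt uses.

```python
"""Triage a Kaspersky Online Scanner report and build a ComboFix CFScript File:: block."""
import re
from collections import Counter

# Constructed sample: five lines copied from the report posted earlier in this thread,
# plus the report's trailer line, which the parser must ignore.
SAMPLE_REPORT = """\
C:\\Qoobox\\Quarantine\\C\\Program Files\\HaRepacker\\HaRepacker.exe.vir Infected: Trojan-PSW.Win32.Dybalom.bu 1
C:\\Qoobox\\Quarantine\\C\\windows\\Help\\Sachiel.sys.bat.vir Infected: Worm.Win32.Sachiel.d 1
C:\\System Volume Information\\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\\RP116\\A0060385.bat Infected: Worm.Win32.Sachiel.d 1
C:\\System Volume Information\\_restore{32559E30-933B-43C5-9594-7BAB81F2A820}\\RP75\\A0041538.exe Infected: Backdoor.Win32.Poison.aylh 1
C:\\WINDOWS\\Gedzac.dll Infected: Worm.Win32.Sachiel.d 1
Selected area has been scanned.
"""

# One detection line: a drive-letter path (may contain spaces), the literal
# " Infected: ", the threat name, and the per-file hit count.
DETECTION = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return (path, threat, count) for every detection line; header and trailer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def classify(path):
    """Decide what a detection means from where the copy lives.

    quarantine    : inside C:\\Qoobox\\Quarantine, i.e. already moved there by ComboFix
    restore_point : inside a System Restore snapshot; goes away when restore points are purged
    live          : still in place on disk, the only class that needs a CFScript entry
    """
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def triage(text):
    """Group detected paths by class and total the hit counts per threat name."""
    groups = {"quarantine": [], "restore_point": [], "live": []}
    threats = Counter()
    for path, threat, count in parse_report(text):
        groups[classify(path)].append(path)
        threats[threat] += count
    return groups, threats


def build_cfscript(live_paths):
    """Render the File:: section in the form post #13 uses: the directive, then one path per line."""
    if not live_paths:
        return ""
    return "File::\n" + "\n".join(live_paths) + "\n"


if __name__ == "__main__":
    groups, threats = triage(SAMPLE_REPORT)
    for name, paths in groups.items():
        print(f"{name:14s} {len(paths)}")
    for threat, count in threats.most_common():
        print(f"{count:3d}  {threat}")
    print(build_cfscript(groups["live"]), end="")
```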
 

#14 lin0056

lin0056

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 27 November 2009 - 04:01 PM

ComboFix 09-11-25.05 - 12LinNZ 28/11/2009 8:38.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1977.1538 [GMT 11:00]
Running from: c:\documents and settings\12linnz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\12linnz\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

FILE ::
"c:\windows\Gedzac.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Gedzac.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\documents and settings\12linnz\Application Data\Malwarebytes
2009-11-26 07:49 . 2009-09-10 03:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 07:49 . 2009-11-26 07:49 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 07:49 . 2009-09-10 03:53 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 00:06 . 2009-11-20 00:06 -------- dc----w- c:\program files\Activision
2009-11-19 05:56 . 2009-11-19 05:56 -------- dc----w- c:\program files\ERUNT
2009-11-17 12:25 . 2009-11-17 12:25 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Rockstar Games
2009-11-17 08:56 . 2009-11-17 08:56 107888 -c--a-w- c:\windows\system32\CmdLineExt.dll
2009-11-17 05:37 . 2009-11-17 05:37 -------- dc----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-17 00:50 . 2009-11-17 00:50 -------- dc----w- c:\windows\system32\winrm
2009-11-17 00:50 . 2009-11-17 00:50 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2009-11-16 06:57 . 2009-11-16 07:17 -------- dc----w- c:\program files\Dragon Age
2009-11-16 06:57 . 2009-11-16 07:30 -------- dc----w- c:\program files\Common Files\BioWare
2009-11-16 06:15 . 2009-11-26 08:28 -------- dc----w- c:\program files\Rockstar Games
2009-11-15 20:50 . 2009-11-15 20:50 152576 -c--a-w- c:\documents and settings\12linnz\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-15 20:50 . 2009-11-15 20:50 79488 -c--a-w- c:\documents and settings\12linnz\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-12 13:21 . 2009-11-21 12:16 -------- dc----w- C:\Log
2009-11-11 05:16 . 2009-11-11 05:17 -------- dc----w- c:\program files\Machinarium
2009-11-10 07:25 . 2009-11-10 07:25 -------- dc----w- c:\program files\DIFX
2009-11-10 06:44 . 2009-11-10 06:44 -------- dc----w- c:\program files\2K Games
2009-11-10 06:44 . 2009-11-10 07:24 -------- dc----w- C:\BDS
2009-11-08 12:22 . 2009-11-12 09:40 -------- dc----w- c:\windows\system32\Adobe
2009-11-05 10:37 . 2009-11-26 23:57 -------- dc----w- c:\documents and settings\12linnz\Application Data\runic games
2009-11-05 10:15 . 2009-11-26 23:57 -------- dc----w- c:\program files\Runic Games
2009-11-03 11:54 . 2009-11-03 11:54 -------- dc----w- c:\documents and settings\12linnz\Application Data\vlc
2009-11-03 10:36 . 2009-11-03 10:36 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Graboid_Inc
2009-11-03 10:36 . 2009-11-03 10:38 -------- dc----w- c:\documents and settings\12linnz\Application Data\MozillaControl
2009-11-03 10:36 . 2009-11-03 10:40 -------- dc----w- c:\documents and settings\12linnz\Local Settings\Application Data\Graboid
2009-11-03 10:35 . 2009-11-03 10:35 -------- dc----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-11-03 10:34 . 2009-11-03 10:34 -------- dc----w- c:\program files\VideoLAN
2009-11-03 10:30 . 2009-11-26 23:58 -------- dc----w- c:\program files\Graboid
2009-11-02 12:07 . 2009-11-02 12:07 -------- dc----w- c:\program files\iPod
2009-11-02 12:00 . 2009-11-02 12:00 79144 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 21:33 . 2009-08-03 08:27 -------- dc----w- c:\documents and settings\12linnz\Application Data\uTorrent
2009-11-27 09:46 . 2009-09-19 02:12 139456 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-27 09:46 . 2009-09-19 02:12 190160 -c--a-w- c:\windows\system32\PnkBstrB.exe
2009-11-19 17:30 . 2009-09-19 23:44 -------- dc----w- c:\documents and settings\12linnz\Application Data\Gearbox Software
2009-11-19 17:30 . 2009-09-19 23:30 -------- dc----w- c:\program files\Ubisoft
2009-11-17 00:56 . 2008-10-24 01:29 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-16 07:30 . 2009-09-11 21:55 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-15 20:51 . 2008-11-05 00:35 -------- dc----w- c:\program files\Java
2009-11-12 13:11 . 2009-10-06 03:58 -------- dc----w- c:\program files\EA Sports
2009-11-10 10:19 . 2009-08-03 08:29 -------- dc----w- c:\program files\Messenger Plus! Live
2009-11-10 07:24 . 2009-08-26 04:27 -------- dc----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-11-10 07:21 . 2009-08-26 00:42 -------- dc----w- c:\documents and settings\12linnz\Application Data\Sports Interactive
2009-11-10 07:01 . 2009-08-26 00:43 -------- dc----w- c:\program files\Sports Interactive
2009-11-10 06:44 . 2008-10-22 03:27 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-11-03 01:45 . 2009-09-22 02:44 -------- dc----w- c:\documents and settings\12linnz\Application Data\LimeWire
2009-11-02 12:08 . 2009-09-11 07:44 -------- dc----w- c:\program files\iTunes
2009-11-02 12:07 . 2009-08-03 08:19 -------- dc----w- c:\program files\Common Files\Apple
2009-10-28 08:50 . 2009-09-23 08:09 664 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-10-26 23:20 . 2009-10-26 23:20 -------- dc----w- c:\program files\Google
2009-10-23 08:28 . 2009-09-19 02:12 138056 -c--a-w- c:\documents and settings\12linnz\Application Data\PnkBstrK.sys
2009-10-23 08:28 . 2009-09-19 02:12 138056 -c--a-w- c:\documents and settings\12linnz\Application Data\PnkBstrK.sys
2009-10-23 08:28 . 2009-09-19 02:12 75064 -c--a-w- c:\windows\system32\PnkBstrA.exe
2009-10-23 08:28 . 2009-10-23 08:28 2395944 -c--a-w- c:\windows\system32\pbsvc_heroes.exe
2009-10-22 22:39 . 2008-10-24 01:40 -------- dc----w- c:\program files\Common Files\Adobe
2009-10-19 05:39 . 2009-09-11 07:52 77028 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-10-14 07:25 . 2009-10-14 07:23 -------- dc----w- c:\documents and settings\12linnz\Application Data\PPStream
2009-10-10 17:17 . 2008-11-05 00:35 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-10-09 05:23 . 2009-10-09 05:23 1107456 -c----w- c:\windows\system32\WsmSvc.dll
2009-10-09 05:23 . 2009-10-09 05:23 178176 -c----w- c:\windows\system32\wevtfwd.dll
2009-10-09 05:22 . 2009-10-09 05:22 368640 -c----w- c:\windows\system32\WsmRes.dll
2009-10-09 05:22 . 2009-10-09 05:22 69632 -c----w- c:\windows\system32\winrs.exe
2009-10-09 05:22 . 2009-10-09 05:22 42496 -c----w- c:\windows\system32\pwrshplugin.dll
2009-10-09 03:56 . 2009-10-09 03:56 209408 -c----w- c:\windows\system32\WsmWmiPl.dll
2009-10-09 03:56 . 2009-10-09 03:56 14848 -c----w- c:\windows\system32\wsmprovhost.exe
2009-10-09 03:56 . 2009-10-09 03:56 22528 -c----w- c:\windows\system32\winrshost.exe
2009-10-09 03:56 . 2009-10-09 03:56 25088 -c----w- c:\windows\system32\winrmprov.dll
2009-10-09 03:56 . 2009-10-09 03:56 12288 -c----w- c:\windows\system32\wsmplpxy.dll
2009-10-09 03:56 . 2009-10-09 03:56 2048 -c----w- c:\windows\system32\winrsmgr.dll
2009-10-09 03:56 . 2009-10-09 03:56 233984 -c----w- c:\windows\system32\winrscmd.dll
2009-10-09 03:56 . 2009-10-09 03:56 225280 -c----w- c:\windows\system32\wsmanhttpconfig.exe
2009-10-09 03:56 . 2009-10-09 03:56 12288 -c----w- c:\windows\system32\winrssrv.dll
2009-10-09 03:56 . 2009-10-09 03:56 139776 -c----w- c:\windows\system32\WsmAuto.dll
2009-10-08 03:57 . 2007-10-09 02:03 611328 -c--a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 03:57 . 2006-02-28 12:00 220160 -c--a-w- c:\windows\system32\oleacc.dll
2009-10-08 03:56 . 2006-02-28 12:00 20480 -c--a-w- c:\windows\system32\oleaccrc.dll
2009-10-06 05:20 . 2009-10-06 05:20 -------- dc----w- c:\documents and settings\12linnz\Application Data\Leadertech
2009-10-05 09:18 . 2009-10-05 07:41 -------- dc----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-10-05 09:18 . 2009-10-05 07:41 -------- dc----w- c:\documents and settings\12linnz\Application Data\Uniblue
2009-10-05 07:38 . 2009-10-05 07:38 -------- dc----w- c:\program files\IObit
2009-09-30 22:48 . 2009-09-30 22:48 -------- dc----w- c:\program files\Electronic Arts
2009-09-29 04:53 . 2009-09-29 04:47 -------- dc----w- c:\program files\Microsoft
2009-09-29 04:53 . 2009-09-29 04:53 -------- dc----w- c:\program files\Microsoft Office Outlook Connector
2009-09-22 21:59 . 2009-08-03 08:08 105488 -c--a-w- c:\documents and settings\12linnz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 02:12 . 2009-09-19 02:12 794408 -c--a-w- c:\windows\system32\pbsvc.exe
2009-09-18 06:39 . 2009-09-18 06:39 444952 -c--a-w- c:\windows\system32\wrap_oal.dll
2009-09-18 06:39 . 2009-09-18 06:39 109080 -c--a-w- c:\windows\system32\OpenAL32.dll
2009-09-14 07:58 . 2009-09-30 22:47 1291640 -c--a-w- c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-09-14 07:58 . 2009-09-30 22:47 729088 -c--a-w- c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-09-11 21:54 . 2009-09-11 21:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 07:44 . 2009-09-11 21:56 515416 -c--a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 07:44 . 2009-09-11 21:56 238936 -c--a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 07:44 . 2009-09-11 21:56 69464 -c--a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 07:29 . 2009-09-11 21:56 235344 -c--a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 453456 -c--a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 1974616 -c--a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 5501792 -c--a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 07:29 . 2009-09-11 21:56 1892184 -c--a-w- c:\windows\system32\D3DX9_42.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-26_09.59.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-27 21:35 . 2009-11-27 21:35 16384 c:\windows\Temp\Perflib_Perfdata_7a0.dat
+ 2009-11-27 21:36 . 2009-11-27 21:36 16384 c:\windows\Temp\Perflib_Perfdata_2d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"ZPdtWzdVitaKey MC3000"="c:\program files\Acer\Acer Bio Protection\PdtWzd.exe" [2008-10-22 3680768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-23 677144]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-04 170520]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-05-02 870920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-2 245760]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-11 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2008-10-22 03:39 3076096 ----a-w- c:\program files\Acer\Acer Bio Protection\WinNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\EA Sports\\FIFA Online 2\\FF2Client.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Documents and Settings\\12linnz\\My Documents\\Downloads\\Call Of Duty 4\\iw3mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8484:TCP"= 8484:TCP:Localhost
"8888:TCP"= 8888:TCP:ms
"3306:TCP"= 3306:TCP:MySQL Server

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [22/10/2008 2:39 PM 43184]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [24/07/2007 8:59 AM 38816]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [3/08/2009 6:08 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [3/08/2009 6:09 PM 38528]
R2 FPSensor;LTT-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\drivers\FPSensor.sys [22/10/2008 2:39 PM 20352]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [29/10/2009 1:34 PM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [3/08/2009 6:08 PM 98304]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [24/07/2007 8:59 AM 41216]
R3 ITEIRDA;ITE Infrared Device Driver;c:\windows\system32\drivers\ITEirda.sys [22/10/2008 2:59 PM 24576]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/09/2009 8:54 AM 721904]
S2 IGBASVC;iGroupTec Service;c:\program files\Acer\Acer Bio Protection\BASVC.exe [22/10/2008 2:39 PM 3481600]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 5:46 AM 284016]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [16/11/2009 6:17 PM 25832]
S3 GarenaPEngine;GarenaPEngine; [x]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 11:00 PM 14336]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [3/08/2009 6:09 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.cgs.vic.edu.au
uInternet Settings,ProxyOverride = local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\
FF - plugin: c:\documents and settings\12linnz\Application Data\Mozilla\Firefox\Profiles\ehr3xlul.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 08:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\Acer\Acer Bio Protection\CompPtc.dll
c:\program files\Acer\Acer Bio Protection\CustomRes.dll
c:\windows\system32\NBMatS1SDK.DLL
c:\program files\Acer\Acer Bio Protection\WinNotify.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1064)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-11-28 08:50
ComboFix-quarantined-files.txt 2009-11-27 21:50
ComboFix2.txt 2009-11-27 00:30
ComboFix3.txt 2009-11-26 10:08

Pre-Run: 30,320,009,216 bytes free
Post-Run: 30,374,023,168 bytes free

- - End Of File - - ED5950CFA54F528F7BCB0016184BA115



I am not having any symptoms; the computer seems to run a little faster upon startup.

#15 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 27 November 2009 - 05:49 PM

lin0056,

Log looks good :D


Time for some housekeeping
  • Click START then RUN
  • Now type ComboFix /Uninstall in the runbox and click OK.
  • Note the space between the X and the U; it needs to be there.
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.

Please re-enable any security that was disabled.

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbup:
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 
