July 4th, 2010, 11:26 PM
#13
combofix log
Broni
Seems like you are working too hard on the Fourth of July. Hope you are not doing this for me. I can wait.
ComboFix 10-07-04.02 - Ray 07/04/2010 20:07:00.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1326 [GMT -7:00]
Running from: c:\documents and settings\Ray\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ray\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Ray\LOCALS~1\Temp\IadHide3.dll
c:\documents and settings\Ray\Local Settings\Temp\IadHide3.dll
.
((((((((((((((((((((((((( Files Created from 2010-06-05 to 2010-07-05 )))))))))))))))))))))))))))))))
.
2010-07-02 03:17 . 2010-07-02 03:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-25 23:31 . 2010-06-25 23:31 -------- d-----w- c:\program files\winMd5Sum
2010-06-23 01:19 . 2010-06-23 01:19 3638 ----a-r- c:\documents and settings\Ray\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
2010-06-23 00:56 . 2010-06-23 00:56 -------- d-----w- c:\program files\Alex Feinman
2010-06-21 04:38 . 2010-06-21 04:38 240640 ----a-w- c:\documents and settings\Ray\Application Data\HorizonWimba\JSecureDoor\audioproxy_1.0.3\data\audioproxy.exe
2010-06-21 04:37 . 2010-06-21 04:37 -------- d-----w- c:\documents and settings\Ray\Application Data\HorizonWimba
2010-06-20 22:53 . 2010-06-20 22:56 -------- d-----w- c:\documents and settings\Ray\Application Data\InfraRecorder
2010-06-20 22:53 . 2010-06-20 22:53 -------- d-----w- c:\documents and settings\Ray\Local Settings\Application Data\Yahoo
2010-06-20 22:52 . 2010-06-25 23:47 -------- d-----w- c:\program files\InfraRecorder
2010-06-20 22:52 . 2010-06-20 22:52 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-06-20 22:52 . 2010-06-20 22:52 14534 ----a-r- c:\documents and settings\Ray\Application Data\Microsoft\Installer\{E7B100D8-98A5-42AA-830F-16D6BD5351F1}\SystemFolder_msiexec.exe
2010-06-20 22:52 . 2010-06-20 22:52 -------- d-----w- c:\documents and settings\Ray\Application Data\FCSB000062035
2010-06-20 22:52 . 2010-06-20 22:52 638976 ----a-w- c:\documents and settings\Ray\Application Data\FCSB000062035\Toolbar\ShoppingBHO.dll
2010-06-20 22:52 . 2010-06-20 22:52 47275 ----a-w- c:\documents and settings\Ray\Application Data\FCSB000062035\Toolbar\Uninst.exe
2010-06-20 22:52 . 2009-11-25 07:38 713 ----a-w- c:\documents and settings\Ray\Application Data\FCSB000062035\Toolbar\patch.bat
2010-06-20 22:52 . 2010-06-20 22:52 -------- d-----w- c:\program files\Freeze.com
2010-06-20 22:52 . 2010-06-20 22:52 -------- d-----w- c:\program files\Shop to Win 2
2010-06-20 22:52 . 2010-06-20 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-06-20 22:52 . 2010-06-20 22:52 -------- d-----w- c:\documents and settings\Ray\Application Data\Yahoo!
2010-06-20 22:52 . 2010-06-21 02:36 -------- d-----w- c:\program files\Yahoo!
2010-06-11 03:23 . 2010-06-11 04:05 256 ----a-w- c:\windows\system32\pool.bin
2010-06-11 03:23 . 2010-06-11 03:25 -------- d-----w- c:\documents and settings\Ray\Application Data\Research In Motion
2010-06-11 03:22 . 2009-01-09 23:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-06-11 03:22 . 2010-06-11 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-06-11 03:22 . 2010-06-11 03:22 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-06-11 03:21 . 2010-06-11 03:22 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-06-11 03:21 . 2010-06-11 03:23 -------- d-----w- c:\program files\Research In Motion
2010-06-10 19:40 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\8423\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\8423\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\8423\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\8423\AcrobatUpdater.exe
2010-06-05 05:14 . 2010-06-05 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\MSScanAppDataDir
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 03:19 . 2009-12-05 02:09 -------- d-----w- c:\documents and settings\Ray\Application Data\Skype
2010-07-05 00:48 . 2009-12-05 02:26 -------- d-----w- c:\documents and settings\Ray\Application Data\skypePM
2010-07-04 21:45 . 2010-06-01 01:43 -------- d-----w- c:\program files\Full Tilt Poker
2010-07-02 03:59 . 2010-03-14 00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-02 03:33 . 2010-02-14 16:55 -------- d-----w- c:\program files\Opera
2010-06-30 18:20 . 2010-02-17 05:42 -------- d-----w- c:\documents and settings\Ray\Application Data\gtk-2.0
2010-06-20 02:08 . 2009-11-23 05:44 -------- d-----w- c:\documents and settings\Ray\Application Data\Apple Computer
2010-06-20 02:05 . 2009-11-23 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-05 14:38 . 2010-02-14 17:07 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-27 03:46 . 2010-05-27 03:28 -------- d-----w- c:\program files\thinkorswim
2010-05-27 01:49 . 2009-11-28 06:07 -------- d-----w- c:\program files\PokerStars
2010-05-23 23:16 . 2009-11-24 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-14 21:07 . 2010-02-17 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Fiesta Download Manager
2010-05-14 21:06 . 2010-02-17 05:41 -------- d-----w- c:\program files\Fiesta Download Manager
2010-05-09 22:37 . 2009-11-22 16:52 348952 -c--a-w- c:\documents and settings\Ray\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-09 22:17 . 2010-02-23 01:17 -------- d-----w- c:\program files\The Print Shop 21
2010-05-06 10:41 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-23 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2010-03-14 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-03-14 00:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 19:40 . 2010-04-24 19:40 50354 ----a-w- c:\documents and settings\Ray\Application Data\Facebook\uninstall.exe
2010-04-20 05:30 . 2001-08-23 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-15 03:35 . 2009-11-28 05:40 121416 -c-ha-w- c:\windows\system32\mlfcache.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}"= "c:\program files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll" [2010-01-19 361592]
[HKEY_CLASSES_ROOT\clsid\{e38fa08e-f56a-4169-abf5-5c71e3c153a1}]
[HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{1E8FC16F-4C51-49C4-BC9B-4FC24BDDCEE7}]
[HKEY_CLASSES_ROOT\NetAssistant.NetAssistantBHO]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20FEC4E7-F7B7-438B-8191-33D2EFC5EBEA}]
2010-06-20 22:52 638976 ----a-w- c:\program files\Shop to Win 2\ShoppingBHO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]
2010-01-19 22:08 361592 ----a-w- c:\program files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F6BD6330-76F8-44d9-B775-87614E2D8374}"= "c:\program files\Fiesta Download Manager\mp3bar.dll" [2010-05-14 222208]
[HKEY_CLASSES_ROOT\clsid\{f6bd6330-76f8-44d9-b775-87614e2d8374}]
[HKEY_CLASSES_ROOT\ToolBand.MP3Bar.1]
[HKEY_CLASSES_ROOT\TypeLib\{09082C8C-70CA-4077-AFBB-C2F85AFC7438}]
[HKEY_CLASSES_ROOT\ToolBand.MP3Bar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F6BD6330-76F8-44D9-B775-87614E2D8374}"= "c:\program files\Fiesta Download Manager\mp3bar.dll" [2010-05-14 222208]
[HKEY_CLASSES_ROOT\clsid\{f6bd6330-76f8-44d9-b775-87614e2d8374}]
[HKEY_CLASSES_ROOT\ToolBand.MP3Bar.1]
[HKEY_CLASSES_ROOT\TypeLib\{09082C8C-70CA-4077-AFBB-C2F85AFC7438}]
[HKEY_CLASSES_ROOT\ToolBand.MP3Bar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2009-11-23 16384]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 35328]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-11 339968]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2009-11-22 156160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/20/2010 1:17 PM 108289]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 4:31 AM 92008]
.
Contents of the 'Scheduled Tasks' folder
2010-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
2010-07-04 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2001-08-23 13:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &MP3Bar - c:\program files\Fiesta Download Manager\mp3bar.dll/MENUSEARCH.HTM
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
FF - ProfilePath - c:\documents and settings\Ray\Application Data\Mozilla\Firefox\Profiles\j1zwhh86.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-04 20:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
- - - - - - - > 'explorer.exe'(3580)
c:\windows\system32\WININET.dll
c:\docume~1\Ray\LOCALS~1\Temp\IadHide3.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-07-04 20:22:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-05 03:22
ComboFix2.txt 2010-07-05 00:54
ComboFix3.txt 2010-03-16 01:53
Pre-Run: 32,437,551,104 bytes free
Post-Run: 32,445,591,552 bytes free
- - End Of File - - 222A4902E358C72404067DF7A3A622FD