ComboFix 09-02-28.01 - mbuuren 01/03/2009 15:24:31.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.3.1252.1.1033.18.255.85 [GMT 1:00]
Running from: d:\documents and settings\mbuuren\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\winnt\fxstaller.exe
c:\winnt\Web\default.htt
.
((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.
2009-03-01 15:29 . 16,384 c:\winnt\system32\Perflib_Perfdata_4a4.dat
2009-03-01 15:29 . 09-03-01 15:29 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_254.dat
2009-02-20 19:27 . 09-02-20 19:27 <DIR> d-------- c:\program files\Trend Micro
2009-02-20 19:04 . 09-02-20 19:03 410,984 --a------ c:\winnt\system32\deploytk.dll
2009-02-20 19:00 . 09-02-20 19:00 <DIR> d----c--- c:\winnt\system32\DRVSTORE
2009-02-20 19:00 . 09-02-20 18:59 64,160 --a------ c:\winnt\system32\drivers\Lbd.sys
2009-02-20 18:50 . 09-02-20 18:50 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2009-02-20 18:50 . 09-02-20 18:50 <DIR> d--h-c--- d:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-20 18:50 . 09-02-20 18:50 <DIR> d-------- c:\program files\Lavasoft
2009-02-20 18:49 . 09-02-20 18:49 <DIR> d-------- c:\winnt\winsxs
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 18:03 --------- d-----w c:\program files\Java
2008-08-18 15:35 24 ----a-w d:\documents and settings\mbuuren\jagex_runescape_preferences.dat
2007-07-21 11:45 16,256 ----a-w d:\documents and settings\mbuuren\Application Data\GDIPFONTCACHEV1.DAT
2005-10-27 11:26 271 ---ha-w c:\program files\desktop.ini
2005-10-27 11:26 21,952 ---ha-w c:\program files\folder.htt
1999-12-07 15:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.
------- Sigcheck -------
99-12-07 16:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c c:\winnt\system32\svchost.exe
99-12-07 16:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c c:\winnt\system32\dllcache\svchost.exe
02-07-22 14:05 405264 4dc317a74845603f6d2b0b325aa234c6 c:\winnt\$NtUninstallKB835732$\user32.dll
04-03-24 03:17 403216 6ae59f325971f7d151a50a4e00e04dc0 c:\winnt\$NtUninstallKB840987$\user32.dll
04-03-24 03:17 403216 6ae59f325971f7d151a50a4e00e04dc0 c:\winnt\$NtUninstallKB841533$\user32.dll
04-03-24 03:17 403216 6ae59f325971f7d151a50a4e00e04dc0 c:\winnt\$NtUninstallKB890859$\user32.dll
05-03-12 08:54 380688 05cb047c49480a2157911b0a1c7e4c10 c:\winnt\system32\USER32.DLL
05-03-12 08:54 380688 05cb047c49480a2157911b0a1c7e4c10 c:\winnt\system32\dllcache\USER32.DLL
02-07-22 14:05 68368 30cd43c6903f8e9829871e9eeb6babf5 c:\winnt\system32\ws2_32.dll
02-07-22 14:05 68368 30cd43c6903f8e9829871e9eeb6babf5 c:\winnt\system32\dllcache\ws2_32.dll
01-12-03 12:55 581632 3778734752fa22add1d52d7f3a9ca3b5 c:\winnt\system32\wininet.dll
01-12-03 12:55 581632 3778734752fa22add1d52d7f3a9ca3b5 c:\winnt\system32\dllcache\wininet.dll
02-07-22 14:05 329456 8b3cfa597a7b4ae984b8b7f21feff037 c:\winnt\$NtUninstallKB893066$\tcpip.sys
05-05-12 11:25 320176 4800519c7b6a6fa2212f1f14781430a6 c:\winnt\system32\dllcache\tcpip.sys
05-05-12 11:25 320176 4800519c7b6a6fa2212f1f14781430a6 c:\winnt\system32\drivers\tcpip.sys
02-07-22 14:05 178960 96a7495c924cf3fb1d0f857093b6f61f c:\winnt\$NtUninstallKB835732$\winlogon.exe
04-03-11 03:37 181520 563b3de5b6ee842cffa8813f9ef4cb5c c:\winnt\$NtUninstallKB840987$\winlogon.exe
04-08-24 23:59 182544 5922e8055eb439a58ef29530d8567a40 c:\winnt\$NtUninstallKB841533$\winlogon.exe
04-08-24 23:59 182544 5922e8055eb439a58ef29530d8567a40 c:\winnt\$NtUninstallKB890859$\winlogon.exe
04-08-24 23:59 182544 5922e8055eb439a58ef29530d8567a40 c:\winnt\system32\WINLOGON.EXE
04-08-24 23:59 182544 5922e8055eb439a58ef29530d8567a40 c:\winnt\system32\dllcache\WINLOGON.EXE
02-07-22 14:05 167344 880e0a9b181c05ab45f282ceec47b6b4 c:\winnt\system32\dllcache\ndis.sys
02-07-22 14:05 167344 880e0a9b181c05ab45f282ceec47b6b4 c:\winnt\system32\drivers\ndis.sys
02-07-22 14:05 1687360 08888c725e9ac9f3c8767546d0338b1c c:\winnt\$NtUninstallKB835732$\ntkrnlpa.exe
04-02-26 00:55 1699264 831ba187b86d6ded01d81a9594ed20e2 c:\winnt\$NtUninstallKB840987$\ntkrnlpa.exe
04-06-17 18:15 1703744 f7005c5a9d3cdd606d0c18f5477a929e c:\winnt\$NtUninstallKB890859$\ntkrnlpa.exe
05-03-02 10:49 1713280 3be4786a7e50f7ae4ac9f1b23a057835 c:\winnt\Driver Cache\i386\ntkrnlpa.exe
05-03-02 10:49 1713280 3be4786a7e50f7ae4ac9f1b23a057835 c:\winnt\system32\NTKRNLPA.EXE
05-03-02 10:49 1713280 3be4786a7e50f7ae4ac9f1b23a057835 c:\winnt\system32\dllcache\ntkrnlpa.exe
02-07-22 14:05 1712720 1be931a7bb06c089812029603ae9fe88 c:\winnt\$NtUninstallKB835732$\ntoskrnl.exe
04-03-11 03:37 1726032 fd0d750e6a9af878f3d21b12854c6806 c:\winnt\$NtUninstallKB840987$\ntoskrnl.exe
04-06-17 18:14 1680960 6ace8cc01d1232947c4ce3789fce9d51 c:\winnt\$NtUninstallKB890859$\ntoskrnl.exe
05-03-02 10:48 1690496 47880add9f1e5467f1f4536c76674166 c:\winnt\Driver Cache\i386\ntoskrnl.exe
05-03-02 10:48 1690496 47880add9f1e5467f1f4536c76674166 c:\winnt\system32\NTOSKRNL.EXE
05-03-02 10:48 1690496 47880add9f1e5467f1f4536c76674166 c:\winnt\system32\dllcache\ntoskrnl.exe
02-07-22 14:05 242960 51794d917250081ab41a77950cee481d c:\winnt\explorer.exe
02-07-22 14:05 242960 51794d917250081ab41a77950cee481d c:\winnt\system32\dllcache\explorer.exe
02-07-22 14:05 88848 7f164d07ba059b6e3c37c119b49b282a c:\winnt\system32\services.exe
02-07-22 14:05 88848 7f164d07ba059b6e3c37c119b49b282a c:\winnt\system32\dllcache\services.exe
02-07-22 14:05 33552 0fabc9f91eab355a6303fa540071aee7 c:\winnt\$NtUninstallKB835732$\lsass.exe
04-02-26 00:59 33552 0c13d582edaf90cbea454a1ac535b913 c:\winnt\system32\LSASS.EXE
04-02-26 00:59 33552 0c13d582edaf90cbea454a1ac535b913 c:\winnt\system32\dllcache\lsass.exe
01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 c:\winnt\system32\CTFMON.EXE
02-07-22 14:05 45328 bf50e306a42659938ba10218425709ab c:\winnt\system32\SPOOLSV.EXE
02-07-22 14:05 45328 bf50e306a42659938ba10218425709ab c:\winnt\system32\dllcache\spoolsv.exe
02-07-22 14:05 17680 d2c7c9f5c2623f6f7814231e278de9ff c:\winnt\system32\userinit.exe
02-07-22 14:05 17680 d2c7c9f5c2623f6f7814231e278de9ff c:\winnt\system32\dllcache\userinit.exe
02-07-22 14:05 733968 64bb009c268a573563e71971ac0f8ed7 c:\winnt\$NtUninstallKB835732$\kernel32.dll
04-03-24 03:17 742160 5e9bb22c56919870fc80444e655f8af6 c:\winnt\$NtUninstallKB840987$\kernel32.dll
04-06-18 00:05 712464 276abd5dd2053008c6c327c590dd806d c:\winnt\$NtUninstallKB841533$\kernel32.dll
04-06-22 02:35 712464 cbfc72131fb475249db3667239f3f4ea c:\winnt\$NtUninstallKB890859$\kernel32.dll
04-06-18 00:05 712464 755d6527f8429bece4ac2878dcbdd1b2 c:\winnt\Driver Cache\i386\kernel32.dll
04-06-18 00:05 712464 276abd5dd2053008c6c327c590dd806d c:\winnt\system32\KERNEL32.DLL
04-06-18 00:05 712464 755d6527f8429bece4ac2878dcbdd1b2 c:\winnt\system32\dllcache\kernel32.dll
02-07-22 14:05 13584 66fbe4b4ece98daf4cbaeec55536ccec c:\winnt\system32\powrprof.dll
02-07-22 14:05 13584 66fbe4b4ece98daf4cbaeec55536ccec c:\winnt\system32\dllcache\powrprof.dll
02-07-22 14:05 96016 f1bdfee375dec136dac53255dfca6d1c c:\winnt\system32\imm32.dll
02-07-22 14:05 96016 f1bdfee375dec136dac53255dfca6d1c c:\winnt\system32\dllcache\imm32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 c:\winnt\system32\CTFMON.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDPS"="c:\winnt\System32\dpmw32.exe" [00-01-21 05:47 28672]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [03-05-29 20:26 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [03-05-29 20:14 114688]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [03-09-29 06:10 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [04-08-25 02:50 139320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [09-02-20 19:03 136600]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [09-02-20 18:59 509784]
"ZENRC Tray Icon"="zentray.exe" [01-06-15 16:21 28672 c:\winnt\system32\zentray.exe]
"NWTRAY"="NWTRAY.EXE" [02-03-12 10:37 28672 c:\winnt\system32\nwtray.exe]
"Synchronization Manager"="mobsync.exe" [99-12-07 16:00 111376 c:\winnt\system32\mobsync.exe]
"ATIModeChange"="Ati2mdxx.exe" [02-08-28 20:17 28672 c:\winnt\system32\Ati2mdxx.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 16:00 20752 c:\winnt\system32\internat.exe]
d:\documents and settings\All Users\Start Menu\Programs\Startup\
PGPtray.lnk - c:\program files\Network Associates\PGP\PGPtray.exe [2005-10-27 221184]
Sitecom Wireless Utility.lnk - c:\program files\Sitecom\Sitecom WL-170 Wireless LAN Card\Installer\WLANUTL.exe [2008-08-20 913408]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= "c:\winnt\system32\NalExpEx.dll" [02-10-04 07:20 131072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"MSACM.CTRXAUD"= ctrxaud.acm
"VIDC.CTRX"= ctrxvid.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
R0 PGPPM;PGP Policy Manager;c:\winnt\system32\drivers\PGPpm.sys [2005-10-27 154176]
R1 PGPTDI;PGP TDI Driver;c:\winnt\system32\drivers\PGPTdi.sys [2005-10-27 16450]
R2 BlankScreen;HBDevice;c:\winnt\system32\drivers\blankscreen.sys [2005-10-27 4480]
R2 Kblock;Kblock;c:\winnt\system32\drivers\kblock.sys [1980-01-01 3742]
R2 Mouslock;Mouslock;c:\winnt\system32\drivers\mouslock.sys [1980-01-01 3779]
R2 PGPsdkDriver;PGPsdkDriver;c:\winnt\system32\drivers\PGPsdk.sys [2005-10-27 25600]
R2 PGPsdkServ;PGPsdkService;c:\winnt\system32\PGPsdkServ.exe [2005-10-27 77824]
R2 PGPService;PGPService;c:\program files\Network Associates\PGP\PGPservice.exe [2005-10-27 405504]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2006-01-31 24752]
R3 pgpnet;PGPnet VPN;c:\winnt\system32\drivers\PGPnet.sys [2005-10-27 40010]
R3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2006-01-31 49392]
S0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-02-20 64160]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"%ProgramFiles%\setup50.exe" /APP:OE /CALLER:IE50 /user /install
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-Lavasoft Ad-Aware Service
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.nl/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\mbuuren\Application Data\Mozilla\Firefox\Profiles\yjxahxaf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 15:30:33
Windows 5.0.2195 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\winnt\system32\Perflib_Perfdata_300.dat 16384 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(200)
c:\winnt\system32\NRDWIN32.dll
c:\winnt\system32\msv1_0.dll
c:\winnt\System32\AXNMAS~1.OCX
c:\winnt\System32\AXNMAS~2.OCX
.
Completion time: 2009-03-01 15:33:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-01 14:32:31
Pre-Run: 2,482,980,352 bytes free
Post-Run: 2,438,882,816 bytes free