Hi -
What are the hidden $xxxx subdirectories from the windows directory?
Ran ComboFix:
ComboFix 11-06-16.01 - admin 06/16/2011 17:47:30.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.248 [GMT -4:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\cfscript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm
c:\documents and settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm\contentscript.js
c:\documents and settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\nejcfofponajoeefedoafebpapaplkdm\manifest.json
.
.
((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
.
.
2011-06-16 07:01 . 2011-06-16 07:05 -------- d-----w- c:\windows\ie8updates
2011-06-15 21:46 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-15 05:14 . 2011-06-15 05:14 -------- d-----w- c:\program files\Common Files\Java
2011-06-15 05:14 . 2011-06-15 05:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-13 06:11 . 2011-06-13 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-06-13 06:11 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-13 06:11 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-13 06:11 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-06-13 06:11 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-06-10 13:07 . 2011-06-16 21:13 -------- d-----w- C:\@malware
2011-06-07 11:47 . 2011-06-07 11:47 -------- d-----w- c:\documents and settings\admin\Application Data\AVG10
2011-06-07 11:36 . 2011-06-07 11:36 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-06-07 11:32 . 2011-06-08 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-06-07 11:32 . 2011-06-08 13:58 -------- d-----w- c:\windows\system32\drivers\AVG
2011-06-07 11:31 . 2011-06-07 11:31 -------- d-----w- c:\program files\AVG
2011-06-07 11:24 . 2011-06-08 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-06-06 17:09 . 2011-06-08 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-06 17:09 . 2011-06-06 17:09 -------- d-----w- c:\program files\AVAST Software
2011-06-06 16:57 . 2011-06-06 17:04 -------- d-----w- c:\program files\SpywareBlaster
2011-06-05 13:16 . 2011-06-05 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-05 13:16 . 2011-06-05 13:16 -------- d-----w- c:\documents and settings\admin\Application Data\SUPERAntiSpyware.com
2011-06-05 13:15 . 2011-06-05 13:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-05 07:45 . 2011-06-06 04:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-04 16:32 . 2011-06-04 16:32 -------- d-----w- c:\program files\Watchtower
2011-06-04 15:19 . 2011-06-04 15:19 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-04 14:15 . 2011-06-04 18:56 -------- d-----w- C:\- PDF docs
2011-06-04 14:15 . 2011-06-04 15:15 -------- d-----w- C:\- maps
2011-06-04 13:55 . 2011-06-04 14:04 -------- d-----w- C:\- JW info
2011-06-04 13:55 . 2011-06-04 18:55 -------- d-----w- C:\- money
2011-06-04 13:55 . 2011-06-04 13:55 -------- d-----w- C:\- bank
2011-06-04 13:55 . 2011-06-04 18:57 -------- d-----w- C:\- XL docs
2011-06-04 13:55 . 2011-06-04 19:28 -------- d-----w- C:\- word docs
2011-06-04 13:54 . 2011-06-04 18:51 -------- d-----w- C:\- sounds
2011-06-04 13:53 . 2011-06-04 19:07 -------- d-----w- C:\- powerpoint
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-15 05:14 . 2010-06-23 21:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-04 16:09 . 2011-03-22 17:14 107 ----a-w- c:\documents and settings\admin\Application Data\netstat.bat
2011-05-29 13:11 . 2009-09-04 13:59 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 13:45 . 2011-05-16 13:45 7040 ----a-w- c:\windows\system32\sabprocenum.sys
2011-05-02 15:31 . 2009-08-15 04:39 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2009-08-15 04:39 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2009-08-15 04:39 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A1E75A0E-4397-4BA8-BB50-E19FB66890F4}"= "c:\program files\MyAshampoo\tbMyA1.dll" [2010-08-21 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PolderbitS Audio Driver Monitor.lnk]
backup=c:\windows\pss\PolderbitS Audio Driver Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2010-12-03 12:39 50592 ----a-w- c:\documents and settings\admin\Application Data\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-15 23:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-05-23 15:00 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-10-02 15:51 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=3 (0x3)
"LiveUpdate Notice Ex"=3 (0x3)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"wuauserv"=2 (0x2)
"SBAMSvc"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"VSS"=3 (0x3)
"SysmonLog"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"nlsX86cc"=2 (0x2)
"idsvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"DfSdkS"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"SBPIMSvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Parsons\\QuickVerse\\QuickVerse\\qvwin.exe"=
"c:\\Documents and Settings\\admin\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5060:UDP"= 5060:UDP:UDP
"5070:UDP"= 5070:UDP:UDP
"49152:UDP"= 49152:UDP:UDP
"65535:UDP"= 65535:UDP:UDP
"443:TCP"= 443:TCP:TCP
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/13/2011 2:11 AM 136360]
R3 CAM1690;USB PC Camera;c:\windows\system32\drivers\cam1690.sys [9/20/2007 6:03 PM 181888]
R3 PbsAuDrv;PolderbitS Audio Driver;c:\windows\system32\drivers\pbsaudrv.sys [8/1/2009 1:17 PM 110752]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [1/6/2010 4:16 PM 27168]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/4/2009 9:59 AM 366640]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/26/2005 6:19 PM 20160]
S3 cpuz130;cpuz130;\??\c:\docume~1\admin\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\admin\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 ionwpvvc;Watchport/V2 USB Camera;c:\windows\system32\drivers\ionwpvvc.sys [2/20/2008 4:50 PM 38656]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/4/2009 9:59 AM 39984]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/15/2009 12:39 AM 14336]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [1/6/2010 4:16 PM 27168]
S4 Compass Server;Compass Server; [x]
S4 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 7\DfSdkS.exe [4/13/2011 1:16 PM 406016]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2010 10:04 AM 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2010 10:04 AM 136176]
S4 magicJack;magicJack;c:\mjusbsp\srvany.exe [2/27/2011 5:32 PM 8192]
S4 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE --> c:\windows\system32\NLSSRV32.EXE [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-19 14:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: magicjack.com\my
Trusted Zone: talk4free.com\reg
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F1AACA3A-E5BE-452E-9F2E-0E4D30CBE236}: NameServer = 67.90.152.122,67.107.71.186
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-16 18:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\admin\LOCALS~1\Temp\ASFWHide"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3277941142-1728969546-3919492650-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(920)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2460)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
.
**************************************************************************
.
Completion time: 2011-06-16 18:11:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-16 22:10
ComboFix2.txt 2011-06-13 21:16
ComboFix3.txt 2011-06-13 06:03
.
Pre-Run: 58,030,985,216 bytes free
Post-Run: 58,092,498,944 bytes free
.
- - End Of File - - 81EB18F435740BA7FCE77D7B39DCAD1