ComboFix 09-06-13.03 - kd 06/13/2009 16:50.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1021.434 [GMT -5:00]
Running from: c:\users\kd\Desktop\combifias.exe
Command switches used :: c:\users\kd\Desktop\CFScript.txt
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
SP: COMODO Defense+ *disabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll"
"c:\windows\system32\3z447not-a-5i9us5.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\uTorrent
c:\program files\uTorrent\uTorrent.exe
c:\windows\system32\3z447not-a-5i9us5.exe
.
((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.
2009-06-13 21:56 . 2009-06-13 21:56 -------- d-----w- c:\users\kd\AppData\Local\temp
2009-06-13 14:24 . 2008-08-13 13:10 262144 ----a-w- c:\program files\Uninstall Ask Toolbar.dll
2009-06-11 22:03 . 2009-06-12 05:56 -------- d-----w- C:\rsit
2009-06-11 21:30 . 2009-06-11 21:30 -------- d-----w- c:\users\kd\AppData\Roaming\Malwarebytes
2009-06-11 21:27 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 21:27 . 2009-06-11 21:27 -------- d-----w- c:\programdata\Malwarebytes
2009-06-11 21:27 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 21:27 . 2009-06-11 21:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 04:04 . 2009-06-09 05:00 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-09 00:04 . 2009-06-09 00:04 -------- d-----w- c:\program files\Trend Micro
2009-06-08 23:56 . 2009-06-09 05:15 -------- d-----w- C:\32788R22FWJFW.2.tmp
2009-06-08 23:50 . 2009-06-09 05:15 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-06-08 23:49 . 2009-06-09 05:15 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-08 22:42 . 2009-06-08 23:34 -------- d-----w- C:\vcs5BGEffects
2009-06-08 21:06 . 2009-06-08 21:06 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-06-07 20:38 . 2009-06-08 22:42 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2009-06-05 04:31 . 2009-06-05 04:32 -------- d-----w- C:\AV_LOGS
2009-06-05 04:29 . 2009-06-05 04:29 -------- d-----w- c:\users\kd\{ac2e2b8c-c423-4baa-a0a1-d154ebcab39c}
2009-06-05 04:29 . 2008-12-10 21:56 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2009-06-04 15:07 . 2009-06-04 15:07 -------- d-----w- c:\users\kd\AppData\Local\NCSoft
2009-06-04 14:47 . 2009-06-04 14:47 -------- d-----w- c:\users\kd\AppData\Local\assembly
2009-06-04 14:47 . 2009-06-04 14:48 -------- d-----w- c:\program files\NCSoft
2009-06-04 14:45 . 2009-06-04 14:45 -------- d-----w- c:\users\kd\AppData\Roaming\GetRightToGo
2009-06-03 21:06 . 2009-06-03 21:06 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-21 21:39 . 2009-05-21 21:39 -------- d-----w- c:\users\kd\AppData\Local\CCP
2009-05-21 21:37 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-05-21 20:37 . 2009-05-21 20:37 -------- d-----w- c:\program files\CCP
2009-05-20 13:12 . 2009-05-20 13:12 -------- d-----w- c:\programdata\CCP
2009-05-15 22:44 . 2009-05-15 22:44 -------- d-sh--w- C:\found.000
2009-05-15 03:55 . 2009-05-15 03:55 -------- d-----w- C:\GamersFirst
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 14:47 . 2008-08-06 23:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-03 21:07 . 2008-08-13 15:24 -------- d-----w- c:\program files\DivX
2009-05-27 13:05 . 2008-08-13 13:07 68640 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-05-27 13:04 . 2008-08-13 13:07 168208 ----a-w- c:\windows\system32\guard32.dll
2009-05-27 13:04 . 2008-08-13 13:07 28704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-05-27 13:04 . 2008-08-13 13:07 130080 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-05-13 08:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-01 21:02 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-30 04:53 . 2009-01-16 23:52 -------- d-----w- c:\users\kd\AppData\Roaming\DivX
2009-04-24 16:05 . 2009-06-11 23:57 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-11 23:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-11 23:57 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-11 23:57 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-11 23:57 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-11 23:57 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-03-17 03:38 . 2009-04-16 22:27 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-16 22:27 24064 ----a-w- c:\windows\system32\amxread.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-06-12_22.16.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-04 21:27 . 2009-06-13 21:41 37006 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-06-13 21:41 47964 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:02 . 2009-06-12 22:07 47964 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-04 20:03 . 2009-06-13 21:39 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-04 20:03 . 2009-06-12 22:05 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-04 20:03 . 2009-06-13 21:39 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-04 20:03 . 2009-06-12 22:05 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-04 20:03 . 2009-06-13 21:39 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-04 20:03 . 2009-06-12 22:05 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-05 08:06 . 2009-06-12 06:11 2526 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-08-05 08:06 . 2009-06-13 05:52 2526 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-08-04 21:27 . 2009-06-13 21:41 9894 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-687904369-1910372425-1874226365-1000_UserData.bin
- 2009-06-12 22:05 . 2009-06-12 22:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-13 21:39 . 2009-06-13 21:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-13 21:39 . 2009-06-13 21:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-06-12 22:05 . 2009-06-12 22:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="c:\fraps\FRAPS.EXE" [2006-12-21 2842624]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-05-27 1794320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-05-27 1794320]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\cssdll32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{1778FE0B-BF96-4953-B935-179B7437D69D}c:\\users\\kd\\desktop\\server files1\\server files\\login server\\mystver.exe"= UDP:c:\users\kd\desktop\server files1\server files\login server\mystver.exe:mystver.exe
"UDP Query User{88F53694-E69A-454D-8FC6-4FB53CE28DD4}c:\\users\\kd\\desktop\\server files1\\server files\\login server\\mystver.exe"= TCP:c:\users\kd\desktop\server files1\server files\login server\mystver.exe:mystver.exe
"{8A302BCB-7AFB-4200-97E6-8C9660DE6A03}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{A0ECFA77-2627-4D41-B6B0-9F180AA475DF}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{CBB11CC8-C1DD-481E-B77B-CF858B12FD68}"= UDP:c:\programdata\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{285EE04E-04BF-4A16-AF72-80B442943410}"= TCP:c:\programdata\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{E51A6262-A416-477C-B778-BE7BEA1385D8}"= UDP:c:\program files\Microsoft Games\SpiderSolitaire\Combat Arms\NMService.exe:Nexon Messenger Core
"{04173EB3-F8AB-4A3C-BD23-645DFCA487CE}"= TCP:c:\program files\Microsoft Games\SpiderSolitaire\Combat Arms\NMService.exe:Nexon Messenger Core
"{7F3C589C-C0A7-4BCE-B8D8-2ABD50B61FDD}"= UDP:e:\combat arms\NMService.exe:Nexon Messenger Core
"{66C4B3AD-9EEE-48E1-B0D5-DFF0D14D98FC}"= TCP:e:\combat arms\NMService.exe:Nexon Messenger Core
"{9AED4EB8-F38C-4D7C-AA66-896FC8DF1BA2}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{6D70F1C7-135B-49F7-ACD9-AAC12CC8AF27}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [8/13/2008 8:07 AM 130080]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [8/13/2008 8:07 AM 28704]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [6/14/2008 12:02 PM 17408]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [1/22/2009 4:31 AM 185640]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\System32\drivers\vcsvad.sys [6/4/2009 11:29 PM 17792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
FF - ProfilePath - c:\users\kd\AppData\Roaming\Mozilla\Firefox\Profiles\5yd86hid.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-06-13 16:56
Windows 6.0.6001 Service Pack 1 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(968)
c:\windows\System32\cssdll32.dll
- - - - - - - > 'lsass.exe'(712)
c:\windows\System32\cssdll32.dll
c:\windows\system32\guard32.dll
.
Completion time: 2009-06-13 16:58
ComboFix-quarantined-files.txt 2009-06-13 21:58
ComboFix2.txt 2009-06-12 22:18
Pre-Run: 122,823,475,200 bytes free
Post-Run: 122,795,212,800 bytes free
183 --- E O F --- 2009-06-13 13:57