c:\windows\z0165t9oj6e5.ocx
c:\windows\z075troj954.cpl
c:\windows\z1059hacktool6d9.cpl
c:\windows\z1580not-a9virus530.ocx
c:\windows\z1650wor955.exe
c:\windows\z191tr5j92b.exe
c:\windows\z196spambot158.dll
c:\windows\z35965a9ktool345.dll
c:\windows\z35985irus971.exe
c:\windows\z4007not-5-v9rus508.dll
c:\windows\z40not-9-virus757.cpl
c:\windows\z4370virus3c59.dll
c:\windows\z4525s9yb1.dll
c:\windows\z525s59115.exe
c:\windows\z5377hack9ool594.cpl
c:\windows\z6502spy449.exe
c:\windows\z672download9r27725.exe
c:\windows\z6bbthi9f4695.cpl
c:\windows\z7649s5y1dc.dll
c:\windows\z8095spy75c.ocx
c:\windows\z8b4addw9re5014.exe
c:\windows\z915w9rm321.cpl
c:\windows\z9927virus145.dll
c:\windows\z9b75ackdoor1938.exe
c:\windows\z9ceba9kdoor5625.cpl
c:\windows\zf75v9r1292.dll
c:\windows\zfca95r2595.ocx
.
((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.
2009-06-03 03:10 . 2009-06-03 03:10 -------- d-----w- c:\users\sean\AppData\Local\temp
2009-06-03 03:10 . 2009-06-03 03:10 -------- d-----w- c:\users\Wormy\AppData\Local\temp
2009-06-02 03:59 . 2009-06-02 03:59 -------- d-----w- c:\program files\Trend Micro
2009-06-02 03:36 . 2009-06-02 03:36 -------- d-----w- c:\windows\Sun
2009-06-02 03:20 . 2009-06-02 03:20 -------- d-----w- c:\users\sean\AppData\Roaming\Malwarebytes
2009-06-02 03:20 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 03:20 . 2009-06-02 03:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-02 03:20 . 2009-06-02 03:20 -------- d-----w- c:\programdata\Malwarebytes
2009-06-02 03:20 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-02 03:09 . 2009-06-02 03:09 574 ----a-w- C:\cleanup.bat
2009-06-02 03:09 . 2009-06-02 03:09 19286 ----a-w- C:\cleanup.exe
2009-06-02 03:09 . 2009-06-02 03:09 135168 ----a-w- C:\zip.exe
2009-06-02 01:25 . 2009-06-02 01:25 5179 ----a-w- c:\windows\54t59jz.exe
2009-06-02 01:24 . 2009-06-02 01:24 348160 ----a-w- c:\windows\system32\blocker.dll
2009-05-18 15:05 . 2009-05-08 16:49 486168 ----a-w- c:\programdata\avg8\update\backup\avgrsx.exe
2009-05-18 15:05 . 2009-05-08 16:49 2051864 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-05-18 15:05 . 2009-05-08 16:49 354584 ----a-w- c:\programdata\avg8\update\backup\avgxch32.dll
2009-05-18 15:05 . 2009-05-08 16:49 3288344 ----a-w- c:\programdata\avg8\update\backup\setup.exe
2009-05-18 15:05 . 2009-05-08 16:49 424472 ----a-w- c:\programdata\avg8\update\backup\avgwdwsc.dll
2009-05-18 15:05 . 2009-05-08 16:49 312088 ----a-w- c:\programdata\avg8\update\backup\avglngx.dll
2009-05-18 15:05 . 2009-05-08 16:49 177432 ----a-w- c:\programdata\avg8\update\backup\avgmail.dll
2009-05-18 15:02 . 2009-05-08 16:44 755992 ----a-w- c:\programdata\avg8\update\backup\avginet.dll
2009-05-18 15:02 . 2009-05-08 16:44 1437464 ----a-w- c:\programdata\avg8\update\backup\avgupd.dll
2009-05-17 16:19 . 2009-05-08 16:49 2302232 ----a-w- c:\programdata\avg8\update\backup\avguiadv.dll
2009-05-17 16:19 . 2009-05-08 16:49 3399960 ----a-w- c:\programdata\avg8\update\backup\avgui.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 03:36 . 2007-09-28 21:36 1356 ----a-w- c:\users\sean\AppData\Local\d3d9caps.dat
2009-05-28 17:18 . 2009-02-04 05:14 -------- d-----w- c:\program files\Curse
2009-05-14 10:02 . 2007-10-14 03:52 -------- d-----w- c:\programdata\Microsoft Help
2009-05-14 10:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-08 16:49 . 2009-02-03 17:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-08 16:49 . 2008-04-27 23:03 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-08 16:49 . 2008-04-27 23:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-06 07:40 . 2008-05-20 22:39 -------- d-----w- c:\programdata\media center programs
2009-04-19 10:12 . 2009-04-19 10:12 -------- d-----w- c:\program files\MagicDisc
2009-04-19 10:08 . 2009-04-19 10:08 -------- d-----w- c:\program files\MagicISO
2009-03-17 03:38 . 2009-04-16 20:20 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-16 20:20 24064 ----a-w- c:\windows\system32\amxread.dll
2009-03-16 21:18 . 2009-04-05 20:52 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 21:18 . 2009-04-05 20:52 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-03-16 21:18 . 2009-04-05 20:52 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-03-16 21:18 . 2009-04-05 20:52 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 22:27 . 2009-04-05 20:52 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-03-09 22:27 . 2009-04-05 20:52 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-03-09 22:27 . 2009-04-05 20:52 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-05-15 1933312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-08 1947928]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-02 1261568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RandMAC"="c:\program files\MadMACs1.2\MadMACs\MadMACs.exe" [2008-08-07 253245]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 92704]
"CTHelper"="CTHELPER.EXE" - c:\windows\System32\CTHELPER.EXE [2007-02-13 19456]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\System32\Ctxfihlp.exe [2007-02-13 19968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-05-26 414480]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-05-26 1283344]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]
c:\users\Wormy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
OneNote Table Of Contents.onetoc2 [2009-4-4 3656]
c:\users\sean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-19 576000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"NoDispBackgroundPage"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Hawking Wireless Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Hawking Wireless Utility.lnk
backup=c:\windows\pss\Hawking Wireless Utility.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^sean^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\sean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{98B127AE-85A5-4079-AC46-70C42CC7DE43}c:\\program files\\turbine\\dungeons & dragons online - stormreach\\dndclient.exe"= UDP:c:\program files\turbine\dungeons & dragons online - stormreach\dndclient.exe:dndclient
"UDP Query User{4C8FD282-2335-44C7-A9D8-49A154ECE0C3}c:\\program files\\turbine\\dungeons & dragons online - stormreach\\dndclient.exe"= TCP:c:\program files\turbine\dungeons & dragons online - stormreach\dndclient.exe:dndclient
"TCP Query User{F21FCED1-918C-44EF-86D3-AFC64ACF2B11}c:\\program files\\bitlord\\bitlord.exe"= UDP:c:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{1F321628-792B-40A8-B9BF-886B8A39F577}c:\\program files\\bitlord\\bitlord.exe"= TCP:c:\program files\bitlord\bitlord.exe:BitLord
"{D73528E4-E97F-4D39-9460-7CE6F30678D2}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{1875E92A-9C70-4C1F-95FA-D3A0B69600B9}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{DFCC8892-E928-4F01-90B8-7548739FFA75}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3585F77C-E717-4272-AEA4-76A64796BC12}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{97842A9F-CE6C-4056-B4DF-EC5F7E19F623}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{D3A35673-DD95-4E7F-8E8F-DE19E5BF2652}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{35CAD35F-69E1-4C9A-A781-8091772553AB}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{0EC37945-EC97-481A-8594-5E82176C5A14}c:\\program files\\ccp\\eve\\bin\\exefile.exe"= UDP:c:\program files\ccp\eve\bin\exefile.exe:CCP ExeFile
"UDP Query User{4AC8A5F9-35DB-41E0-95E2-A18B9B868B4A}c:\\program files\\ccp\\eve\\bin\\exefile.exe"= TCP:c:\program files\ccp\eve\bin\exefile.exe:CCP ExeFile
"TCP Query User{596970D5-3A9D-4BFC-ACEF-F1FD98F2807B}c:\\matrix games\\empires in arms\\update.exe"= UDP:c:\matrix games\empires in arms\update.exe:TrueUpdate Client
"UDP Query User{DDCCD428-96CC-4625-B803-5A31503F49BC}c:\\matrix games\\empires in arms\\update.exe"= TCP:c:\matrix games\empires in arms\update.exe:TrueUpdate Client
"{94AFD6CC-2891-4794-B06E-2CE7FC432867}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{66B2C133-F1F2-4D2C-8A4E-C00144A6B873}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{A3E239F7-E0AC-4C16-B5AF-E57B40C73C65}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{BB0FB226-F26B-4B3E-ADCE-08D19BAFF754}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{D86F399E-B185-4FC8-B0BB-640AEE2269A4}"= UDP:c:\program files\Curse\CurseClient.exe:Curse Client
"{565F1EF6-E355-4B03-900E-FDA7F2FD115F}"= TCP:c:\program files\Curse\CurseClient.exe:Curse Client
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187.sys [6/27/2008 1:40 AM 335872]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [4/27/2008 4:03 PM 325896]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/3/2009 10:43 AM 298776]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\System32\drivers\athru6.sys [7/5/2007 2:57 AM 873472]
S3 ctgame;Game Port;c:\windows\System32\drivers\CTGAME.SYS [2/13/2007 4:46 PM 19128]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ECACHE
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-WinBlueSoft - (no file)
HKLM-RunOnce-
- (no file)
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 20:10
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-06-03 20:11
ComboFix-quarantined-files.txt 2009-06-03 03:11
Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 67,143,356,416 bytes free
896 --- E O F --- 2009-06-02 00:59