ComboFix 09-12-11.01 - krissi 12/12/2009 1:56.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1628 [GMT -8:00]
Running from: c:\documents and settings\krissi\My Documents\Downloads\Combo-Fix.exe
Command switches used :: c:\documents and settings\krissi\My Documents\Downloads\cfscript.txt
AV: avast! antivirus 4.8.1368 [VPS 091211-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_YNFCUJ
-------\Service_ynfcuj
((((((((((((((((((((((((( Files Created from 2009-11-12 to 2009-12-12 )))))))))))))))))))))))))))))))
.
2009-12-12 04:21 . 2009-04-17 04:11 81920 ----a-w- c:\windows\eSellerateControl350.dll
2009-12-12 04:21 . 2009-04-17 00:36 356352 ----a-w- c:\windows\eSellerateEngine.dll
2009-12-12 04:21 . 2009-12-12 05:02 -------- d-----w- c:\program files\True Sword 5
2009-12-12 03:44 . 2009-12-12 04:17 -------- d-----w- c:\program files\Win32.Trojan.Delf Removal Tool
2009-12-12 01:48 . 2009-12-12 01:48 -------- d-----w- c:\documents and settings\krissi\Application Data\Malwarebytes
2009-12-12 01:48 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 01:48 . 2009-12-12 01:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 01:48 . 2009-12-12 01:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-12 01:48 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 05:17 . 2009-12-11 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-12-11 01:20 . 2009-10-18 04:27 3101560 ----a-w- c:\documents and settings\krissi\Application Data\Simply Super Software\Trojan Remover\vvi98.exe
2009-11-22 08:34 . 2009-10-18 04:27 3101560 ----a-w- c:\documents and settings\krissi\Application Data\Simply Super Software\Trojan Remover\pru681.exe
2009-11-18 05:13 . 2009-11-18 05:14 -------- d-----w- C:\rjúpa
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 10:01 . 2009-07-22 07:28 -------- d-----w- c:\documents and settings\krissi\Application Data\skypePM
2009-12-12 10:01 . 2009-07-22 02:06 -------- d-----w- c:\documents and settings\krissi\Application Data\Skype
2009-12-12 06:39 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-12 05:54 . 2009-07-12 10:20 -------- d-----w- c:\program files\uTorrent
2009-12-12 05:54 . 2009-07-22 02:06 -------- d-----w- c:\documents and settings\krissi\Application Data\uTorrent
2009-12-11 02:50 . 2009-07-22 07:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-07 09:18 . 2009-10-30 07:12 -------- d-----w- c:\documents and settings\krissi\Application Data\dvdcss
2009-11-29 05:36 . 2009-07-09 12:13 8 ----a-w- c:\windows\system32\nvModes.dat
2009-11-24 23:54 . 2009-07-09 12:59 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-07-09 12:59 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-07-09 12:59 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-07-09 12:59 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-07-09 12:59 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-07-09 12:59 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-07-09 12:59 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-07-09 12:59 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-07-09 12:59 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-22 08:33 . 2009-10-10 21:42 -------- d-----w- c:\program files\Trojan Remover
2009-11-05 22:55 . 2009-11-05 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-05 22:46 . 2009-11-05 22:46 -------- d-----w- c:\program files\McAfee Security Scan
2009-11-05 22:46 . 2009-11-05 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-10-29 05:38 . 2004-08-04 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-10-25 07:12 . 2009-10-25 07:09 18527244 ----a-w- c:\documents and settings\All Users\Application Data\vlc-1.0.2-win32.exe
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 04:38 . 2009-08-13 22:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-25 05:37 . 2009-07-22 01:55 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-21 22:59 . 2009-10-10 21:26 3101560 ----a-w- c:\documents and settings\krissi\Application Data\Simply Super Software\Trojan Remover\jpr6B.exe
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\rjúpa ----
2009-11-18 05:14 . 2009-11-18 05:15 26624 --sha-w- c:\rjúpa\Thumbs.db
2009-11-15 20:03 . 2009-11-18 05:13 597161 ----a-w- c:\rjúpa\rjúpa 008.jpg
2009-11-15 20:02 . 2009-11-18 05:13 585427 ----a-w- c:\rjúpa\rjúpa 007.jpg
2009-11-14 21:27 . 2009-11-18 05:13 1146526 ----a-w- c:\rjúpa\rjúpa 006.jpg
2009-11-14 21:26 . 2009-11-18 05:13 961713 ----a-w- c:\rjúpa\rjúpa 005.jpg
2009-11-14 21:26 . 2009-11-18 05:13 1313410 ----a-w- c:\rjúpa\rjúpa 004.jpg
2009-11-14 07:18 . 2009-11-18 05:13 972198 ----a-w- c:\rjúpa\rjúpa 003.jpg
2009-11-14 07:18 . 2009-11-18 05:13 1059424 ----a-w- c:\rjúpa\rjúpa 002.jpg
2009-11-14 07:16 . 2009-11-18 05:13 1087563 ----a-w- c:\rjúpa\rjúpa 001.jpg
((((((((((((((((((((((((((((( SnapShot@2009-12-12_09.17.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-12 10:01 . 2009-12-12 10:01 16384 c:\windows\Temp\Perflib_Perfdata_5e0.dat
+ 2009-12-12 09:55 . 2009-12-12 09:55 16384 c:\windows\Temp\Perflib_Perfdata_5a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-26 25604904]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-10 8429568]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2008-04-14 136704]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/9/2009 4:59 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/9/2009 4:59 AM 20560]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [7/13/2009 2:30 AM 54752]
S2 gupdate1ca094a890c6040;Google Update Service (gupdate1ca094a890c6040);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 6:58 AM 133104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?745b90a1a6e04762926450c30aaa9d81
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?745b90a1a6e04762926450c30aaa9d81
FF - ProfilePath - c:\documents and settings\krissi\Application Data\Mozilla\Firefox\Profiles\lce5cyzc.default\
FF - prefs.js: browser.startup.homepage - hxxp://visir.is/section/FRONTPAGE
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\krissi\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-12 02:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xBAC1264C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba737852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba630bb0
PacketIndicateHandler -> NDIS.sys @ 0xba63da21
SendHandler -> NDIS.sys @ 0xba61b87b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(688)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'explorer.exe'(1008)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-12-12 02:03:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-12 10:03
ComboFix2.txt 2009-12-12 09:18
Pre-Run: 47,095,898,112 bytes free
Post-Run: 47,000,252,416 bytes free
- - End Of File - - CA4D0FB9D0202FA692329065D7105FC4