part 4:
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))
.
2010-03-19 23:14 . 2010-03-19 23:15 -------- d-----w- c:\documents and settings\Buff\Local Settings\Application Data\Temp
2010-03-16 17:23 . 2010-03-16 17:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-15 03:31 . 2010-03-15 03:31 -------- d-----w- c:\windows\system32\Fonts
2010-02-25 16:09 . 2010-02-25 16:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 19:09 . 2006-12-12 15:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-20 19:05 . 2009-10-31 02:47 -------- d-----w- c:\program files\Spyware Doctor
2010-03-20 19:05 . 2005-06-19 15:32 17242 ----a-w- c:\windows\system32\tablet.dat
2010-02-11 01:55 . 2010-02-11 01:55 50354 ----a-w- c:\documents and settings\Buff\Application Data\Facebook\uninstall.exe
2010-02-11 01:55 . 2010-02-11 01:55 -------- d-----w- c:\documents and settings\Buff\Application Data\Facebook
2010-02-07 17:04 . 2004-08-14 21:51 -------- d-----w- c:\program files\Google
2010-02-07 17:01 . 2009-12-05 17:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Buff\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Buff\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-29 22:35 . 2010-01-29 22:35 64688 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-21 23:21 . 2009-10-31 02:55 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-21 23:21 . 2009-10-31 02:55 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-21 23:21 . 2009-10-31 02:55 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-01-21 23:21 . 2009-10-31 02:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-20 23:02 . 2009-03-19 22:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-09 02:12 . 2004-09-04 17:00 78064 -c--a-w- c:\documents and settings\Buff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-07 15:18 . 2010-01-07 15:14 79488 ----a-w- c:\documents and settings\Buff\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-07 15:15 . 2010-01-07 15:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-07 15:15 . 2010-01-07 15:15 152576 ----a-w- c:\documents and settings\Buff\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-05 10:00 . 2004-02-07 02:05 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-09-04 16:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-03 23:27 . 2010-01-09 17:24 303280 -c--a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat
2009-12-31 16:50 . 2008-11-15 20:51 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-29 16:52 . 2008-05-01 06:20 2341 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2007-05-19 02:39 . 2006-11-18 17:16 848 -csha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\\SmartDoctor.exe" [2003-05-20 729088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-10-14 3217368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"IMONTRAY"="c:\program files\Intel\Intel(R) Active Monitor\imontray.exe" [2003-11-03 32768]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"nwiz"="nwiz.exe" [2003-05-02 323584]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"HostManager"="c:\program files\Common Files\AOL\1134844876\ee\AOLSoftware.exe" [2008-06-24 41824]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-07 149280]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="e:\itunes storage\iTunesHelper.exe" [2009-11-13 141600]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-8-9 113664]
Adobe Gamma Loader.lnk - c:\fonts\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-13 113664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2005-6-19 77824]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134844876\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI CD-Maker\\LiveUpdate.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134844876\\EE\\aolsoftware.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"e:\\more utils\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Logitech\\MouseWare\\system\\EM_EXEC.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Itunes storage\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/3/2009 8:17 AM 207792]
R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\drivers\anvioctl.sys [8/9/2004 12:05 AM 233280]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [10/30/2009 7:55 PM 112592]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [10/28/2009 6:13 PM 632792]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/3/2009 8:17 AM 359624]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 10:04 AM 135664]
--- Other Services/Drivers In Memory ---
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder
2010-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:04]
2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:04]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL =
hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride =
;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Buff\Application Data\Mozilla\Firefox\Profiles\c8p4awzl.Default User\
FF - prefs.js: browser.startup.homepage - hxxp://www.mckinleyink.com
FF - component: c:\documents and settings\Buff\Application Data\Mozilla\Firefox\Profiles\c8p4awzl.Default User\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\Buff\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: e:\itunes storage\Mozilla Plugins\npitunes.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 12:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\tabhook.dll
- - - - - - - > 'explorer.exe'(1904)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\system32\tabhook.dll
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\Tablet.exe
c:\windows\wanmpsvc.exe
c:\program files\Intel\Intel(R) Active Monitor\imonnt.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\ASUS\SmartDoctor\SmartDoctor.exe
c:\windows\System32\MDM.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-20 12:14:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-20 19:14
ComboFix2.txt 2010-02-10 04:03
ComboFix3.txt 2009-12-05 20:19
Pre-Run: 3,793,035,264 bytes free
Post-Run: 3,851,829,248 bytes free
- - End Of File - - F4BF79BC4A6CD2FAAFB952EC6CE0E03C