ComboFix 10-07-07.01 - Lela han 07/08/2010 0:54.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1013.682 [GMT -5:00]
Running from: c:\documents and settings\Lela han\Desktop\commy.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Lela han\Application Data\02000000795987b9922C.manifest
c:\documents and settings\Lela han\Application Data\02000000795987b9922O.manifest
c:\documents and settings\Lela han\Application Data\02000000795987b9922P.manifest
c:\documents and settings\Lela han\Application Data\02000000795987b9922S.manifest
c:\documents and settings\Lela han\Application Data\SystemProc
c:\documents and settings\Lela han\Local Settings\Application Data\{51B19E62-1F34-462B-A9A1-533931A5DACF}
c:\documents and settings\Lela han\Local Settings\Application Data\{51B19E62-1F34-462B-A9A1-533931A5DACF}\chrome.manifest
c:\documents and settings\Lela han\Local Settings\Application Data\{51B19E62-1F34-462B-A9A1-533931A5DACF}\chrome\content\_cfg.js
c:\documents and settings\Lela han\Local Settings\Application Data\{51B19E62-1F34-462B-A9A1-533931A5DACF}\chrome\content\overlay.xul
c:\documents and settings\Lela han\Local Settings\Application Data\{51B19E62-1F34-462B-A9A1-533931A5DACF}\install.rdf
c:\documents and settings\Lela han\nah_log.dat
Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.
2010-07-06 22:22 . 2010-07-06 22:22 -------- d-----w- C:\_OTL
2010-07-03 02:18 . 2010-07-03 02:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-26 17:50 . 2010-06-26 17:50 -------- d-----w- c:\documents and settings\Lela han\Application Data\acccore
2010-06-26 17:50 . 2010-06-26 17:57 -------- d-----w- c:\documents and settings\Lela han\Local Settings\Application Data\AIM
2010-06-26 17:50 . 2010-06-26 17:50 -------- d-----w- c:\documents and settings\Lela han\Local Settings\Application Data\AOL
2010-06-26 17:50 . 2010-06-26 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-06-26 17:49 . 2010-06-26 17:49 -------- d-----w- c:\program files\AIM
2010-06-26 17:49 . 2010-06-26 17:49 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-06-26 17:49 . 2010-06-26 17:49 -------- d-----w- c:\program files\Common Files\AOL
2010-06-24 09:52 . 2010-06-24 18:06 -------- d-----w- c:\program files\NOS
2010-06-24 05:57 . 2010-06-24 05:57 -------- d-----w- c:\program files\Common Files\DirectX
2010-06-23 03:42 . 2010-06-23 03:42 -------- d-----w- C:\AeriaGames
2010-06-21 06:19 . 2010-07-08 06:00 -------- d-----w- c:\program files\Common Files\Akamai
2010-06-11 02:59 . 2010-06-11 02:59 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-06-11 02:59 . 2010-06-11 02:59 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-06-11 02:59 . 2010-06-11 02:59 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-06-11 02:59 . 2010-06-11 02:59 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-06-11 02:59 . 2010-06-11 02:59 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-06-11 02:59 . 2010-06-11 02:59 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-06-11 02:59 . 2010-06-11 02:59 -------- d-----w- C:\Nexon
2010-06-11 02:59 . 2010-06-11 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 08:03 . 2010-05-12 23:56 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-24 18:07 . 2010-02-23 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-11 02:59 . 2010-06-07 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-06-07 04:23 . 2010-01-31 03:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-07 04:14 . 2010-06-07 04:14 -------- d-----w- c:\program files\gpotato
2010-06-04 01:38 . 2010-06-01 03:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-31 07:42 . 2010-05-31 07:42 -------- d-----w- c:\program files\Pando Networks
2010-05-31 07:41 . 2010-05-11 23:54 -------- d-----w- c:\program files\OGPlanet
2010-05-19 20:09 . 2010-05-19 20:09 -------- d-----w- c:\documents and settings\Lela han\Application Data\Babylon
2010-05-19 20:09 . 2010-05-19 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2010-05-12 23:56 . 2010-05-12 23:56 552 ----a-w- c:\windows\system32\d3d8caps.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-31 39408]
"Aim"="c:\program files\AIM\aim.exe" [2010-05-21 3824472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-17 138008]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Otaku Mascot.lnk - c:\program files\Accursed Toys\Otaku Mascot\Mascot.exe [2010-2-4 720896]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Ntreev\\Grand Chase\\main.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avcenter.exe"=
"c:\\Documents and Settings\\Lela han\\My Documents\\Downloads\\FantasyEarthZeroDownloader_2010-04-14.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56873:TCP"= 56873:TCP:Pando Media Booster
"56873:UDP"= 56873:UDP:Pando Media Booster
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 12:31 AM 135336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 10:49 PM 135664]
S3 isadeep;isadeep;\??\c:\windows\system32\isadeep.sys --> c:\windows\system32\isadeep.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 03:49]
2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 03:49]
2010-07-08 c:\windows\Tasks\User_Feed_Synchronization-{2CAE369E-F432-4CBA-9A9B-6017C9A83AEC}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Lela han\Application Data\Mozilla\Firefox\Profiles\6zmlha81.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-08 01:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(4088)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2010-07-08 01:02:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-08 06:02
Pre-Run: 219,263,918,080 bytes free
Post-Run: 219,190,239,232 bytes free
- - End Of File - - ACCDBC082B10802C9BB2C3742A4A208F