ComboFix 12-01-23.02 - Owner 01/24/2012 17:26:22.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.410 [GMT 8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\documents and settings\Owner\Application Data\Toolbar4
c:\documents and settings\Owner\Local Settings\Application Data\Minibar
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\background.html
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\cached_http_request.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\extension_info.json
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\icons\icon128.png
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\icons\icon19.png
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\icons\icon32.png
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\icons\icon48.png
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\includes\content.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\includes\content_kango.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\includes\content_messaging.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\includes\content_userscript.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango-ui\button.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango-ui\ui.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\browser.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\console.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\event_listener.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\initialize.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\io.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\jsonstorage.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\kango.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\lang.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\messaging.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\userscript_engine.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\xhr.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\main.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\manifest.json
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\actions.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\cachedxhr.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\config.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\macros.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\minibar.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\popup.html
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\popup.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\tab.html
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\tab.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome_installer.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\common.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\install.json
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\minibar.crx
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\sqlite3.exe
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\Uninstall.exe
c:\documents and settings\Owner\Recent\Thumbs.db
c:\documents and settings\Owner\WINDOWS
c:\documents and settings\PC-4\WINDOWS
c:\windows\start.exe
c:\windows\system32.exe
c:\windows\system32\28463
c:\windows\system32\ijl11.dll
c:\windows\system32\Temp
c:\windows\system32\UNWISE.EXE
c:\windows\XSxS
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 )))))))))))))))))))))))))))))))
.
.
2012-01-21 09:14 . 2012-01-21 09:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PopCapv1005
2012-01-16 04:51 . 2012-01-16 04:52 -------- d-----w- c:\program files\mass effect
2012-01-16 04:16 . 2012-01-16 04:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\IsolatedStorage
2012-01-14 20:56 . 2012-01-14 20:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NCH Software
2012-01-14 20:55 . 2012-01-14 20:55 -------- d-----w- c:\program files\NCH Software
2012-01-14 20:53 . 2012-01-14 20:53 -------- d-----w- c:\documents and settings\Owner\Application Data\NCH Software
2012-01-06 06:29 . 2012-01-06 06:29 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJEPPEX
2012-01-02 09:56 . 2001-08-17 14:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-01-02 09:56 . 2004-08-03 16:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-12-31 02:29 . 2011-12-31 02:29 -------- d-----w- C:\IGG
2011-12-31 02:29 . 2011-12-31 02:29 -------- d-----w- c:\documents and settings\Owner\Application Data\IGG
2011-12-30 13:16 . 2011-12-30 13:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Unity
2011-12-27 12:32 . 2011-12-28 13:22 417440 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2011-12-27 11:58 . 2012-01-10 21:05 -------- d-----w- c:\documents and settings\Owner\Application Data\DMCache
2011-12-27 10:21 . 2011-12-27 10:21 -------- d-----w- C:\eula
2011-12-27 02:14 . 2011-12-27 02:28 -------- d-----w- C:\Downloads
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 13:22 . 2011-08-17 21:23 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-01 14:03 . 2011-12-01 14:03 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-11-22 09:14 . 2011-11-16 04:20 225280 ----a-w- c:\windows\system32\npeuiocell.dll
2011-11-16 04:20 . 2011-11-16 04:20 208896 ----a-w- c:\windows\system32\npeauth.dll
2011-11-16 04:20 . 2011-11-16 04:20 151552 ----a-w- c:\windows\system32\npeudelself.exe
2011-11-11 15:44 . 2011-08-18 11:15 40832 ----a-w- c:\windows\system32\drivers\Yonline.ahc
2011-10-28 02:43 . 2011-11-09 02:55 150 ----a-w- c:\windows\Crack.reg
2012-01-22 01:34 . 2011-12-27 12:32 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2006-02-28 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2006-02-28 . C1783498EDB152656303B5D5BCABD86C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2011-08-17 . 6E8CA4FCB30282F216F5DB9DD58A5F81 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTo2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-05-09 09:49 176936 ----a-w- c:\program files\uTorrentBar\prxtbuTo2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTo2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\prxtbuTo2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-08-18 281768]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 10:07 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-02-18 09:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-04-28 09:14 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\e-Games\\PointblankPH\\PointBlank.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\GameClub\\Philippines\\SpecialForce\\specialforce.exe"=
"d:\\Program Files\\Garena Classic\\Garena.exe"=
"c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlashGet3.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DFIGames\\Dragonfly\\Special Force PH\\SpecialForce.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/1/2011 10:03 PM 685816]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [8/18/2011 4:51 AM 13696]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/18/2011 5:08 AM 136360]
R2 Yonline;Yonline;c:\windows\system32\drivers\Yonline.ahc [8/18/2011 7:15 PM 40832]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 1:34 PM 10064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [10/27/2010 6:23 PM 1483072]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [12/27/2011 8:32 PM 253600]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/18/2011 4:54 AM 1684736]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\d:\program files\Garena Classic\safedrv.sys --> d:\program files\Garena Classic\safedrv.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
S3 XDva389;XDva389;\??\c:\windows\system32\XDva389.sys --> c:\windows\system32\XDva389.sys [?]
S3 XDva390;XDva390;\??\c:\windows\system32\XDva390.sys --> c:\windows\system32\XDva390.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-27 13:22]
.
2012-01-17 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2012-01-14 18:36]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.tune-up.com/link/?target=installhelp&errorcode=0&action=1&tu_ighash=3-p4Og3vTN-g6Db10-dRsQ~~&tu_product=tuu2011&tu_version=10.0.2011.65&tu_lang=en-US&os_ver=5.1.2600&os_sp=2.0&os_suite=768&os_x64=0&os_syslang=en-US&os_userlang=en-US&os_id=1&os_usercountry=US
IE: Download all by FlashGet3 - c:\documents and settings\Owner\Application Data\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\documents and settings\Owner\Application Data\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 121.1.3.82 121.1.3.20
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\csrjd501.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
MSConfigStartUp-System32 - c:\windows\System32.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-24 17:30
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Yonline]
"ImagePath"="\??\c:\windows\system32\drivers\Yonline.ahc"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):58,dd,57,b8,80,dd,3b,23,f8,41,12,c5,2d,88,19,86,4c,4d,95,24,c3,
86,61,bd,1b,bf,44,58,b1,fa,2c,a4,12,16,a9,d9,68,07,88,7c,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{846287ce-1022-4595-8337-67e6beb862b9}]
@Denied: (Full) (Everyone)
"Model"=dword:00000009
"Therad"=dword:00000008
.
Completion time: 2012-01-24 17:31:46
ComboFix-quarantined-files.txt 2012-01-24 09:31
.
Pre-Run: 42,708,258,816 bytes free
Post-Run: 43,955,462,144 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 52844B0EF7A35B02E6C20B73C1DE5C88
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.410 [GMT 8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\documents and settings\Owner\Application Data\Toolbar4
c:\documents and settings\Owner\Local Settings\Application Data\Minibar
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\background.html
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\cached_http_request.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\extension_info.json
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\icons\icon128.png
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\icons\icon19.png
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\icons\icon32.png
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\icons\icon48.png
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\includes\content.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\includes\content_kango.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\includes\content_messaging.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\includes\content_userscript.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango-ui\button.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango-ui\ui.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\browser.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\console.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\event_listener.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\initialize.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\io.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\jsonstorage.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\kango.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\lang.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\messaging.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\userscript_engine.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\xhr.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\main.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\manifest.json
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\actions.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\cachedxhr.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\config.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\macros.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\minibar.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\popup.html
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\popup.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\tab.html
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\tab.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome_installer.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\common.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\install.json
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\minibar.crx
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\sqlite3.exe
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\Uninstall.exe
c:\documents and settings\Owner\Recent\Thumbs.db
c:\documents and settings\Owner\WINDOWS
c:\documents and settings\PC-4\WINDOWS
c:\windows\start.exe
c:\windows\system32.exe
c:\windows\system32\28463
c:\windows\system32\ijl11.dll
c:\windows\system32\Temp
c:\windows\system32\UNWISE.EXE
c:\windows\XSxS
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 )))))))))))))))))))))))))))))))
.
.
2012-01-21 09:14 . 2012-01-21 09:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PopCapv1005
2012-01-16 04:51 . 2012-01-16 04:52 -------- d-----w- c:\program files\mass effect
2012-01-16 04:16 . 2012-01-16 04:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\IsolatedStorage
2012-01-14 20:56 . 2012-01-14 20:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NCH Software
2012-01-14 20:55 . 2012-01-14 20:55 -------- d-----w- c:\program files\NCH Software
2012-01-14 20:53 . 2012-01-14 20:53 -------- d-----w- c:\documents and settings\Owner\Application Data\NCH Software
2012-01-06 06:29 . 2012-01-06 06:29 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJEPPEX
2012-01-02 09:56 . 2001-08-17 14:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-01-02 09:56 . 2004-08-03 16:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-12-31 02:29 . 2011-12-31 02:29 -------- d-----w- C:\IGG
2011-12-31 02:29 . 2011-12-31 02:29 -------- d-----w- c:\documents and settings\Owner\Application Data\IGG
2011-12-30 13:16 . 2011-12-30 13:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Unity
2011-12-27 12:32 . 2011-12-28 13:22 417440 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2011-12-27 11:58 . 2012-01-10 21:05 -------- d-----w- c:\documents and settings\Owner\Application Data\DMCache
2011-12-27 10:21 . 2011-12-27 10:21 -------- d-----w- C:\eula
2011-12-27 02:14 . 2011-12-27 02:28 -------- d-----w- C:\Downloads
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 13:22 . 2011-08-17 21:23 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-01 14:03 . 2011-12-01 14:03 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-11-22 09:14 . 2011-11-16 04:20 225280 ----a-w- c:\windows\system32\npeuiocell.dll
2011-11-16 04:20 . 2011-11-16 04:20 208896 ----a-w- c:\windows\system32\npeauth.dll
2011-11-16 04:20 . 2011-11-16 04:20 151552 ----a-w- c:\windows\system32\npeudelself.exe
2011-11-11 15:44 . 2011-08-18 11:15 40832 ----a-w- c:\windows\system32\drivers\Yonline.ahc
2011-10-28 02:43 . 2011-11-09 02:55 150 ----a-w- c:\windows\Crack.reg
2012-01-22 01:34 . 2011-12-27 12:32 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2006-02-28 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2006-02-28 . C1783498EDB152656303B5D5BCABD86C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2011-08-17 . 6E8CA4FCB30282F216F5DB9DD58A5F81 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTo2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-05-09 09:49 176936 ----a-w- c:\program files\uTorrentBar\prxtbuTo2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTo2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\prxtbuTo2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-08-18 281768]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 10:07 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-02-18 09:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-04-28 09:14 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\e-Games\\PointblankPH\\PointBlank.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\GameClub\\Philippines\\SpecialForce\\specialforce.exe"=
"d:\\Program Files\\Garena Classic\\Garena.exe"=
"c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlashGet3.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DFIGames\\Dragonfly\\Special Force PH\\SpecialForce.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/1/2011 10:03 PM 685816]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [8/18/2011 4:51 AM 13696]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/18/2011 5:08 AM 136360]
R2 Yonline;Yonline;c:\windows\system32\drivers\Yonline.ahc [8/18/2011 7:15 PM 40832]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 1:34 PM 10064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [10/27/2010 6:23 PM 1483072]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [12/27/2011 8:32 PM 253600]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/18/2011 4:54 AM 1684736]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\d:\program files\Garena Classic\safedrv.sys --> d:\program files\Garena Classic\safedrv.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
S3 XDva389;XDva389;\??\c:\windows\system32\XDva389.sys --> c:\windows\system32\XDva389.sys [?]
S3 XDva390;XDva390;\??\c:\windows\system32\XDva390.sys --> c:\windows\system32\XDva390.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-27 13:22]
.
2012-01-17 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2012-01-14 18:36]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.tune-up.com/link/?target=installhelp&errorcode=0&action=1&tu_ighash=3-p4Og3vTN-g6Db10-dRsQ~~&tu_product=tuu2011&tu_version=10.0.2011.65&tu_lang=en-US&os_ver=5.1.2600&os_sp=2.0&os_suite=768&os_x64=0&os_syslang=en-US&os_userlang=en-US&os_id=1&os_usercountry=US
IE: Download all by FlashGet3 - c:\documents and settings\Owner\Application Data\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\documents and settings\Owner\Application Data\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 121.1.3.82 121.1.3.20
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\csrjd501.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
MSConfigStartUp-System32 - c:\windows\System32.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-24 17:30
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Yonline]
"ImagePath"="\??\c:\windows\system32\drivers\Yonline.ahc"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):58,dd,57,b8,80,dd,3b,23,f8,41,12,c5,2d,88,19,86,4c,4d,95,24,c3,
86,61,bd,1b,bf,44,58,b1,fa,2c,a4,12,16,a9,d9,68,07,88,7c,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{846287ce-1022-4595-8337-67e6beb862b9}]
@Denied: (Full) (Everyone)
"Model"=dword:00000009
"Therad"=dword:00000008
.
Completion time: 2012-01-24 17:31:46
ComboFix-quarantined-files.txt 2012-01-24 09:31
.
Pre-Run: 42,708,258,816 bytes free
Post-Run: 43,955,462,144 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 52844B0EF7A35B02E6C20B73C1DE5C88