((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-03 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-03 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-03 134656]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-02-03 949376]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-03-26 401040]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-03-30 1213320]
"AntiLogger"="c:\program files\AntiLogger\AntiLogger.exe" [2009-03-31 2277232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-09 c:\windows\RTHDCPL.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Kimina\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"GreyMSIAds"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Family Tree Maker 2009\\FTM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
R1 AntiLog32;AntiLog32;c:\program files\AntiLogger\AntiLog32.sys [2009-03-31 115056]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-02-03 15424]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-03-27 179856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-03-27 15504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{015fc16c-09fb-11de-b244-806d6172696f}]
\Shell\AutoRun\command - F:\monsetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f1c4bc2-1a54-11de-9a3b-001cc0755738}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0ec9e34-f4cf-11dd-8da3-001cc0755738}]
\Shell\AutoRun\command - K:\WDSetup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-03-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 06:51]
2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2052111302-839522115-1004.job
- c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-07 17:38]
2009-04-05 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-03-26 16:49]
2009-04-06 c:\windows\Tasks\Malwarebytes' Scheduled Update for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-03-26 16:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/internet/mybigpond/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {E1C2CA2F-B009-43DB-AAEB-3433D7E8F1E7} = 61.9.211.33,61.9.211.1
FF - ProfilePath - c:\documents and settings\Kimina\Application Data\Mozilla\Firefox\Profiles\aba8c5y6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bigpond.com/internet/mybigpond/
FF - plugin: c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
---- FIREFOX POLICIES ----
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 02:21:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\ESET\nod32krn.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-04-07 2:22:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 16:22:33
ComboFix2.txt 2009-04-06 15:44:35
ComboFix3.txt 2009-04-05 02:59:48
Pre-Run: 180,593,336,320 bytes free
Post-Run: 180,576,178,176 bytes free
322 --- E O F --- 2009-03-20 00:13:17
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-03 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-03 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-03 134656]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-02-03 949376]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-03-26 401040]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-03-30 1213320]
"AntiLogger"="c:\program files\AntiLogger\AntiLogger.exe" [2009-03-31 2277232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-09 c:\windows\RTHDCPL.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Kimina\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"GreyMSIAds"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Family Tree Maker 2009\\FTM.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
R1 AntiLog32;AntiLog32;c:\program files\AntiLogger\AntiLog32.sys [2009-03-31 115056]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-02-03 15424]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-03-27 179856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-03-27 15504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{015fc16c-09fb-11de-b244-806d6172696f}]
\Shell\AutoRun\command - F:\monsetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f1c4bc2-1a54-11de-9a3b-001cc0755738}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0ec9e34-f4cf-11dd-8da3-001cc0755738}]
\Shell\AutoRun\command - K:\WDSetup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-03-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 06:51]
2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2052111302-839522115-1004.job
- c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-07 17:38]
2009-04-05 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-03-26 16:49]
2009-04-06 c:\windows\Tasks\Malwarebytes' Scheduled Update for Kimina.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-03-26 16:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/internet/mybigpond/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {E1C2CA2F-B009-43DB-AAEB-3433D7E8F1E7} = 61.9.211.33,61.9.211.1
FF - ProfilePath - c:\documents and settings\Kimina\Application Data\Mozilla\Firefox\Profiles\aba8c5y6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bigpond.com/internet/mybigpond/
FF - plugin: c:\documents and settings\Kimina\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
---- FIREFOX POLICIES ----
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 02:21:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\ESET\nod32krn.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-04-07 2:22:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 16:22:33
ComboFix2.txt 2009-04-06 15:44:35
ComboFix3.txt 2009-04-05 02:59:48
Pre-Run: 180,593,336,320 bytes free
Post-Run: 180,576,178,176 bytes free
322 --- E O F --- 2009-03-20 00:13:17