Used "%userprofile%\desktop\blackpudding.bat" /killall from the Run box.
ComboFix 09-11-16.03 - Tom 11/15/2009 21:25.4.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.521 [GMT -5:00]
Running from: c:\documents and settings\Tom\desktop\blackpudding.bat
Command switches used :: /killall
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\ctfmon .exe
.
((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.
2009-11-15 16:35 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-15 16:35 . 2009-11-15 16:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-15 16:35 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-15 06:26 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\exmgci
2009-11-15 06:26 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\chtapt
2009-11-15 05:28 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Application Data\bbabbc
2009-11-15 05:28 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\jedynw
2009-11-15 05:12 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\jfkkwd
2009-11-15 04:56 . 2009-11-15 04:56 389120 ----a-w- c:\windows\system32\CF7635.exe
2009-11-15 04:56 . 2009-11-15 04:54 389120 ----a-w- c:\windows\system32\CF7325.exe
2009-11-15 04:20 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\tcmnep
2009-11-15 04:04 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\kyvpip
2009-11-15 03:51 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\lcfvua
2009-11-15 03:50 . 2009-11-16 02:13 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\xdlotm
2009-11-07 20:48 . 2009-11-14 19:23 79488 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-21 00:43 . 2009-10-21 00:43 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-10-21 00:43 . 2009-10-21 00:43 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 17:12 . 2009-08-25 19:01 -------- d-----w- c:\program files\QuickTime
2009-11-15 07:58 . 2008-03-09 03:35 -------- d-----w- c:\program files\VisualTaskTips
2009-11-15 07:45 . 2009-08-25 19:03 -------- d-----w- c:\program files\iTunes
2009-11-15 07:45 . 2008-03-10 04:21 -------- d-----w- c:\program files\IconLock
2009-10-09 23:34 . 2009-10-09 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-09 23:34 . 2009-10-09 23:34 -------- d-----w- c:\documents and settings\Tom\Application Data\Office Genuine Advantage
2009-10-01 01:55 . 2008-06-22 04:10 -------- d-----w- c:\program files\Windows Live
2009-10-01 01:48 . 2008-11-15 21:07 27152 ----a-w- c:\documents and settings\Tom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-29 21:29 . 2009-09-29 21:29 -------- d-----w- c:\program files\Google
2009-09-24 23:44 . 2009-09-24 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-09-24 23:42 . 2009-09-24 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-24 23:41 . 2008-03-10 03:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-24 23:41 . 2009-09-24 23:41 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-09-24 23:37 . 2009-09-24 23:37 -------- d-----w- c:\windows\Fonts\Fonts
2009-09-24 23:35 . 2009-09-24 23:35 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-09-24 23:35 . 2009-09-24 23:35 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-24 23:35 . 2009-09-24 23:35 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-24 23:35 . 2009-09-24 23:35 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-24 23:35 . 2009-09-24 23:35 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-09-24 23:35 . 2009-09-24 23:35 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-09-11 14:18 . 2004-08-03 23:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-03 23:56 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-03 23:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-03 23:56 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-03 23:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:57 . 2009-08-25 18:57 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-20 19:09 . 2009-08-20 19:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
.
------- Sigcheck -------
[-] 2005-01-28 17:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2005-01-28 17:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\MsPMSNSv.dll
[-] 2005-01-28 17:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\system32\dllcache\mspmsnsv.dll
[-] 2004-08-03 23:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-11-15_06.42.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-16 02:30 . 2009-11-16 02:30 16384 c:\windows\temp\Perflib_Perfdata_65c.dat
- 2009-11-15 02:00 . 2009-11-15 02:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-15 02:00 . 2009-11-15 18:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-09 03:19 . 2009-11-15 18:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-09 03:19 . 2009-11-15 02:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-15 18:34 . 2009-11-15 18:34 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-03-09 03:19 . 2009-11-15 02:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StatBar"="c:\program files\Globe Software\StatBar\StatBar.exe" [2003-07-25 335872]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-21 520024]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-10 16126464]
c:\documents and settings\Tom\Start Menu\Programs\Startup\
3DO Registration.lnk - c:\program files\3DO\Heroes3\Register\Remind32.exe [2008-9-26 67584]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-15 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
taskmanager.lnk - c:\windows\system32\taskmgr.exe [2004-8-3 135680]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/21/2009 6:18 AM 64160]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/3/2009 2:59 PM 108289]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/7/2009 1:35 AM 54752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [12/31/2008 1:12 PM 693512]
R3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [12/21/2004 3:16 PM 141990]
R3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [3/16/2008 11:02 AM 79616]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [12/31/2008 1:12 PM 910600]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-08-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 00:43]
2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-11-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
2009-11-15 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-03 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Search Current News - file://\program files\powershell-xp3\search5.htm
IE: Search Encyclopedia - file://\program files\powershell-xp3\search4.htm
IE: Search for Images - file://\program files\powershell-xp3\search3.htm
IE: Search Newsgroups - file://\program files\powershell-xp3\search2.htm
IE: Search the Web - file://\program files\powershell-xp3\search.htm
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-VisualTaskTips - c:\program files\VisualTaskTips\VisualTaskTips.exe
HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-15 21:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1380)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\WgaTray.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-11-15 21:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-16 02:34
ComboFix2.txt 2009-11-15 06:47
ComboFix3.txt 2009-07-03 19:39
ComboFix4.txt 2009-07-03 19:07
Pre-Run: 39,132,659,712 bytes free
Post-Run: 39,190,134,784 bytes free
Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - B3D553E588CE60326D4BAB0FF5658A69