ComboFix 11-07-15.01 - random 15/07/2011 20:55:27.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1745 [GMT 10:00]
Running from: d:\documents and settings\random\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\windows\$NtUninstallKB55368$
d:\windows\$NtUninstallKB55368$\1577496198
d:\windows\$NtUninstallKB55368$\2310319619\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
d:\windows\$NtUninstallKB55368$\2310319619\click.tlb
d:\windows\$NtUninstallKB55368$\2310319619\L\eteqleod
d:\windows\$NtUninstallKB55368$\2310319619\loader.tlb
d:\windows\$NtUninstallKB55368$\2310319619\U\@00000001
d:\windows\$NtUninstallKB55368$\2310319619\U\@000000c0
d:\windows\$NtUninstallKB55368$\2310319619\U\@000000cb
d:\windows\$NtUninstallKB55368$\2310319619\U\@000000cf
d:\windows\$NtUninstallKB55368$\2310319619\U\@80000000
d:\windows\$NtUninstallKB55368$\2310319619\U\@800000c0
d:\windows\$NtUninstallKB55368$\2310319619\U\@800000cb
d:\windows\$NtUninstallKB55368$\2310319619\U\@800000cf
d:\windows\system32\c_86730.nls
d:\windows\system32\drivers\1292681928.sys
.
Infected copy of d:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it
Infected copy of d:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - d:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1292681928
.
.
((((((((((((((((((((((((( Files Created from 2011-06-15 to 2011-07-15 )))))))))))))))))))))))))))))))
.
.
2011-07-15 00:59 . 2011-07-06 09:52 41272 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2011-07-15 00:59 . 2011-07-06 09:52 22712 ----a-w- d:\windows\system32\drivers\mbam.sys
2011-07-13 01:01 . 2011-07-15 01:19 -------- d-----w- d:\documents and settings\random
2011-07-12 11:43 . 2011-07-12 11:43 -------- d--h--w- d:\windows\PIF
2011-07-12 11:29 . 2011-07-12 11:29 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-12 11:29 . 2011-07-15 01:44 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2011-07-12 05:57 . 2011-07-12 05:57 -------- d-----w- d:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}
2011-07-12 05:37 . 2011-07-12 05:37 -------- d--h--w- d:\documents and settings\All Users\Application Data\Common Files
2011-07-12 04:45 . 2011-07-12 06:02 -------- d-----w- d:\documents and settings\All Users\Application Data\MFAData
2011-07-11 18:26 . 2011-07-11 18:43 -------- d--h--w- d:\windows\msdownld.tmp
2011-07-11 16:39 . 2011-07-11 16:39 -------- d-----w- d:\program files\Atari
2011-07-06 05:26 . 2011-07-06 05:26 -------- d-----w- d:\program files\Realtek
2011-07-06 05:26 . 2009-04-16 07:23 540672 ----a-w- d:\windows\RtlExUpd.dll
2011-07-06 05:26 . 2006-02-07 05:45 757760 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2011-07-06 05:26 . 2006-02-07 05:40 204800 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2011-07-06 05:26 . 2006-02-07 05:40 69715 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2011-07-06 05:26 . 2006-02-07 05:40 274432 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2011-07-06 05:26 . 2006-02-07 05:39 32768 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-07-06 05:26 . 2005-11-13 13:19 5632 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2011-07-06 05:26 . 2011-07-06 05:26 331908 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2011-07-06 05:26 . 2011-07-06 05:26 200836 ----a-w- d:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2011-07-03 00:44 . 2011-07-03 00:44 -------- d-----w- d:\documents and settings\All Users\Application Data\LAG
2011-07-03 00:44 . 2011-07-03 00:44 -------- d-----w- d:\windows\11AE680750D24F5982B32C3E695E94C2.TMP
2011-06-26 02:45 . 2011-06-26 02:45 -------- d-----w- d:\windows\system32\XPSViewer
2011-06-26 02:45 . 2011-06-26 02:45 -------- d-----w- d:\program files\MSBuild
2011-06-26 02:45 . 2008-07-06 12:06 89088 ----a-w- d:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-06-26 02:44 . 2011-06-26 02:45 -------- d-----w- D:\b4936c66d421da6b80beeff0a1
2011-06-26 02:44 . 2008-07-06 12:06 89088 -c----w- d:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-06-26 02:44 . 2008-07-06 12:06 575488 -c----w- d:\windows\system32\dllcache\xpsshhdr.dll
2011-06-26 02:44 . 2008-07-06 12:06 575488 ------w- d:\windows\system32\xpsshhdr.dll
2011-06-26 02:44 . 2008-07-06 12:06 1676288 -c----w- d:\windows\system32\dllcache\xpssvcs.dll
2011-06-26 02:44 . 2008-07-06 12:06 1676288 ------w- d:\windows\system32\xpssvcs.dll
2011-06-26 02:44 . 2008-07-06 12:06 117760 ------w- d:\windows\system32\prntvpt.dll
2011-06-26 02:44 . 2008-07-06 10:50 597504 -c----w- d:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-06-26 02:44 . 2008-07-06 10:50 597504 ------w- d:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-06-23 00:30 . 2011-06-23 00:30 -------- d-----w- d:\program files\Pando Networks
2011-06-23 00:30 . 2011-06-25 20:43 -------- d-----w- d:\program files\GamersFirst
2011-06-21 01:39 . 2011-06-21 01:39 -------- d-----w- d:\documents and settings\UpdatusUser
2011-06-21 01:39 . 2011-06-21 01:39 -------- d-----w- d:\documents and settings\All Users\Application Data\NVIDIA
2011-06-21 01:39 . 2011-05-25 06:09 899688 ----a-w- d:\windows\system32\nvdispco3220150.dll
2011-06-21 01:39 . 2011-05-25 06:09 865896 ----a-w- d:\windows\system32\nvgenco322090.dll
2011-06-15 21:58 . 2011-06-15 21:59 -------- d-----w- d:\program files\bus driver 2
2011-06-15 21:48 . 2011-06-15 21:48 -------- d-----w- d:\program files\bus driver
2011-06-15 20:05 . 2011-06-15 20:05 -------- d-----w- d:\program files\18 wheels alh
2011-06-15 19:44 . 2011-06-15 19:44 -------- d-----w- d:\program files\18 wheels america long haul
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-30 02:13 . 2011-03-26 14:14 141200 ----a-w- d:\windows\system32\drivers\PnkBstrK.sys
2011-06-30 02:13 . 2011-05-17 19:37 281656 ----a-w- d:\windows\system32\PnkBstrB.xtr
2011-06-30 02:13 . 2011-03-26 14:14 281656 ----a-w- d:\windows\system32\PnkBstrB.exe
2011-06-28 06:07 . 2011-03-26 14:14 281656 ----a-w- d:\windows\system32\PnkBstrB.ex0
2011-06-27 00:07 . 2011-03-26 14:14 90112 ----a-w- d:\windows\system32\PnkBstrA.exe
2011-05-25 06:09 . 2011-01-07 09:56 54272 ----a-w- d:\windows\system32\nvwddi.dll
2011-05-25 06:09 . 2011-01-07 09:56 154728 ----a-w- d:\windows\system32\nvsvc32.exe
2011-05-25 06:09 . 2011-01-07 09:56 111208 ----a-w- d:\windows\system32\nvmctray.dll
2011-05-25 06:09 . 2011-01-07 09:56 13895272 ----a-w- d:\windows\system32\nvcpl.dll
2011-05-25 06:09 . 2011-03-27 13:31 61440 ----a-w- d:\windows\system32\OpenCL.dll
2011-05-25 06:09 . 2011-03-27 13:31 2808936 ----a-w- d:\windows\system32\nvcuvid.dll
2011-05-25 06:09 . 2011-03-27 13:31 2082408 ----a-w- d:\windows\system32\nvcuvenc.dll
2011-05-25 06:09 . 2011-01-07 09:56 543336 ----a-w- d:\windows\system32\easyUpdatusAPIU.dll
2011-05-25 06:09 . 2011-01-07 09:56 145000 ----a-w- d:\windows\system32\nvcolor.exe
2011-05-25 06:09 . 2007-09-16 21:07 16068608 ----a-w- d:\windows\system32\nvoglnt.dll
2011-05-25 06:09 . 2011-03-27 13:31 5332992 ----a-w- d:\windows\system32\nvcuda.dll
2011-05-25 06:09 . 2011-03-27 13:31 13004800 ----a-w- d:\windows\system32\nvcompiler.dll
2011-05-25 06:09 . 2010-12-20 06:26 12753664 ----a-w- d:\windows\system32\drivers\nv4_mini.sys
2011-05-25 06:09 . 2010-12-20 06:26 4198272 ----a-w- d:\windows\system32\nv4_disp.dll
2011-05-25 06:09 . 2007-09-16 21:07 2328576 ----a-w- d:\windows\system32\nvapi.dll
2011-05-19 17:26 . 2011-05-19 17:26 218688 ----a-w- d:\windows\system32\drivers\dtsoftbus01.sys
2011-04-14 16:26 . 2011-04-30 03:18 142296 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 111208]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"nwiz"="d:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
"Malwarebytes' Anti-Malware"="c:\malwarebytes' anti-malware\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\System32\CTFMON.EXE" [2008-02-12 15360]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
GamersFirst LIVE!.lnk - d:\program files\GamersFirst\LIVE!\Live.exe [2011-7-1 2588784]
WinZip Quick Pick.lnk - d:\program files\WinZip\WZQKPICK.EXE [2009-5-11 525640]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\OldHDD\\Games\\World of Warcraft\\Launcher.patch.exe"=
"d:\\OldHDD\\Games\\World of Warcraft\\Launcher.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"d:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"d:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\OldHDD\\Games\\World of Warcraft\\BackgroundDownloader.exe"=
"d:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"d:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"d:\\Documents and Settings\\Administrator\\Local Settings\\Apps\\2.0\\E40RNECG.WZN\\74EYHCYL.E38\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=
"d:\\Program Files\\GamersFirst\\APB Reloaded\\Binaries\\APB.exe"=
"d:\\Program Files\\GamersFirst\\APB Reloaded\\Binaries\\VivoxVoiceService.exe"=
"c:\\steam\\Steam.exe"=
"d:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57118:TCP"= 57118:TCP:Pando Media Booster
"57118:UDP"= 57118:UDP:Pando Media Booster
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;d:\windows\system32\drivers\dtsoftbus01.sys [5/20/2011 3:26 AM 218688]
R2 MBAMService;MBAMService;c:\malwarebytes' anti-malware\Malwarebytes' Anti-Malware\mbamservice.exe [7/15/2011 10:59 AM 366640]
R2 nvUpdatusService;NVIDIA Update Service Daemon;d:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [6/21/2011 11:39 AM 2214504]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [7/15/2011 10:59 AM 22712]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [2/20/2011 11:34 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);d:\program files\Google\Update\GoogleUpdate.exe [2/20/2011 11:34 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2011-02-20 13:34]
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2011-02-20 13:34]
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1425521274-839522115-1006Core.job
- d:\documents and settings\random\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-14 05:44]
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1425521274-839522115-1006UA.job
- d:\documents and settings\random\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-14 05:44]
.
2011-07-14 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1425521274-839522115-500Core.job
- d:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 05:44]
.
2011-07-15 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1425521274-839522115-500UA.job
- d:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 05:44]
.
.
------- Supplementary Scan -------
.
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - d:\documents and settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: DhcpNameServer = 10.0.0.138
DPF: DirectAnimation Java Classes - file://d:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - d:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}\bm_installer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-15 21:02
Windows 5.1.2600 Service Pack 3, v.3311 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_ rev.P21O -> Harddisk1\DR1 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,2b,ad,14,d9,ed,67,4a,96,67,62,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,2b,ad,14,d9,ed,67,4a,96,67,62,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2532)
d:\windows\system32\ieframe.dll
d:\windows\system32\dot3dlg.dll
d:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\RunDLL32.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\nvsvc32.exe
d:\windows\system32\PnkBstrA.exe
d:\windows\system32\wdfmgr.exe
d:\windows\system32\wscntfy.exe
d:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2011-07-15 21:04:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-15 11:04
.
Pre-Run: 68,880,560,128 bytes free
Post-Run: 68,955,217,920 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - C266903FC1F39D86BBF6447F3F6DA247