.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 18:44 . 2009-04-08 21:06 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-13 17:18 . 2009-02-12 04:11 -------- d-----w c:\documents and settings\Jack\Application Data\LimeWire
2009-04-13 15:46 . 2009-04-13 15:46 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 15:43 . 2009-04-13 15:43 22016 --sh--w c:\windows\system32\682F27\nbbr7xp.exe
2009-04-13 04:04 . 2009-04-10 02:25 22016 --sh--w c:\windows\system32\682F27\nbbr6xp.exe
2009-04-12 21:01 . 2009-02-12 23:28 -------- d-----w c:\program files\Garena
2009-04-09 06:23 . 2009-04-07 01:04 22016 --sh--w c:\windows\system32\682F27\nbbrnxp.exe
2009-04-08 21:39 . 2009-04-08 21:32 -------- d-----w c:\program files\Norton 360
2009-04-08 21:34 . 2009-04-08 21:28 -------- d-----w c:\program files\Symantec
2009-04-08 21:33 . 2009-04-08 21:33 -------- d-----w c:\program files\Windows Sidebar
2009-04-08 17:38 . 2009-04-08 16:13 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-04-04 02:27 . 2009-04-02 17:20 22016 --sh--w c:\windows\system32\682F27\nbirnxp.exe
2009-04-02 05:01 . 2009-03-18 20:50 22016 --sh--w c:\windows\system32\682F27\nmirnxp.exe
2009-04-01 18:18 . 2009-02-12 04:10 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-01 18:18 . 2009-04-01 18:18 -------- d-----w c:\program files\Java
2009-04-01 17:41 . 2009-02-28 01:48 -------- d-----w c:\program files\Firaxis Games
2009-04-01 17:40 . 2009-04-01 17:40 -------- d-----w c:\program files\e-Games
2009-03-31 20:17 . 2009-01-25 21:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 22:41 . 2009-03-23 16:55 20480 --sh--w c:\windows\system32\682F27\nmurnxp.exe
2009-03-27 03:09 . 2009-03-27 03:09 -------- d-----w c:\program files\Common Files\INCA Shared
2009-03-25 05:11 . 2009-03-23 03:47 -------- d-----w c:\program files\DAEMON Tools Pro
2009-03-21 18:13 . 2009-03-21 18:13 -------- d-----w c:\program files\LimeWire
2009-03-21 18:02 . 2009-03-21 18:02 -------- d-----w c:\program files\uTorrent
2009-03-18 02:52 . 2009-03-13 03:13 20992 --sh--w c:\windows\system32\682F27\ntirnxp.exe
2009-03-15 00:03 . 2009-03-11 23:14 -------- d-----w c:\program files\AVS4YOU
2009-03-15 00:03 . 2009-03-11 23:17 -------- d-----w c:\program files\Common Files\AVSMedia
2009-03-13 04:28 . 2009-03-11 23:23 -------- d-----w c:\documents and settings\Jack\Application Data\AVS4YOU
2009-03-13 03:06 . 2009-03-13 03:04 -------- d-----w c:\documents and settings\Jack\Application Data\GetRightToGo
2009-03-13 02:58 . 2009-03-13 02:58 1405294 --sh--r c:\windows\system32\54C76F\18A57B.EXE
2009-03-11 23:22 . 2009-03-11 23:22 -------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-03-11 03:07 . 2004-07-17 15:36 163644 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-02-28 02:26 . 2009-02-28 02:26 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-02-26 13:46 . 2009-02-15 19:55 70864 ----a-w c:\documents and settings\Guest2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-21 02:51 . 2009-01-25 21:07 70864 ----a-w c:\documents and settings\Jack\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-21 02:50 . 2009-02-21 02:50 -------- d-----w c:\program files\Guitar Pro 5
2009-02-15 21:15 . 2009-02-15 20:59 76040 ----a-w c:\windows\system32\drivers\avgtdix.sys.install_backup
2009-02-15 21:15 . 2009-02-15 21:15 12936 ----a-w c:\windows\system32\drivers\avgrkx86.sys.install_backup_1
2009-02-15 21:15 . 2009-02-15 20:59 96520 ----a-w c:\windows\system32\drivers\avgldx86.sys.install_backup
2009-02-15 21:15 . 2009-02-15 20:59 26824 ----a-w c:\windows\system32\drivers\avgmfx86.sys.install_backup
2009-02-15 21:00 . 2009-02-15 21:00 12424 ----a-w c:\windows\system32\drivers\avgrkx86.sys.install_backup
2009-02-15 19:55 . 2009-02-15 19:55 129 ----a-w c:\documents and settings\Guest2\Local Settings\Application Data\fusioncache.dat
2009-02-15 19:55 . 2009-02-15 19:55 -------- d-----w c:\documents and settings\Guest2\Application Data\ATI
2009-02-08 00:21 . 2009-02-08 00:21 30 --sha-r c:\windows\pc-off.bat
2009-01-31 16:17 . 2009-01-25 20:57 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-01-29 03:49 . 2009-03-11 23:14 974848 ----a-w c:\windows\system32\mfc70.dll
2009-01-29 03:49 . 2009-03-11 23:14 487424 ----a-w c:\windows\system32\msvcp70.dll
2009-01-29 03:49 . 2009-03-11 23:14 344064 ----a-w c:\windows\system32\msvcr70.dll
2009-01-29 03:49 . 2009-03-11 23:14 1700352 ----a-w c:\windows\system32\GdiPlus.dll
2009-01-29 03:49 . 2009-03-11 23:14 24576 ----a-w c:\windows\system32\msxml3a.dll
2009-01-25 22:02 . 2009-01-25 22:02 127 ----a-w c:\documents and settings\Jack\Local Settings\Application Data\fusioncache.dat
2009-01-25 21:53 . 2009-01-25 21:52 172 ----a-w C:\Sigmatel
2009-01-25 20:55 . 2009-01-25 20:55 21640 ----a-w c:\windows\system32\emptyregdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"L08AXLRD_1082468"="c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 351000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-09-22 57344]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-10-25 61440]
"\\Ace\EPSON Stylus C59 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBHP.EXE" [2006-02-22 131072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2006-07-27 282624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-9-22 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
R2 DMagent;Driver Trusted;c:\windows\system32\svchost.exe [2004-08-04 14336]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 149352]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-02-13 109616]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
*Deregistered* - GarenaPEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
DMagent
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{14f90e04-18d8-11de-8ad4-001676d5a088}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20f7a624-f575-11dd-8a6f-001676d5a088}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4671551a-f3fb-11dd-8a6d-001676d5a088}]
\Shell\AutoRun\command - G:\bar311.exe %1
\Shell\Explore\command - G:\bar311.exe %1
\Shell\Open\command - G:\bar311.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a6c6c52-0aaa-11de-8aa4-001676d5a088}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d39c6b8-0e8b-11de-8aae-001676d5a088}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\bar311.exe %1
\Shell\Open\command - F:\bar311.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{976b1fed-17ca-11de-8ad2-001676d5a088}]
\Shell\AutoRun\command - F:\bar311.exe %1
\Shell\Explore\command - F:\
\Shell\Open\command - F:\
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee74b3ba-0c06-11de-8aab-001676d5a088}]
\Shell\1\Command - G:\Recycle.exe
\Shell\2\Command - G:\Recycle.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycle.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee74b3bb-0c06-11de-8aab-001676d5a088}]
\Shell\AutoRun\command - H:\bar311.exe %1
\Shell\Explore\command - H:\bar311.exe %1
\Shell\Open\command - H:\bar311.exe %1
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jack\Application Data\Mozilla\Firefox\Profiles\945wbpqm.default\
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 11:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMagent]
"ServiceDll"="c:\windows\system32\dqifco.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(940)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(260)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-14 18:52
Pre-Run: 40,594,653,184 bytes free
Post-Run: 40,624,701,440 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect