Full Version: help with spyware
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Whammybar
I recently got hit with spyware that I need help removing. I tried using Ad-Aware but it didn't remove it.

The software is called Spy Protector. It's making my computer run a little slower. It also isn't allowing me to save over files, for example:
if I open a picture in Photoshop and try to do a Save As and save over the picture, it says the file is already open and it can't save.

Also, I can't change information on any of my music in iTunes. I checked to see if the files were read-only but they aren't.

I'll post a HijackThis log in a few hours.
Whammybar
Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:37 PM, on 11/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Mac\Application Data\srcss.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Mac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\sesinetd.exe
C:\WINDOWS\system32\hserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Spy Protector] C:\Documents and Settings\Mac\Application Data\srcss.exe
O4 - HKLM\..\Run: [1856b224] rundll32.exe "C:\WINDOWS\system32\rtdbockl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1171778986531
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HoudiniLicenseServer - Side Effects Software Inc. - C:\WINDOWS\system32\sesinetd.exe
O23 - Service: HoudiniServer - Side Effects Software Inc. - C:\WINDOWS\system32\hserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6582 bytes
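The two lines a helper zeroes in on in a log like the one above are the O4 autostart entries for srcss.exe (run straight out of Application Data, under a product-sounding name) and the hex-named rundll32 entry loading a random eight-letter DLL from system32. The script below is an added example, not something from this thread or from HijackThis itself: it parses O4 Run lines and scores them with those same heuristics, using a subset of the O4 lines posted above as constructed input. The regexes and the two-indicator threshold are my own assumptions, and a legitimate profile-resident updater (Google Update) is included to show it scoring below the threshold.

```python
"""Triage of HijackThis O4 (autostart) entries.

Added example, not part of the original thread. Three heuristics are
applied to each O4 Run line:
  1. the target lives under the user profile (and, worse, directly in
     Application Data with no vendor subfolder),
  2. the entry name is a random hex token rather than a product name,
  3. rundll32.exe is used to load a DLL with a random-looking base name.
An entry is flagged when at least two indicators fire.
"""
import ntpath
import re

# Constructed sample: a subset of the O4 lines from the HijackThis log above.
HJT_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Spy Protector] C:\Documents and Settings\Mac\Application Data\srcss.exe
O4 - HKLM\..\Run: [1856b224] rundll32.exe "C:\WINDOWS\system32\rtdbockl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"""

# O4 - <hive>\..\Run: [<name>] <command>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
RANDOM_NAME_RE = re.compile(r'^[0-9a-f]{8}$')      # assumed pattern, e.g. 1856b224
RANDOM_DLL_RE = re.compile(r'^[a-z]{6,8}$')        # assumed pattern, e.g. rtdbockl
USER_PROFILE_RE = re.compile(r'^[a-z]:\\documents and settings\\', re.I)
PROFILE_ROOT_RE = re.compile(r'\\application data$', re.I)


def parse_o4(line):
    """Return {'hive', 'name', 'cmd'} for an O4 Run line, else None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def split_command(cmd):
    """Split an autostart command into (executable, remaining arguments).

    Handles quoted paths, bare names, and unquoted paths containing spaces
    (the executable is taken up to the first '.exe' token).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r'^(.*?\.exe)(?:\s+|$)', cmd, re.I)
    if m:
        return m.group(1), cmd[m.end():].strip()
    return cmd, ''


def rundll32_target(args):
    """DLL path loaded by rundll32: the part before ',EntryPoint', unquoted."""
    return args.split(',', 1)[0].strip().strip('"')


def score_entry(entry):
    """Return the list of indicators that fire for one parsed O4 entry."""
    exe, args = split_command(entry['cmd'])
    reasons = []
    if USER_PROFILE_RE.match(exe):
        reasons.append('runs from a user profile directory')
        if PROFILE_ROOT_RE.search(ntpath.dirname(exe)):
            reasons.append('binary sits directly in Application Data, no vendor folder')
    if RANDOM_NAME_RE.match(entry['name']):
        reasons.append('entry name is a random hex token')
    if ntpath.basename(exe).lower() == 'rundll32.exe':
        stem = ntpath.splitext(ntpath.basename(rundll32_target(args)))[0]
        if RANDOM_DLL_RE.match(stem):
            reasons.append('rundll32 loads a DLL with a random-looking name (%s)' % stem)
    return reasons


def triage(log_text, threshold=2):
    """Map entry name -> indicators for every O4 entry at or above threshold."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = score_entry(entry)
        if len(reasons) >= threshold:
            flagged[entry['name']] = reasons
    return flagged


if __name__ == '__main__':
    for name, reasons in triage(HJT_LOG).items():
        print('[%s]' % name)
        for r in reasons:
            print('   - ' + r)
```

Run against the sample it reports exactly the Spy Protector and 1856b224 entries, which is what MBAM later identified as Rogue.SpyProtector and Trojan.Vundo.H.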
LoPhatPhuud
First:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Second:
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double-click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Whammybar
Malwarebytes' Anti-Malware 1.30
Database version: 1373
Windows 5.1.2600 Service Pack 2

11/7/2008 10:41:36 PM
mbam-log-2008-11-07 (22-41-36).txt

Scan type: Quick Scan
Objects scanned: 66441
Time elapsed: 10 minute(s), 32 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 28
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 39

Memory Processes Infected:
C:\Documents and Settings\Mac\Application Data\srcss.exe (Rogue.SpyProtector) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\jrowrgjf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ssqQgFVl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tuvUNghF.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cdcrpihc.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1eebf144-58e5-445a-aeec-93057287226e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvunghf (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1eebf144-58e5-445a-aeec-93057287226e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9444132e-f709-449e-b519-27ccb31c2073} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9444132e-f709-449e-b519-27ccb31c2073} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06722383-392a-4456-8bac-3d99463c38c9} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{06722383-392a-4456-8bac-3d99463c38c9} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1eebf144-58e5-445a-aeec-93057287226e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9444132e-f709-449e-b519-27ccb31c2073} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06722383-392a-4456-8bac-3d99463c38c9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shellex.tbho (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{107a1d63-2eaa-4694-8aba-ec209c630d83} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cbe202a6-3b75-4189-b161-9b4df370bee9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cbe202a6-3b75-4189-b161-9b4df370bee9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{18e4cdd5-23e9-3c2b-9ea7-7a5d489f4356} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{78f8464d-a6f2-3f0d-a87f-a53a5f10d092} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{61181f3a-b7b4-3f2d-bc24-5dc5deab99c0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78f8464d-a6f2-3f0d-a87f-a53a5f10d092} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78f8464d-a6f2-3f0d-a87f-a53a5f10d092} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\srcss.exe (Rogue.SpyProtector) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\Spy Protector (Rogue.SpyProtector) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\Spy Protector (Rogue.SpyProtector) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SpyProtector (Rogue.SpyProtector) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1856b224 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1eebf144-58e5-445a-aeec-93057287226e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spy protector (Rogue.SpyProtector) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{107a1d63-2eaa-4694-8aba-ec209c630d83} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ssqqgfvl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ssqqgfvl -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Mac\Application Data\spyprotector (Rogue.SpyProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Start Menu\Programs\spy protector (Rogue.SpyProtector) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tuvUNghF.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ssqQgFVl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lVFgQqss.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lVFgQqss.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jrowrgjf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fjgrworj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cdcrpihc.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\Mac\Application Data\srcss.exe (Rogue.SpyProtector) -> Delete on reboot.
C:\Documents and Settings\Mac\Application Data\shellex.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mws59179.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\eoopuhcv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\eyjcgwes.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fccaATlI.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hmwwerhn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hqjhpske.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ljJCvUOi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\opnklKAr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRHbCtQ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ws59179.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\udgjuu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wvUlllMg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kwegzk.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Mac\Local Settings\Temp\MediaCodec_install_7364.exe (Rogue.SpyProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Local Settings\Temp\MediaCodec_Part2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Local Settings\Temp\BIT33.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Local Settings\Temporary Internet Files\Content.IE5\4SXTAJIF\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Local Settings\Temporary Internet Files\Content.IE5\CXQAH777\23nq[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Local Settings\Temporary Internet Files\Content.IE5\G3U2GQ0I\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Local Settings\Temporary Internet Files\Content.IE5\T4091RTF\install[1].exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Local Settings\Temporary Internet Files\Content.IE5\V3A1S8W2\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Application Data\install.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Application Data\temp.dat (Trojan.Fakealert) -> Delete on reboot.
C:\Documents and Settings\Mac\Application Data\spyprotector\SC_Base_new.dat (Rogue.SpyProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Application Data\spyprotector\SC_Config.ini (Rogue.SpyProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Start Menu\Programs\spy protector\Purchase License.url (Rogue.SpyProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Start Menu\Programs\spy protector\Spy Protector.lnk (Rogue.SpyProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mac\Start Menu\Programs\spy protector\Support Page.url (Rogue.SpyProtector) -> Quarantined and deleted successfully.
C:\WINDOWS\Setup_ver1.1497.0.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Mac\Desktop\Spy Protector.lnk (Rogue.SpyProtector) -> Quarantined and deleted successfully.
LoPhatPhuud
There is more to post. Check to be sure that you posted all the MBAM log (it appears to be cut off).

Also, there is the log from ComboFix (C:\combofix.txt).


Use more than one post if necessary. Without full logs I won't go any further.
Whammybar
ComboFix 08-11-07.01 - Mac 2008-11-08 13:31:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2655 [GMT -8:00]
Running from: c:\documents and settings\Mac\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\lkcobdtr.ini
c:\windows\winhelp.ini

----- BITS: Possible infected sites -----

hxxp://www.lovelypornovideo.net
.
((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.

2008-11-07 22:15 . 2008-11-07 22:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-07 22:15 . 2008-11-07 22:15 <DIR> d-------- c:\documents and settings\Mac\Application Data\Malwarebytes
2008-11-07 22:15 . 2008-11-07 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 22:15 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 22:15 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-28 08:37 . 2008-10-28 08:37 <DIR> d-------- c:\program files\Back2zip
2008-10-27 10:13 . 2008-11-07 22:12 <DIR> d-------- c:\program files\Full Tilt ** Game for big ones **
2008-10-24 23:38 . 2008-10-24 23:38 <DIR> d-------- c:\documents and settings\Mac\Application Data\TortoiseSVN
2008-10-24 20:16 . 2008-10-24 20:16 <DIR> d-------- c:\documents and settings\Mac\Application Data\Subversion
2008-10-24 09:55 . 2008-10-24 09:55 <DIR> d-------- c:\program files\TortoiseSVN
2008-10-24 09:55 . 2008-10-24 09:55 <DIR> d-------- c:\program files\Common Files\TortoiseOverlays
2008-10-23 23:49 . 2008-10-24 23:59 <DIR> d-------- c:\documents and settings\Mac\.idlerc
2008-10-23 23:48 . 2008-10-24 09:33 <DIR> d-------- C:\Python26
2008-10-18 18:39 . 2008-10-18 18:39 <DIR> d-------- c:\documents and settings\Mac\Application Data\Autodesk
2008-10-18 18:39 . 2008-10-18 18:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Autodesk
2008-10-18 16:19 . 2008-10-18 16:19 <DIR> d-------- c:\program files\SoulseekNS
2008-10-12 13:12 . 2008-10-12 13:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2008-10-12 13:04 . 2008-10-12 13:04 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-10-11 17:09 . 2008-10-11 17:09 <DIR> d-------- c:\windows\system32\Adobe
2008-10-11 17:09 . 2001-10-26 13:16 16,384 --a------ c:\windows\system32\FileOps.exe
2008-10-11 17:07 . 2008-10-11 17:07 <DIR> d-------- c:\windows\Adobe Illustrator CS
2008-10-08 23:25 . 2008-10-08 23:26 <DIR> d-------- c:\program files\iTunes
2008-10-08 23:25 . 2008-10-08 23:25 <DIR> d-------- c:\program files\iPod
2008-10-08 23:25 . 2008-10-08 23:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 21:24 --------- d-----w c:\documents and settings\Mac\Application Data\WTablet
2008-11-08 06:32 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-05 16:39 --------- d-----w c:\documents and settings\All Users\Application Data\Soulseek
2008-11-01 02:44 --------- d-----w c:\program files\World of Warcraft
2008-10-27 18:13 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-26 21:53 --------- d-----w c:\program files\Autodesk
2008-10-18 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-12 21:11 --------- d-----w c:\program files\Common Files\Adobe
2008-10-10 08:40 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2008-10-06 17:34 --------- d-----w c:\program files\Steam
2008-10-04 19:39 3,665,693 ----a-w c:\windows\system32\avbin.dll
2008-10-03 08:34 --------- d-----w c:\program files\Ubi Soft
2008-10-01 10:45 --------- d-----w c:\program files\Warcraft III
2008-09-27 02:45 --------- d-----w c:\program files\Alpha Networks
2008-09-27 02:44 --------- d-----w c:\program files\D-Link
2008-09-26 08:21 --------- d-----w c:\program files\Electronic Arts
2008-09-18 07:36 --------- d-----w c:\program files\QuickTime
2008-09-18 07:36 --------- d-----w c:\program files\Common Files\Apple
2008-09-18 07:01 --------- d-----w c:\program files\Bonjour
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-08-29 17:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 16:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 09:58 2,136,064 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:22 2,015,744 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-03-09 22:59 82 ----a-w c:\documents and settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2008-01-20 00:32 22,328 ----a-w c:\documents and settings\Mac\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Google Update"="c:\documents and settings\Mac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-17 7700480]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"D-Link Air Utility"="c:\program files\D-Link\Air Utility\AirCFG.exe" [2003-09-23 2494464]
"ANIWZCSService"="c:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 32768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-26 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2006-11-17 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-11-17 c:\windows\system32\nvmctray.dll]

c:\documents and settings\Mac\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-18 110592]
PowerReg Scheduler.exe [2008-10-03 256000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"SENTINEL"= snti386.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\Steam\\steamapps\\whammybarr\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Steam\\steamapps\\whammybarr\\condition zero\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Warcraft 3

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;c:\windows\system32\DRIVERS\PRISMNDS.sys [2003-09-19 652288]
R3 wacommousefilter;Wacom Mouse Filter Driver;c:\windows\system32\DRIVERS\wacommousefilter.sys [2006-02-14 5632]
R3 wacomvhid;Wacom Virtual Hid Driver;c:\windows\system32\DRIVERS\wacomvhid.sys [2006-02-14 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8417af73-7d04-11dd-b7eb-0016e68d647e}]
\Shell\AutoRun\command - WDSetup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Mac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 22:19]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Mac\Application Data\Mozilla\Firefox\Profiles\u0idy5cs.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\documents and settings\Mac\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-08 13:37:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-08 13:46:12
ComboFix-quarantined-files.txt 2008-11-08 21:45:21

Pre-Run: 79,410,999,296 bytes free
Post-Run: 84,806,676,480 bytes free

214 --- E O F --- 2008-10-24 09:18:31


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:02 PM, on 11/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Mac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\sesinetd.exe
C:\WINDOWS\system32\hserver.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1171778986531
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HoudiniLicenseServer - Side Effects Software Inc. - C:\WINDOWS\system32\sesinetd.exe
O23 - Service: HoudiniServer - Side Effects Software Inc. - C:\WINDOWS\system32\hserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6379 bytes

LoPhatPhuud
The ComboFix and HJT logs show clean. Before we begin cleanup, are there any issues still outstanding?
Whammybar
everything seems to be the way it was before the virus, thanks for all the help
Invision Power Board © 2001-2009 Invision Power Services, Inc.