Trojan Horse

Dropkickmurphys

New Member
Hey guys, I'm really annoyed at myself because of this... I'm usually so careful. But I have recently formatted my PC, I was trying to download CoD4 patches and I accidentally downloaded a trojan =/.

I have run both AVG Free 8 and Malwarebytes, both in Normal and Safe mode. I hope I have gotten rid of it, but in case I haven't, can someone please check my HijackThis log?

Thanks!
Dave.

Logfile of HijackThis v1.99.1
Scan saved at 20:12:06, on 19/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.forex-finance-trading.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.forex-finance-trading.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.forex-finance-trading.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forex-finance-trading.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)
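The log above is the kind of thing a HijackThis helper reads by eye; the checks they apply can be written down. The Python below is an added example, not code from the original post or from HijackThis itself, that parses the Rn/On entries and flags the usual review items: R0/R1 start and search pages that point anywhere but the vendor defaults (here every one is http://www.forex-finance-trading.com/, which together with the O6 policy entry is what a homepage hijack looks like in this log format), an O2 BHO with "(no file)", an unrecognised O10 Winsock LSP, O23 services with "Unknown owner" or "(file missing)", and O4 autoruns launched from outside Windows or Program Files. The DEFAULT_IE_HOSTS allowlist and the TRUSTED_DIRS prefixes are assumptions, and the sample is a subset of lines copied from the log. Hits are review items, not verdicts: the O10 DLL sits in Apple's Bonjour folder and the PunkBuster services live in system32, which a human clears on sight, whereas the R0/R1 lines are what warrants attention.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.forex-finance-trading.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forex-finance-trading.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)
"""

LINE_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# First absolute Windows path in a command line, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*)')

# Hosts IE ships pointing at (assumption; extend for a corporate default page).
DEFAULT_IE_HOSTS = {"www.microsoft.com", "go.microsoft.com", "www.msn.com",
                    "search.msn.com", "www.live.com", "search.live.com"}
# Autoruns under these prefixes are treated as installed software rather than a drop (assumption).
TRUSTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\progra~1")


@dataclass
class Entry:
    section: str   # HijackThis section code: R0, R1, O2, O4, O23, ...
    body: str      # everything after "Rn - " / "On - "


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "low"
    section: str
    reason: str
    body: str


def parse_hjt(text):
    """Keep only the Rn/On entries; the 'Running processes' block has no code prefix."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def triage(entries):
    findings = []
    for e in entries:
        sec, body = e.section, e.body
        if sec in ("R0", "R1"):
            # Start/search pages: any host outside the vendor defaults is a hijack candidate.
            # Non-URL values such as ProxyOverride = *.local yield no hostname and are skipped.
            value = body.partition(" = ")[2].strip()
            host = urlparse(value).hostname
            if host and host.lower() not in DEFAULT_IE_HOSTS:
                findings.append(Finding("high", sec, f"IE page/search setting points at {host}", body))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(Finding("low", sec, "orphaned BHO registration, DLL no longer on disk", body))
        elif sec == "O6":
            findings.append(Finding("medium", sec, "IE policy restrictions present; typical of a homepage lock", body))
        elif sec == "O10":
            findings.append(Finding("medium", sec, "unrecognised Winsock LSP; identify the vendor, never delete blindly", body))
        elif sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append(Finding("medium", sec, "service with no publisher string or missing binary", body))
        elif sec == "O4":
            m = PATH_RE.search(body)
            if m and not m.group(1).lower().startswith(TRUSTED_DIRS):
                findings.append(Finding("medium", sec, "autorun launched from outside Windows/Program Files", body))
    return findings


def severity_counts(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.body}")
```

Run as-is it reports two high (the R0/R1 redirects), four medium (O6, O10 and the two O23 services) and one low (the orphaned BHO) for the sample; a bare `nwiz.exe /install` style O4 entry carries no drive letter and is deliberately left alone, since it resolves from the system path and cannot be judged from the log line alone.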
 
Please post the logs from both programs, run an updated version of HijackThis (http://www.computerforum.com/131398-important-please-read-before-posting.html), and run JavaRa:

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
 
Downloaded new version. Ran JavaRa.

new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:05:37, on 19/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\javaws.exe
C:\Program Files\Java\jre6\bin\javaw.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.forex-finance-trading.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.forex-finance-trading.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.forex-finance-trading.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forex-finance-trading.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 6358 bytes


And logs for both programs? As in Malwarebytes and AVG? Or?
 
malwarebytes log:

Malwarebytes' Anti-Malware 1.37
Database version: 2287
Windows 5.1.2600 Service Pack 2

20/06/2009 11:01:56
mbam-log-2009-06-20 (11-01-53).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 167110
Time elapsed: 24 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
ComboFix 09-06-20.04 - Dave 21/06/2009 16:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.3582.3060 [GMT 1:00]
Running from: c:\documents and settings\Dave\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\OPTIONS\CABS\_desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-06-20 21:01 . 2009-06-20 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania
2009-06-20 13:12 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-06-20 12:06 . 2009-06-20 12:06 -------- d-----w- c:\documents and settings\Dave\Application Data\The Creative Assembly
2009-06-19 22:05 . 2009-06-19 22:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-19 22:05 . 2009-06-19 22:05 -------- d-----w- c:\program files\Java
2009-06-19 22:04 . 2009-06-19 22:04 -------- d-----w- c:\program files\Trend Micro
2009-06-19 19:01 . 2009-06-16 14:32 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-19 19:01 . 2009-06-16 14:32 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-19 19:01 . 2009-06-16 14:32 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-19 19:01 . 2009-06-16 14:32 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-19 19:01 . 2009-06-16 14:32 908568 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-06-19 19:01 . 2009-06-16 14:32 27784 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2009-06-19 19:01 . 2009-06-16 14:32 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-16 14:46 . 2009-06-20 10:12 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-16 14:32 . 2009-06-16 14:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-16 14:32 . 2009-06-16 14:32 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-16 14:32 . 2009-06-16 14:32 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-16 14:32 . 2009-06-19 19:01 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:32 . 2009-06-21 08:43 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-16 14:32 . 2009-06-16 14:32 -------- d-----w- c:\program files\AVG
2009-06-16 14:32 . 2009-06-16 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-16 14:22 . 2009-06-16 14:22 -------- d-----w- c:\documents and settings\Dave\Application Data\Malwarebytes
2009-06-16 14:22 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-16 14:22 . 2009-06-16 14:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-16 14:22 . 2009-06-16 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-16 14:22 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 16:15 . 2009-06-14 16:15 -------- d-----w- c:\program files\uTorrent
2009-06-14 16:15 . 2009-06-15 08:56 -------- d-----w- c:\documents and settings\Dave\Application Data\uTorrent
2009-06-14 11:00 . 2009-06-14 11:00 -------- d-----w- C:\ProgramData
2009-06-14 11:00 . 2009-06-14 11:00 4378 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-14 11:00 . 2009-06-14 11:00 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\Downloaded Installations
2009-06-14 10:45 . 2009-06-14 11:00 -------- d-----w- c:\program files\Electronic Arts
2009-06-14 10:32 . 2009-06-14 10:32 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\World in Conflict
2009-06-14 10:31 . 2009-06-14 10:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-14 10:31 . 2009-06-14 10:31 -------- d--h--r- c:\documents and settings\Dave\Application Data\SecuROM
2009-06-14 09:34 . 2009-06-16 14:57 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\PunkBuster
2009-06-14 09:34 . 2009-06-14 09:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire
2009-06-13 21:42 . 2009-06-13 21:42 -------- d-----w- c:\program files\EA Games
2009-06-13 21:35 . 2009-05-15 14:32 1283448 ----a-w- c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\434u3m0w.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-06-13 21:35 . 2009-05-15 14:32 729088 ----a-w- c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\434u3m0w.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-06-13 17:27 . 2009-06-13 17:27 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\Identities
2009-06-13 17:20 . 2009-06-13 18:25 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-06-12 17:35 . 2009-06-12 17:35 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\Adobe
2009-06-12 17:34 . 2009-06-12 17:34 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-11 22:29 . 2009-06-11 22:29 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-06-11 16:30 . 2009-06-11 16:30 -------- d-----w- c:\program files\RivaTuner v2.24
2009-06-11 15:43 . 2009-06-11 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-06-11 15:42 . 2009-06-11 15:42 -------- d-----w- c:\program files\Logitech
2009-06-11 11:42 . 2009-06-14 11:46 -------- d-----w- c:\documents and settings\Dave\Application Data\DNA
2009-06-11 11:42 . 2009-06-14 10:21 -------- d-----w- c:\program files\DNA
2009-06-11 11:42 . 2009-06-11 11:42 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\DNA
2009-06-11 11:32 . 2009-06-11 11:32 -------- d-----w- c:\program files\Sierra Entertainment
2009-06-11 11:24 . 2009-06-11 11:27 -------- d-----w- c:\program files\TmUnitedForever
2009-06-11 09:42 . 2009-06-11 09:42 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\Activision
2009-06-11 09:31 . 2009-06-11 09:31 -------- d-----w- c:\program files\CPUID
2009-06-11 09:31 . 2009-03-27 00:16 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2009-06-11 09:30 . 2009-06-11 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-06-10 19:13 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-10 19:13 . 2008-10-16 13:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-06-10 13:56 . 2009-06-21 13:50 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-10 13:56 . 2009-06-13 21:53 139152 ----a-w- c:\documents and settings\Dave\Application Data\PnkBstrK.sys
2009-06-10 13:55 . 2009-06-21 13:50 189640 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-10 13:55 . 2009-06-14 09:35 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-06-10 13:55 . 2009-06-13 21:53 794408 ----a-w- c:\windows\system32\pbsvc.exe
2009-06-10 13:55 . 2009-06-10 13:55 -------- d-----w- c:\windows\system32\LogFiles
2009-06-10 13:45 . 2009-06-11 11:12 -------- d-----w- c:\program files\Activision
2009-06-10 13:43 . 2009-06-10 13:43 -------- d-sh--w- c:\windows\ftpcache
2009-06-10 12:29 . 2009-06-10 12:29 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-06-10 10:58 . 2009-06-10 10:59 -------- d-----w- c:\program files\ATITool
2009-06-10 10:57 . 2009-06-20 20:32 -------- d-----w- c:\program files\SpeedFan
2009-06-10 10:55 . 2009-06-21 14:42 -------- d-----w- c:\documents and settings\Dave\Tracing
2009-06-10 10:54 . 2009-06-10 10:54 -------- d-----w- c:\program files\Microsoft
2009-06-10 10:54 . 2009-06-10 10:54 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-10 10:54 . 2009-06-10 10:54 -------- d-----w- c:\program files\Windows Live
2009-06-10 10:51 . 2009-06-10 10:51 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-10 10:47 . 2009-06-10 10:47 -------- d-----w- c:\documents and settings\Dave\Contacts
2009-06-10 09:22 . 2009-06-10 09:22 0 ----a-w- c:\windows\nsreg.dat
2009-06-10 09:22 . 2009-06-10 09:22 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\Mozilla
2009-06-10 09:17 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-06-10 09:17 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-06-10 09:17 . 2009-02-06 17:24 2180480 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-06-10 09:17 . 2009-02-06 17:22 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-06-10 09:17 . 2009-02-06 16:49 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-06-10 09:17 . 2009-02-06 16:49 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-06-10 09:17 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-09 22:31 . 2009-06-11 13:50 -------- d--h--w- c:\windows\$hf_mig$
2009-06-09 16:47 . 2009-06-09 16:47 -------- d-----w- c:\documents and settings\Dave\Application Data\teamspeak2
2009-06-09 16:38 . 2007-04-04 17:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2009-06-09 15:06 . 2009-06-20 21:33 -------- d-----w- C:\Warhammer Online - Age of Reckoning
2009-06-09 14:59 . 2004-08-03 22:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-06-09 14:38 . 2009-06-21 15:15 -------- d-----w- c:\program files\Steam
2009-06-09 14:36 . 2009-06-09 16:47 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-06-09 14:33 . 2009-06-21 14:59 -------- d-----w- c:\documents and settings\Dave\Application Data\Xfire
2009-06-09 14:33 . 2009-06-19 19:05 -------- d-----w- c:\program files\Xfire
2009-06-09 14:31 . 2009-06-10 10:03 -------- d-----w- c:\documents and settings\Dave\Application Data\Apple Computer
2009-06-09 14:31 . 2009-03-19 15:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-09 14:31 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-09 14:30 . 2009-06-09 14:30 -------- d-----w- c:\program files\iPod
2009-06-09 14:30 . 2009-06-09 14:31 -------- d-----w- c:\program files\iTunes
2009-06-09 14:30 . 2009-06-09 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-09 14:30 . 2009-06-09 14:30 -------- d-----w- c:\program files\Bonjour
2009-06-09 14:29 . 2009-06-09 14:30 -------- d-----w- c:\program files\QuickTime
2009-06-09 14:29 . 2009-06-09 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-09 14:29 . 2009-06-09 14:29 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\Apple
2009-06-09 14:29 . 2009-06-09 14:29 -------- d-----w- c:\program files\Apple Software Update
2009-06-09 14:29 . 2009-06-05 10:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-09 14:29 . 2009-06-05 10:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-09 14:28 . 2009-06-09 14:30 -------- d-----w- c:\program files\Common Files\Apple
2009-06-09 14:28 . 2009-06-09 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-09 14:28 . 2009-06-09 14:31 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\Apple Computer
2009-06-09 14:27 . 2009-06-10 10:55 12912 ----a-w- c:\documents and settings\Dave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 14:23 . 2009-06-09 14:23 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\Logitech
2009-06-09 14:20 . 2009-06-09 14:20 -------- d-----w- c:\windows\system32\Lang
2009-06-09 14:16 . 2008-07-09 07:38 26488 ----a-w- c:\windows\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 11:00 . 2009-06-09 11:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-14 11:00 . 2009-06-09 11:46 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-09 14:17 . 2009-06-09 14:17 -------- d-----w- c:\program files\Realtek
2009-06-09 14:17 . 2009-06-09 14:17 -------- d-----w- c:\documents and settings\Dave\Application Data\InstallShield
2009-06-09 14:17 . 2009-06-09 14:17 315392 ----a-w- c:\windows\HideWin.exe
2009-06-09 14:16 . 2009-06-09 11:47 15600 ----a-w- c:\windows\gdrv.sys
2009-06-09 12:11 . 2009-06-09 11:38 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-09 11:48 . 2009-06-09 11:48 -------- d-----w- c:\program files\Intel
2009-06-09 11:46 . 2009-06-09 11:46 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-06-09 11:46 . 2009-06-09 11:46 -------- d-----w- c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2009-06-09 11:44 . 2009-06-09 11:44 -------- d-----w- c:\program files\AGEIA Technologies
2009-06-09 11:44 . 2009-06-09 11:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-09 11:38 . 2009-06-09 11:38 -------- d-----w- c:\program files\microsoft frontpage
2009-06-09 11:36 . 2009-06-09 11:36 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-05 12:57 . 2009-06-05 12:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-07 15:44 . 2004-08-04 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2004-08-04 12:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-04 12:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-04 12:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-05-04 354312]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-05-04 1572872]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-05-04 2817544]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-16 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-19 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-16 14:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\unpdave\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\TmUnitedForever\\TmForever.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/06/2009 15:32 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/06/2009 15:32 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [16/06/2009 15:32 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/06/2009 15:32 298776]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [11/06/2009 10:31 12672]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1965331169-839522115-1003.job
- c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-09 11:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.forex-finance-trading.com/
uDefault_Search_URL = hxxp://www.forex-finance-trading.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 16:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-21 16:21
ComboFix-quarantined-files.txt 2009-06-21 15:21

Pre-Run: 108,906,700,800 bytes free
Post-Run: 109,073,154,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

239 --- E O F --- 2009-06-21 14:42
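ComboFix's "Files Created" and "Find3M" sections are a created/modified timeline, and the useful question is which of the new files are code in places code does not normally appear. The Python below is an added example, not part of the original post or of ComboFix, that parses those lines and applies three review heuristics: a hidden+system folder created in the window, a .sys driver outside system32\drivers or the dllcache, and .exe/.dll/.sys files under a user-writable profile path. The meaning of the attribute column ('d' directory, 's' system, 'h' hidden at fixed positions) is inferred from the lines on this page and is an assumption, as is the list of user-writable prefixes; the sample is a subset of lines copied from the log above. As with any such triage, hits are prompts to check a publisher and hash, not verdicts: in this log they include PunkBuster's PnkBstrK.sys under Application Data, the AVG update backup, the BFHUpdater plugin in the Firefox profile, and c:\windows\gdrv.sys, all of which a reviewer would resolve by vendor rather than delete.

```python
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: lines copied verbatim from the "Files Created" and "Find3M"
# sections of the ComboFix log above.
SAMPLE = r"""
2009-06-20 13:12 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-06-19 19:01 . 2009-06-16 14:32 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-16 14:46 . 2009-06-20 10:12 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-14 10:31 . 2009-06-14 10:31 -------- d--h--r- c:\documents and settings\Dave\Application Data\SecuROM
2009-06-13 21:35 . 2009-05-15 14:32 1283448 ----a-w- c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\434u3m0w.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-06-13 21:35 . 2009-05-15 14:32 729088 ----a-w- c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\434u3m0w.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-06-10 13:56 . 2009-06-21 13:50 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-10 13:56 . 2009-06-13 21:53 139152 ----a-w- c:\documents and settings\Dave\Application Data\PnkBstrK.sys
2009-06-10 13:43 . 2009-06-10 13:43 -------- d-sh--w- c:\windows\ftpcache
2009-06-10 09:17 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-06-09 14:16 . 2009-06-09 11:47 15600 ----a-w- c:\windows\gdrv.sys
"""

# created . modified size attrs path  (size is "--------" for directories)
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\S+)\s+(\S{8})\s+(.+)$"
)

CODE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")
# Assumption: profile/data roots a standard user can write to on XP/Vista-era Windows.
USER_WRITABLE = ("c:\\documents and settings\\", "c:\\programdata\\", "c:\\users\\")
# Where drivers legitimately live (dllcache is the Windows File Protection store).
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\dllcache\\")


@dataclass
class Record:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories
    attrs: str            # 8-character attribute column, e.g. "d-sh--w-"
    path: str

    # Column positions inferred from the log lines on the page (assumption):
    # attrs[0] 'd' = directory, attrs[2] 's' = system, attrs[3] 'h' = hidden.
    @property
    def is_dir(self): return self.attrs[0] == "d"
    @property
    def system(self): return self.attrs[2] == "s"
    @property
    def hidden(self): return self.attrs[3] == "h"


@dataclass
class Hit:
    reason: str
    record: Record


def parse_combofix(text):
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        recs.append(Record(datetime.strptime(created, "%Y-%m-%d %H:%M"),
                           datetime.strptime(modified, "%Y-%m-%d %H:%M"),
                           None if size == "--------" else int(size),
                           attrs, path))
    return recs


def review(records, since=None):
    """since: optional 'YYYY-MM-DD' lower bound on the created timestamp."""
    cutoff = datetime.strptime(since, "%Y-%m-%d") if since else None
    hits = []
    for r in records:
        if cutoff and r.created < cutoff:
            continue
        p = r.path.lower()
        if r.is_dir:
            if r.system and r.hidden:
                hits.append(Hit("hidden+system folder created", r))
            continue
        ext = ntpath.splitext(p)[1]
        if ext == ".sys" and not p.startswith(DRIVER_DIRS):
            hits.append(Hit("driver file outside the drivers directory", r))
        elif ext in CODE_EXT and p.startswith(USER_WRITABLE):
            hits.append(Hit("executable code under a user-writable profile path", r))
    return hits


def summary(hits):
    counts = {}
    for h in hits:
        counts[h.reason] = counts.get(h.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for h in review(parse_combofix(SAMPLE)):
        print(f"{h.record.created:%Y-%m-%d %H:%M}  {h.reason}: {h.record.path}")
```

The `since` argument narrows the timeline to the days around the suspected download, which is how one separates a fresh drop from the installer noise of a machine that was rebuilt a fortnight earlier; on the full sample the three heuristics fire six times, all on files a reviewer would then attribute by vendor.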
 