dumps
regular
Reg'd: Fri
Posts: 81
Loc: northumberland
Re: Trojans
Sat Apr 19 2008 05:29 PM
hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:48:10, on 19/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\david\Program Files\DNA\btdna.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\david\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jre/...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfs.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

-- End of file - 8444 bytes

combofix log
ComboFix 08-04-18.3 - david 2008-04-19 17:20:20.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1336 [GMT 1:00]
Running from: C:\Users\david\Downloads\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.
2008-04-19 13:34 . 2008-04-19 13:59 <DIR> d-------- C:\ProgramData\Driving Test Success
2008-04-19 13:34 . 2008-04-19 13:34 <DIR> d-------- C:\Program Files\Driving Test Success - All Tests (2007-2008)
2008-04-19 09:47 . 2008-04-19 09:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 14:19 . 2008-04-17 14:19 0 --a------ C:\Windows\Irremote.ini
2008-04-16 19:11 . 2008-04-16 19:11 <DIR> d-------- C:\Program Files\TVAnts
2008-04-16 19:02 . 2008-04-16 19:02 <DIR> d-------- C:\Users\david\AppData\Roaming\TVU Networks
2008-04-16 19:02 . 2008-04-16 19:02 <DIR> d-------- C:\ProgramData\TVU Networks
2008-04-16 19:02 . 2008-04-16 19:02 <DIR> d-------- C:\Program Files\TVUPlayer
2008-04-16 18:24 . 2008-04-16 18:25 <DIR> d-------- C:\Program Files\SopCast
2008-04-16 15:37 . 2008-04-16 15:37 42 --a------ C:\Windows\System32\RegistryGenius.lie
2008-04-16 15:31 . 2008-04-18 15:53 <DIR> d-------- C:\Program Files\Registry Genius
2008-04-16 14:05 . 2008-04-16 15:39 <DIR> d-------- C:\Program Files\Netcom3 Cleaner
2008-04-14 16:55 . 2008-04-14 16:56 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-12 21:57 . 2008-04-12 22:19 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-12 21:57 . 2008-04-12 21:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-12 20:38 . 2008-04-19 16:35 <DIR> d-------- C:\ProgramData\Google Updater
2008-04-12 20:38 . 2008-04-12 20:38 <DIR> d-------- C:\Program Files\Google
2008-04-12 20:27 . 2008-04-12 21:21 <DIR> d-a------ C:\ProgramData\TEMP
2008-04-11 12:05 . 2008-04-11 12:05 <DIR> d-------- C:\Users\david\AppData\Roaming\Nero
2008-04-11 12:01 . 2008-04-17 14:21 <DIR> d-------- C:\ProgramData\Nero
2008-04-11 12:01 . 2008-04-11 12:01 <DIR> d-------- C:\Program Files\Nero
2008-04-11 12:01 . 2008-04-17 14:21 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-10 20:24 . 2008-04-10 20:24 <DIR> d-------- C:\Users\david\AppData\Roaming\CyberLink
2008-04-09 22:16 . 2008-04-09 22:16 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-09 22:16 . 2008-04-09 22:16 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-09 22:16 . 2008-04-09 22:16 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-09 22:16 . 2008-04-09 22:16 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 22:16 . 2008-04-09 22:16 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 22:16 . 2008-04-09 22:16 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 22:16 . 2008-04-09 22:16 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 22:16 . 2008-04-09 22:16 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-09 22:16 . 2008-04-09 22:16 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 22:15 . 2008-04-09 22:15 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-09 22:15 . 2008-04-09 22:15 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-09 22:13 . 2008-04-09 22:13 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-09 22:13 . 2008-04-09 22:13 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-04-06 12:27 . 2008-04-14 16:42 186,837,340 --a------ C:\Windows\MEMORY.DMP
2008-04-05 23:57 . 2008-04-14 18:20 <DIR> d-------- C:\Users\david\Contacts
2008-04-03 12:16 . 2008-04-03 12:17 <DIR> d-------- C:\Program Files\Safari
2008-04-03 12:15 . 2008-04-03 12:15 <DIR> d-------- C:\Program Files\iTunes
2008-04-03 12:15 . 2008-04-03 12:15 <DIR> d-------- C:\Program Files\iPod
2008-04-03 12:15 . 2008-04-03 12:15 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-03 12:15 . 2008-04-03 12:15 1,409 --a------ C:\Windows\QTFont.for
2008-04-03 12:13 . 2008-04-03 12:13 <DIR> d-------- C:\Program Files\QuickTime
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-03-25 16:18 . 2008-03-25 16:18 <DIR> d-------- C:\ProgramData\Webroot
2008-03-24 22:35 . 2008-03-24 22:35 <DIR> d-------- C:\Users\david\AppData\Roaming\Webroot
2008-03-24 22:35 . 2008-03-24 22:35 <DIR> d-------- C:\Program Files\Webroot
2008-03-24 22:35 . 2008-03-25 16:18 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2008-03-24 22:35 . 2007-11-26 15:47 194,888 --a------ C:\Windows\Unwash6.exe
2008-03-22 01:49 . 2008-03-22 01:49 <DIR> d-------- C:\Users\david\AppData\Roaming\Yahoo!
2008-03-22 01:49 . 2008-03-22 01:49 <DIR> d-------- C:\ProgramData\Yahoo!
2008-03-22 01:48 . 2008-03-24 13:55 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-21 13:51 . 2008-03-21 13:51 <DIR> d-------- C:\Users\david\Program Files
2008-03-21 13:47 . 2008-03-21 13:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-21 13:45 . 2008-04-19 17:21 <DIR> d-------- C:\Users\david\AppData\Roaming\DNA
2008-03-21 13:45 . 2008-04-16 18:14 <DIR> d-------- C:\Users\david\AppData\Roaming\BitTorrent
2008-03-21 13:45 . 2008-03-21 13:45 <DIR> d-------- C:\Program Files\DNA
2008-03-21 13:45 . 2008-03-21 13:45 <DIR> d-------- C:\Program Files\BitTorrent
2008-03-21 13:23 . 2008-03-21 13:23 <DIR> d-------- C:\Users\david\AppData\Roaming\Samsung
2008-03-21 13:08 . 2006-05-03 23:53 174,592 --a------ C:\Windows\System32\framedyn.dll
2008-03-21 12:59 . 2007-05-02 12:12 109,704 --a------ C:\Windows\System32\drivers\ssm_mdm.sys
2008-03-21 12:59 . 2007-05-02 12:12 83,592 --a------ C:\Windows\System32\drivers\ssm_bus.sys
2008-03-21 12:59 . 2007-05-02 12:12 15,112 --a------ C:\Windows\System32\drivers\ssm_mdfl.sys
2008-03-21 12:59 . 2007-05-02 12:12 12,424 --a------ C:\Windows\System32\drivers\ssm_whnt.sys
2008-03-21 12:59 . 2007-05-02 12:12 12,424 --a------ C:\Windows\System32\drivers\ssm_wh.sys
2008-03-21 12:59 . 2007-05-02 12:12 12,424 --a------ C:\Windows\System32\drivers\ssm_cmnt.sys
2008-03-21 12:59 . 2007-05-02 12:12 12,424 --a------ C:\Windows\System32\drivers\ssm_cm.sys
2008-03-21 12:57 . 2008-03-21 13:04 <DIR> d-------- C:\Windows\System32\Samsung_USB_Drivers
2008-03-21 12:57 . 2006-07-24 17:05 5,632 --a------ C:\Windows\System32\drivers\StarOpen.sys
2008-03-21 12:57 . 2005-08-28 21:51 766 --a------ C:\Windows\System32\Uninstall.ico
2008-03-21 12:56 . 2008-03-21 12:56 <DIR> d-------- C:\Program Files\Samsung
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 19:24 --------- d-----w C:\ProgramData\CyberLink
2008-04-10 08:38 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 21:11 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-09 21:11 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-09 21:11 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-09 21:11 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-04-05 23:53 --------- d-----w C:\Users\david\AppData\Roaming\Apple Computer
2008-03-29 17:32 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-03-22 12:18 --------- d-----w C:\Program Files\Microsoft Games
2008-03-21 11:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 23:26 --------- d-----w C:\Program Files\Java
2008-03-14 23:23 --------- d-----w C:\Program Files\Common Files\Java
2008-03-14 22:50 --------- d-----w C:\ProgramData\Apple Computer
2008-03-14 22:49 --------- d-----w C:\Program Files\Bonjour
2008-03-14 22:48 --------- d-----w C:\Program Files\Apple Software Update
2008-03-14 22:47 --------- d-----w C:\ProgramData\Apple
2008-03-14 22:47 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-14 22:46 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-14 22:46 --------- d-----w C:\Program Files\Windows Live
2008-03-14 22:36 --------- d-----w C:\ProgramData\WLInstaller
2008-03-14 22:09 --------- d-----w C:\Program Files\Alwil Software
2008-03-14 21:29 174 --sha-w C:\Program Files\desktop.ini
2008-03-14 21:26 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2008-03-14 20:32 --------- d-----w C:\Program Files\Common Files\Microsoft Games
2008-03-14 20:14 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-14 20:14 --------- d-----w C:\Program Files\Windows Calendar
2008-03-14 14:45 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-03-14 14:45 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-03-14 14:45 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-03-14 14:45 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-03-14 14:45 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-03-14 14:45 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-03-14 14:45 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-03-14 14:45 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-03-14 14:45 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-03-14 14:45 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-03-14 14:45 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-03-14 14:45 2,923,520 ----a-w C:\Windows\explorer.exe
2008-03-14 14:45 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2008-03-14 14:44 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-03-14 14:44 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-03-14 14:40 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-03-14 14:40 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-03-14 14:40 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-03-14 14:40 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-03-14 14:40 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-03-14 14:40 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-03-14 14:40 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-03-14 14:39 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-03-14 14:39 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-03-14 14:39 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-03-14 14:39 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-03-14 14:39 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-03-14 14:39 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-03-14 14:39 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-03-14 14:39 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-03-14 14:39 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-03-14 14:38 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-03-14 14:38 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-03-14 14:38 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-03-14 14:38 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-03-14 14:38 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-03-14 14:38 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-03-14 14:38 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-03-14 14:38 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-03-14 14:38 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-03-14 14:38 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-03-14 14:37 82,432 ----a-w C:\Windows\system32\drivers\sdbus.sys
2008-03-14 14:37 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-03-14 14:37 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-03-14 14:37 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-03-14 14:37 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-03-14 14:37 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-03-14 14:37 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-03-14 14:35 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-03-14 14:35 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-03-14 14:35 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-14 14:35 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-14 14:35 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-14 14:35 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-03-14 14:35 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-14 14:35 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-14 14:35 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-03-14 14:35 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-03-14 14:34 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-03-14 14:34 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-03-14 14:34 53,760 ----a-w C:\Windows\system32\drivers\hdaudbus.sys
2008-03-14 14:34 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-03-14 14:34 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2008-03-14 14:33 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-03-14 14:33 5,120 ----a-w C:\Windows\System32\wmi.dll
2008-03-14 14:33 152,576 ----a-w C:\Windows\System32\imagehlp.dll
2008-03-14 14:33 12,800 ----a-w C:\Windows\system32\drivers\fs_rec.sys
2008-03-14 14:32 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-03-14 14:30 750,080 ----a-w C:\Windows\System32\qmgr.dll
2008-03-14 14:30 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-03-14 14:17 --------- d-----w C:\ProgramData\Citrix
2008-03-14 14:16 61,480 ----a-w C:\Users\david\GoToAssistDownloadHelper.exe
2008-03-14 14:03 80,896 ----a-w C:\Windows\System32\wudriver.dll
2008-03-14 14:03 549,720 ----a-w C:\Windows\System32\wuapi.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-19_11.27.21.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-19 10:22:53 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-19 16:11:14 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-19 14:34:39 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-19 14:34:39 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-19 10:24:09 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-19 15:49:48 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-19 10:24:02 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-19 14:36:52 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-19 14:36:52 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-04-19 10:24:23 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-19 16:20:25 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-19 10:24:02 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-19 14:36:47 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-19 14:36:47 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-19 10:23:16 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-19 16:12:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-19 10:23:16 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-19 16:12:04 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-19 10:23:16 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-19 16:12:04 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-19 10:19:34 108,526 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-19 14:39:47 108,526 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-19 10:19:34 623,342 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-19 14:39:47 623,342 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-19 10:15:57 5,450 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-957558273-2314692783-768662671-1000_UserData.bin
+ 2008-04-19 14:37:12 5,870 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-957558273-2314692783-768662671-1000_UserData.bin
- 2008-04-19 10:15:57 59,304 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-19 14:37:12 59,492 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-19 10:15:55 39,156 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-19 14:37:10 39,164 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-04-18 18:48:45 190,708 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-04-19 16:11:15 190,908 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-14 15:35 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 13:34 2159104 C:\Windows\System32\oobefldr.dll]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-12 20:38 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 18:43 4670704]
"BitTorrent DNA"="C:\Users\david\Program Files\DNA\btdna.exe" [2008-04-11 11:43 288576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-05-21 08:48 1006264]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-11-06 09:02 98304]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-11-06 09:05 106496]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2006-11-06 09:02 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 13:50 815104]
"Keyboard Manager Utility"="C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [2007-01-11 19:54 1359872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E81A1FEF-79AF-4494-B522-0F393ACFEC6C}"= UDP:C:\Program Files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
"{0241C88F-69C8-48EF-A3EA-FA38B5B264ED}"= TCP:C:\Program Files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
"{7834F3B8-0940-4A5C-B1F6-57D0A666401C}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1715DB44-687A-4D84-BD5F-30AA74CA6AFD}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{F7D39764-1787-4E85-A0E0-5CCB7E000A02}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{7F115700-B552-43FC-A448-05AD3E28FC9A}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{AC6495BC-0D00-4BE1-8002-F532D2AF0ECF}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{1B46E425-6AC7-455B-936D-FC6BE7DB6ECE}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{E355F93B-E5EF-42AB-A96E-939D237EE175}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{5A884747-CBFA-4ECC-B9E4-1C62802AA740}C:\\users\\david\\program files\\dna\\btdna.exe"= UDP:C:\users\david\program files\dna\btdna.exe:btdna.exe
"UDP Query User{A4636E20-9F75-44FE-AF5C-FEC9E061D1AF}C:\\users\\david\\program files\\dna\\btdna.exe"= TCP:C:\users\david\program files\dna\btdna.exe:btdna.exe
"{53BBDB63-E709-480F-89C1-AE03CDCA89F9}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C3423185-9674-4C75-A63D-A640C5BC139B}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8B14A510-29A8-4452-A67D-9650DE93D0D9}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{A2CB6DD4-0C11-4521-B796-9454A4D08DC8}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{EB25FCB7-CBD2-4F76-A07A-F8E1E2B38AEB}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{54E5FF21-E1BA-4A11-873D-186B82D985D7}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{CD4B4A1A-DEAC-4464-BBFB-2C1F5623FBD7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{C84AA565-F79A-4F21-A8A4-B4F0EBEA8B16}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{3033B7B2-412E-4206-8BF6-85E7E6A84143}C:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{A7EAFEBD-DF8A-428B-B1B6-018E00DF579F}C:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{85523755-924E-45CE-AE62-E691318B3711}C:\\program files\\sopcast\\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{95DA28CC-DC4A-4F17-B70B-33D996A8B51A}C:\\program files\\sopcast\\sopcast.exe"= TCP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{8B262F32-5DF9-4BB0-A443-74621147A832}C:\\program files\\tvuplayer\\tvuplayer.exe"= UDP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
"UDP Query User{B7FF59AA-91C1-4E5A-ACFF-4A3D0F4C44C7}C:\\program files\\tvuplayer\\tvuplayer.exe"= TCP:C:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
"TCP Query User{8D244379-DC5E-4EEA-9D70-84379825EEB1}C:\\program files\\tvants\\tvants.exe"= UDP:C:\program files\tvants\tvants.exe:TVAnts
"UDP Query User{859DC7BF-23B1-4944-BB99-DE9834E646AE}C:\\program files\\tvants\\tvants.exe"= TCP:C:\program files\tvants\tvants.exe:TVAnts

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 18:31]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 18:32]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 15:47]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 16:39]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-11-06 10:29]
R3 qkbfiltr;Quanta Keyboard Filter Driver;C:\Windows\system32\DRIVERS\qkbfiltr.sys [2006-08-17 15:32]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 08:30]
S3 Netcom3;NetCom3 Service;C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe []
S3 wrssweep;Webroots Volume Access Driver;C:\Program Files\Webroot\Washer\wrssweep.sys [2007-11-26 15:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c59ee8f-f1bc-11dc-b561-806e6f6e6963}]
\shell\AutoRun\command - E:\RunMe.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 17:21:44
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-19 17:22:30
ComboFix-quarantined-files.txt 2008-04-19 16:22:21
ComboFix2.txt 2008-04-19 10:28:04

Pre-Run: 91,557,769,216 bytes free
Post-Run: 91,530,203,136 bytes free

315 --- E O F --- 2008-04-18 11:00:22