ComboFix 09-04-04.01 - -Bajt 2009-04-10 17:56:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2585 [GMT 2:00]
Running from: c:\documents and settings\-Bajt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\-Bajt\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\1ogf.exe
C:\autorun.inf.vir
c:\windows\system32\drivers\qkhjpn.sys
c:\windows\system32\olhrwef.exe.vir
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\1ogf.exe
C:\autorun.inf.vir
c:\windows\system32\olhrwef.exe.vir
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ABP470N5
-------\Service_abp470n5
((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.
2009-04-10 14:59 . 2009-04-10 14:59 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> dr------- c:\program files\Skype
2009-04-10 14:58 . 2009-04-10 15:01 <DIR> d-------- c:\program files\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> d-------- c:\program files\Common Files\Skype
2009-04-10 14:58 . 2009-04-10 16:04 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\skypePM
2009-04-10 14:58 . 2009-04-10 17:54 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Skype
2009-04-10 14:58 . 2009-04-10 14:58 48 --ah----- c:\windows\system32\ezsidmv.dat
2009-04-10 14:57 . 2009-04-10 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-04-10 14:51 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-04-10 14:36 . 2009-04-10 14:36 69 --a------ c:\windows\NeroDigital.ini
2009-04-10 11:36 . 2009-04-10 11:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\TrojanHunter
2009-04-10 10:55 . 2009-04-10 10:55 <DIR> d--h----- c:\windows\PIF
2009-04-10 10:55 . 2009-04-10 11:55 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-04-10 10:33 . 2009-04-10 10:52 <DIR> d-------- c:\program files\Anti Trojan Elite
2009-04-10 10:17 . 2009-04-10 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 10:16 . 2009-04-10 10:16 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Simply Super Software
2009-04-09 23:43 . 2009-04-09 23:43 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Malwarebytes
2009-04-09 23:13 . 2009-04-09 23:13 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Macromedia
2009-04-09 23:13 . 2009-04-09 23:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Adobe
2009-04-09 23:10 . 2009-04-09 23:10 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\BSplayer PRO
2009-04-09 23:09 . 2009-04-09 23:09 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Ahead
2009-04-09 23:06 . 2009-04-09 23:06 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Opera
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 07:19 --------- d-----w c:\program files\Enigma Software Group
2009-04-09 21:43 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 21:32 --------- d-----w c:\program files\Common Files\Adobe
2009-04-09 21:31 --------- d-----w c:\program files\Adobe Media Player
2009-04-09 21:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-09 21:28 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-09 21:10 --------- d-----w c:\program files\Webteh
2009-04-09 21:10 --------- d-----w c:\program files\QuickTime
2009-04-09 21:10 --------- d-----w c:\program files\Apple Software Update
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-09 21:09 --------- d-----w c:\program files\K-Lite Codec Pack
2009-04-09 21:09 --------- d-----w c:\program files\Common Files\Ahead
2009-04-09 21:08 --------- d-----w c:\program files\Nero
2009-04-09 21:06 --------- d-----w c:\program files\Opera
2009-04-09 21:05 --------- d-----w c:\program files\Winamp
2009-04-09 20:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-09 20:35 --------- d-----w c:\program files\microsoft frontpage
2009-04-06 13:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-10_12.03.31.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-10 12:58:04 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
+ 2004-08-03 21:08:48 26,496 ----a-w c:\windows\system32\drivers\USBSTOR.SYS
+ 2009-04-10 15:58:40 16,384 ----atw c:\windows\temp\Perflib_Perfdata_56c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SW20"="c:\windows\system32\sw20.exe" [2009-01-02 389120]
"SW24"="c:\windows\system32\sw24.exe" [2009-01-02 139264]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 364544]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\WINDOWS\\system32\\sw20.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ABP470N5
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5166c978-25ce-11de-91c9-0013d311484b}]
\Shell\AutOPlAy\CommanD - N:\wjtexs.exe
\Shell\AutoRun\command - N:\wjtexs.exe
\Shell\expLore\COmMand - N:\wjtexs.exe
\Shell\OpEN\COmmand - N:\wjtexs.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.enigmasoftware.a013.com/congratulation_spyhunter_scanner.php
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-10 17:58:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2009-04-10 18:00:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 16:00:02
ComboFix2.txt 2009-04-10 10:04:03
Pre-Run: 40,166,346,752 bytes free
Post-Run: 40,059,277,312 bytes free