ComboFix 09-04-17.01 - USER 04/17/2009 23:27.1 -
FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1256.966.1033.18.191.74 [GMT 3:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\USER\Application Data\tazebama
c:\documents and settings\USER\Application Data\tazebama\tazebama.log
c:\windows\admintxt.txt
c:\windows\IE4 Error Log.txt
c:\windows\system32\setting.ini
c:\windows\Temp\scsE.tmp
c:\windows\Temp\scsF.tmp
.
((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.
2009-04-16 19:49 . 2009-04-16 19:49 -------- d-----w C:\كومبوكس
2009-04-16 11:49 . 2009-04-16 11:49 -------- d-sh--w C:\FOUND.047
2009-04-11 13:18 . 2009-04-11 13:18 -------- d-----w c:\documents and settings\USER\Application Data\Malwarebytes
2009-04-11 13:18 . 2009-04-06 12:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-11 13:18 . 2009-04-06 12:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 13:18 . 2009-04-11 13:18 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 16:38 . 2009-04-09 16:38 -------- d-----w c:\windows\BDOSCAN8
2009-04-08 22:00 . 2009-04-16 19:59 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-08 22:00 . 2009-04-16 19:59 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-08 22:00 . 2008-07-08 11:54 148496 ----a-w c:\windows\system32\drivers\45901112.sys
2009-03-19 14:21 . 2009-03-19 14:21 -------- d-----w c:\documents and settings\USER\Application Data\MiniDm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 13:18 . 2009-04-11 13:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-21 14:18 . 2002-12-31 12:00 986112 ----a-w c:\windows\system32\dllcache\kernel32.dll
2009-03-14 05:03 . 2009-03-14 05:03 -------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-03-10 10:05 . 2009-03-10 10:05 -------- d-----w c:\program files\4 cool
2009-03-10 10:03 . 2009-03-10 10:03 -------- d-----w c:\program files\Circle Developement
2009-03-10 10:03 . 2009-03-10 10:02 -------- d-----w c:\program files\Messenger Plus! Live
2009-03-06 14:44 . 2002-12-31 09:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-06 14:44 . 2002-12-31 09:00 283648 ----a-w c:\windows\system32\dllcache\pdh.dll
2009-03-02 23:52 . 2002-12-31 12:00 1495552 ----a-w c:\windows\system32\dllcache\shdocvw.dll
2009-02-19 09:58 . 2006-07-13 19:44 18432 ----a-w c:\windows\system32\dllcache\iedw.exe
2009-02-09 10:20 . 2006-07-13 19:43 473088 ----a-w c:\windows\system32\dllcache\fastprox.dll
2009-02-09 10:20 . 2002-12-31 12:00 723456 ----a-w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:20 . 2002-12-31 12:00 714752 ----a-w c:\windows\system32\dllcache\ntdll.dll
2009-02-09 10:20 . 2002-12-31 12:00 616960 ----a-w c:\windows\system32\dllcache\advapi32.dll
2009-02-09 10:20 . 2002-12-31 12:00 399360 ----a-w c:\windows\system32\dllcache\rpcss.dll
2009-02-09 10:20 . 2002-12-31 09:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2002-12-31 09:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2002-12-31 09:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:20 . 2002-12-31 09:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2006-07-13 19:43 453120 ----a-w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2002-12-31 12:00 1846272 ----a-w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2002-12-31 09:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2008-05-26 18:09 2180480 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 17:22 . 2008-05-26 18:09 2136064 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 17:22 . 2002-12-31 09:00 2136064 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2002-12-31 12:00 110592 ----a-w c:\windows\system32\dllcache\services.exe
2009-02-06 17:14 . 2002-12-31 09:00 110592 ------w c:\windows\system32\services.exe
2009-02-06 16:54 . 2002-12-31 09:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:54 . 2002-12-31 09:00 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-02-06 16:49 . 2008-05-26 18:09 2015744 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 16:49 . 2008-05-26 18:09 2057728 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 16:49 . 2004-08-03 19:59 2015744 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 16:39 . 2006-07-13 19:43 227840 ----a-w c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 20:08 . 2002-12-31 12:00 55808 ----a-w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 2002-12-31 09:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-10-11 09:50 . 2006-07-13 19:56 95216 ----a-w c:\documents and settings\USER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot0.dll" [2009-04-04 1883672]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
2009-04-04 09:01 1883672 ----a-w c:\program files\Hotspot_Shield\tbHot0.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-03-07 19:02 204248 ----a-w c:\program files\Hotspot Shield\hssie\HssIE.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot0.dll" [2009-04-04 1883672]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{C95A4E8E-816D-4655-8C79-D736DA1ADB6D}"= "c:\program files\Hotspot_Shield\tbHot0.dll" [2009-04-04 1883672]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"VTBPanel"="c:\program files\Virtual Teacher Screensaver\VTBackgroundPanel.exe" [2006-12-17 193024]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-29 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2004-10-11 589824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2008-05-02 151552]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\ar-xa\msnappau.exe" [2004-08-13 14:41 86016]
"EPSON Stylus C45 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-14 99840]
"EPSON Stylus C45 Series (نسخ 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-14 99840]
"PowerDVD"="c:\program files\CyberLink\PowerDVD\PowerDVD.exe" [2008-05-01 499712]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-26 185896]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-09 29744]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-05-27 49152]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2004-06-07 143360]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2008-8-29 11704832]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\trueplay.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
R3 autorun;autorun;C:\huadio.tmp [2006-07-13 5789]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-09 29744]
R3 SetupNTGLM7X;SetupNTGLM7X; [x]
S1 is-ARR5Pdrv;is-ARR5Pdrv;c:\windows\system32\DRIVERS\45901112.sys [2008-07-08 148496]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]
S2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [2009-02-05 117208]
S2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2008-12-04 226640]
S3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\DRIVERS\HssDrv.sys [2009-02-05 31704]
--- Other Services/Drivers In Memory ---
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - fssfltr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HotspotShieldService
*Deregistered* - HssDrv
*Deregistered* - HssSrv
*Deregistered* - HTTP
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - is-ARR5Pdrv
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - McDetect.exe
*Deregistered* - McShield
*Deregistered* - McTskshd.exe
*Deregistered* - MDM
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NaiAvFilter1
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Null
*Deregistered* - NWCWorkstation
*Deregistered* - NwlnkIpx
*Deregistered* - NwlnkNb
*Deregistered* - NwlnkSpx
*Deregistered* - NWRDR
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - SeaPort
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SetupNT
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - tapvpn
*Deregistered* - Tcpip
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c05afd7a-4db3-11dd-8472-00115bf48022}]
\Shell\AutoRun\command - F:\6x8be16.cmd
\Shell\explore\Command - F:\6x8be16.cmd
\Shell\open\Command - F:\6x8be16.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdec3d96-1195-11dd-83e2-00115bf48022}]
\Shell\AutoRun\command - F:\zPharaoh.exe
\Shell\explore\command - F:\zPharaoh.exe
\Shell\open\command - F:\zPharaoh.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-DownloadJoy - c:\docume~1\USER\APPLIC~1\4COOL~1\Bib Dupe Book.exe
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.sa/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dll
TCP: {F9047C01-48B7-4BC6-AD1A-D4B08E296BE3} = 10.9.144.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\93ovd7b1.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-04-18 11:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]
"ImagePath"="\??\C:\huadio.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2720)
c:\progra~1\mcafee.com\vso\McVSSkt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\MCAFEE.COM\AGENT\MCDETECT.EXE
c:\program files\MCAFEE.COM\VSO\MCSHIELD.EXE
c:\progra~1\mcafee.com\agent\mctskshd.exe
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\progra~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-18 12:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 09:09
Pre-Run: 7,474,397,184 bytes free
Post-Run: 9,674,866,688 bytes free
318 --- E O F --- 2009-04-16 11:25