Old 12-03-2008, 11:12 PM   #7 (permalink)
Devon Millar
Member
 
Join Date: Dec 2008
Posts: 5

Here it is:

ComboFix 08-12-02.02 - Noxious Rain 2008-12-03 23:05:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.940 [GMT -5:00]
Running from: c:\documents and settings\Noxious Rain\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Noxious Rain\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\utimebopevube.dll
C:\yjvmtaa.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\utimebopevube.dll
C:\yjvmtaa.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-03 23:04 . 2008-12-03 23:08 3,162,278 --a------ c:\windows\{00000000-00000000-0000000B-00001102-00000004-00511102}.BAK
2008-12-03 22:24 . 2008-12-03 23:08 <DIR> d-------- c:\program files\Steam
2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\Malwarebytes
2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 18:56 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 18:56 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 08:06 . 2008-12-03 08:08 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\SolidWorks
2008-12-03 00:01 . 2008-12-03 18:52 <DIR> d-------- c:\program files\SpywareGuard
2008-12-02 23:56 . 2008-12-02 23:56 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-02 23:56 . 2008-12-02 23:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 23:48 . 2008-12-02 23:48 <DIR> d-------- c:\program files\Java
2008-12-02 23:48 . 2008-12-02 23:48 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-02 23:48 . 2008-12-02 23:48 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-02 23:39 . 2008-12-02 23:39 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 19:21 . 2008-12-02 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-02 18:19 . 2008-12-02 18:19 <DIR> d-------- c:\program files\Bonjour
2008-12-02 18:10 . 2008-12-02 18:10 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-02 18:04 . 2008-12-02 18:19 <DIR> d-------- c:\program files\Common Files\Adobe
2008-12-02 00:08 . 2008-12-02 00:08 <DIR> d-------- c:\program files\CCleaner
2008-12-02 00:06 . 2008-12-02 00:06 <DIR> d-------- c:\program files\AC3Filter
2008-12-02 00:06 . 2007-08-18 02:54 380,928 --a------ c:\windows\system32\ac3filter.acm
2008-12-02 00:05 . 2008-12-02 00:05 <DIR> d-------- c:\program files\XviD
2008-12-02 00:03 . 2008-12-02 00:03 <DIR> d-------- c:\program files\Illustrate
2008-12-02 00:03 . 2008-12-02 00:03 167,936 --a------ c:\windows\system32\SpoonUninstall.exe
2008-12-02 00:03 . 2008-12-02 00:03 27,958 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2008-12-02 00:03 . 2008-12-02 00:03 17,871 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2008-12-02 00:02 . 2008-12-03 23:07 <DIR> d-------- c:\program files\DNA
2008-12-02 00:02 . 2008-12-02 00:02 <DIR> d-------- c:\program files\BitTorrent
2008-12-02 00:02 . 2008-12-03 23:07 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DNA
2008-12-01 23:43 . 2008-12-01 23:43 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DWGeditor
2008-12-01 23:42 . 2008-12-01 23:42 <DIR> d-------- c:\program files\SolidWorks Installation Manager
2008-12-01 23:42 . 2008-12-01 23:42 <DIR> d-------- c:\program files\DWGeditor
2008-12-01 23:42 . 2008-12-01 23:42 0 --a------ c:\windows\eDrawingOfficeAutomator.INI
2008-12-01 23:41 . 2004-11-05 11:08 670,208 --a------ c:\windows\system32\drivers\hardlock.sys
2008-12-01 23:41 . 2008-12-01 23:41 23 --ah----- c:\windows\yacht.xws
2008-12-01 23:40 . 2008-12-01 23:42 <DIR> d-------- c:\program files\Common Files\eDrawings2007
2008-12-01 23:38 . 2008-12-01 23:38 <DIR> d-------- c:\windows\system32\GroupPolicy
2008-12-01 23:37 . 2008-12-02 00:00 <DIR> d-------- c:\program files\SolidWorks
2008-12-01 23:37 . 2008-12-01 23:58 <DIR> d-------- c:\program files\Common Files\SolidWorks Shared
2008-12-01 23:37 . 2008-12-01 23:37 <DIR> d-------- c:\program files\Common Files\Solidworks Data
2008-12-01 23:36 . 2008-12-01 23:36 <DIR> d-------- c:\program files\Windows Desktop Search
2008-12-01 23:36 . 2005-12-05 07:38 22,752 --a------ c:\windows\system32\spupdsvc.exe
2008-12-01 23:35 . 2008-12-01 23:35 42 --a------ c:\windows\trailer.xws
2008-12-01 22:51 . 2008-12-01 22:52 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DivX
2008-12-01 22:45 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-12-01 22:30 . 2008-12-01 22:30 <DIR> d-------- c:\program files\DivX
2008-12-01 22:26 . 2008-12-01 22:26 <DIR> d-------- c:\program files\PowerISO
2008-12-01 22:21 . 2008-12-01 22:21 <DIR> d-------- c:\windows\nview
2008-12-01 22:21 . 2008-12-01 22:21 <DIR> d-------- C:\NVIDIA
2008-12-01 22:21 . 2008-05-16 11:48 446,464 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-01 22:21 . 2008-05-16 14:01 446,464 --a------ c:\windows\system32\nvudisp.exe
2008-12-01 22:21 . 2008-12-03 23:07 186,097 --a------ c:\windows\system32\nvapps.xml
2008-12-01 22:21 . 2008-12-03 23:06 30,120 --a------ c:\windows\system32\BMXStateBkp-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:21 . 2008-12-03 23:06 30,120 --a------ c:\windows\system32\BMXState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:21 . 2008-12-03 23:06 27,408 --a------ c:\windows\system32\BMXCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:21 . 2008-12-03 23:06 27,408 --a------ c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:21 . 2008-05-16 14:01 18,070 --a------ c:\windows\system32\nvdisp.nvu
2008-12-01 22:21 . 2008-12-03 23:06 11,564 --a------ c:\windows\system32\DVCState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:19 . 2008-12-01 22:22 <DIR> d-------- c:\windows\system32\Defaults
2008-12-01 22:19 . 2008-12-01 22:19 <DIR> d-------- c:\program files\Creative
2008-12-01 22:19 . 2000-12-05 09:11 4,174,814 --------- c:\windows\system32\CT4MGM.SF2
2008-12-01 22:19 . 2008-12-03 23:08 3,162,278 --a------ c:\windows\{00000000-00000000-0000000B-00001102-00000004-00511102}.CDF
2008-12-01 22:19 . 2008-04-14 00:47 83,072 --a------ c:\windows\system32\drivers\wdmaud.sys
2008-12-01 22:19 . 2008-04-14 00:47 83,072 --a--c--- c:\windows\system32\dllcache\wdmaud.sys
2008-12-01 22:19 . 2008-04-14 00:15 52,864 --a------ c:\windows\system32\drivers\DMusic.sys
2008-12-01 22:19 . 2008-04-14 00:15 52,864 --a--c--- c:\windows\system32\dllcache\dmusic.sys
2008-12-01 22:19 . 2008-04-14 00:15 10,624 --a------ c:\windows\system32\drivers\gameenum.sys
2008-12-01 22:19 . 2008-04-14 00:15 10,624 --a--c--- c:\windows\system32\dllcache\gameenum.sys
2008-12-01 22:19 . 2008-04-14 00:15 6,272 --a------ c:\windows\system32\drivers\splitter.sys
2008-12-01 22:19 . 2008-04-14 00:15 6,272 --a--c--- c:\windows\system32\dllcache\splitter.sys
2008-12-01 22:18 . 2008-12-01 22:18 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\Creative
2008-12-01 22:17 . 2008-12-01 22:18 <DIR> d-------- c:\windows\system32\Data
2008-12-01 22:17 . 2008-12-03 19:32 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-12-01 22:17 . 2008-12-01 22:17 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-12-01 22:16 . 2008-12-01 22:16 <DIR> d-------- C:\ubuntu
2008-12-01 22:06 . 2008-12-01 22:06 <DIR> d-------- c:\program files\Avira
2008-12-01 22:06 . 2008-12-01 22:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-01 22:03 . 2008-12-01 22:03 0 --a------ c:\windows\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 03:18 444,952 ----a-w c:\windows\system32\wrap_oal.dll
2008-12-02 03:18 109,080 ----a-w c:\windows\system32\OpenAL32.dll
2008-12-02 02:52 --------- d-----w c:\program files\microsoft frontpage
2008-11-02 08:44 56,572 ----a-w c:\windows\system32\drivers\scdemu.sys
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:57 129,784 ------w c:\windows\system32\pxafs.dll
2008-09-19 21:57 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-09-19 21:57 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-03_19.20.59.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-04 03:24:27 27,648 ----a-r c:\windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C91.exe
+ 2008-09-15 18:22:00 59,719 ----a-w c:\windows\LastGood.Tmp\system32\Macromed\Download\Install.exe
+ 2008-10-05 03:16:26 235,936 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10a.exe
+ 2008-12-04 03:29:43 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-02 342336]
"Steam"="c:\program files\Steam\Steam.exe" [2008-12-03 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Noxious Rain\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [3/26/2006 10:44:08 PM 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [6/27/2008 7:21:18 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [6/27/2008 7:21:26 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [6/27/2008 7:21:38 PM 566296]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [6/27/2008 7:21:18 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [6/27/2008 7:21:26 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [6/27/2008 7:21:44 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [6/27/2008 7:21:44 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [6/27/2008 7:21:38 PM 566296]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Efahulo - c:\windows\utimebopevube.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 23:07:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-03 23:09:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-04 04:09:56
ComboFix2.txt 2008-12-04 00:21:38

Pre-Run: 84,745,641,984 bytes free
Post-Run: 84,838,404,096 bytes free
