ComboFix Log
ComboFix 11-07-09.02 - DucMeLaVang1 07/09/2011 13:04:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1113 [GMT -5:00]
Running from: c:\documents and settings\DucMeLaVang1\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\DucMeLaVang1\WINDOWS
c:\documents and settings\Guest\Application Data\AdVantage
c:\documents and settings\Guest\Application Data\advantage\AdVantage.exe
c:\windows\system32\$winnt$.inf
c:\windows\system32\_000013_.tmp.dll
c:\windows\system32\1509816429
c:\windows\system32\1509816429\frt0.rar
c:\windows\system32\1509816429\frt0.rar.ver
c:\windows\system32\1509816429\frt1.rar
c:\windows\system32\1509816429\frt1.rar.ver
c:\windows\system32\1509816429\frt2.rar
c:\windows\system32\1509816429\frt2.rar.ver
c:\windows\system32\1509816429\frt3.rar
c:\windows\system32\1509816429\frt3.rar.ver
c:\windows\system32\1509816429\frt4.rar
c:\windows\system32\1509816429\frt4.rar.ver
c:\windows\system32\1509816429\frt5.rar
c:\windows\system32\1509816429\frt5.rar.ver
c:\windows\system32\1509816429\frt6.rar
c:\windows\system32\1509816429\frt6.rar.ver
c:\windows\system32\1509816429\frt7.rar
c:\windows\system32\1509816429\frt7.rar.ver
c:\windows\system32\1592885943
c:\windows\system32\448120563
c:\windows\system32\448120563\new.i0.kwd
c:\windows\system32\448120563\new.i1.kwd
c:\windows\system32\448120563\new.i10.kwd
c:\windows\system32\448120563\new.i11.kwd
c:\windows\system32\448120563\new.i12.kwd
c:\windows\system32\448120563\new.i13.kwd
c:\windows\system32\448120563\new.i14.kwd
c:\windows\system32\448120563\new.i15.kwd
c:\windows\system32\448120563\new.i2.kwd
c:\windows\system32\448120563\new.i3.kwd
c:\windows\system32\448120563\new.i4.kwd
c:\windows\system32\448120563\new.i5.kwd
c:\windows\system32\448120563\new.i6.kwd
c:\windows\system32\448120563\new.i7.kwd
c:\windows\system32\448120563\new.i8.kwd
c:\windows\system32\448120563\new.i9.kwd
c:\windows\system32\924857355
c:\windows\system32\924857355\frt0.rar
c:\windows\system32\924857355\frt0.rar.ver
c:\windows\system32\924857355\frt1.rar
c:\windows\system32\924857355\frt1.rar.ver
c:\windows\system32\924857355\frt10.rar
c:\windows\system32\924857355\frt10.rar.ver
c:\windows\system32\924857355\frt11.rar
c:\windows\system32\924857355\frt11.rar.ver
c:\windows\system32\924857355\frt12.rar
c:\windows\system32\924857355\frt12.rar.ver
c:\windows\system32\924857355\frt13.rar
c:\windows\system32\924857355\frt13.rar.ver
c:\windows\system32\924857355\frt14.rar
c:\windows\system32\924857355\frt14.rar.ver
c:\windows\system32\924857355\frt15.rar
c:\windows\system32\924857355\frt15.rar.ver
c:\windows\system32\924857355\frt2.rar
c:\windows\system32\924857355\frt2.rar.ver
c:\windows\system32\924857355\frt3.rar
c:\windows\system32\924857355\frt3.rar.ver
c:\windows\system32\924857355\frt4.rar
c:\windows\system32\924857355\frt4.rar.ver
c:\windows\system32\924857355\frt5.rar
c:\windows\system32\924857355\frt5.rar.ver
c:\windows\system32\924857355\frt6.rar
c:\windows\system32\924857355\frt6.rar.ver
c:\windows\system32\924857355\frt7.rar
c:\windows\system32\924857355\frt7.rar.ver
c:\windows\system32\924857355\frt8.rar
c:\windows\system32\924857355\frt8.rar.ver
c:\windows\system32\924857355\frt9.rar
c:\windows\system32\924857355\frt9.rar.ver
c:\windows\vb.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
.
.
2011-07-06 00:12 . 2007-05-10 15:23 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2011-07-06 00:12 . 2007-05-10 15:22 405504 ----a-w- c:\windows\stsystra.exe
2011-07-06 00:12 . 2007-04-10 22:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2011-07-05 23:57 . 2011-07-05 23:57 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Help
2011-07-05 05:56 . 2011-07-05 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-05 02:05 . 2011-07-05 02:05 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
2011-07-05 02:05 . 2011-07-05 02:05 -------- d-----w- c:\windows\system32\NtmsData
2011-07-05 00:21 . 2011-07-05 00:21 145408 --sha-r- c:\windows\system32\msswchxf.dll
2011-06-25 16:52 . 2011-06-25 16:52 213504 ----a-w- c:\windows\system32\mtxparhd32.exe
2011-06-25 04:56 . 2011-06-25 04:56 -------- d-----w- c:\program files\Common Files\xing shared
2011-06-25 04:56 . 2011-06-25 04:56 -------- d-----w- c:\program files\Real
2011-06-24 23:56 . 2011-06-25 00:21 -------- d-----w- c:\program files\Object
2011-06-23 08:54 . 2011-06-23 08:54 213504 ----a-w- c:\windows\system32\mydocs32.exe
2011-06-23 05:07 . 2011-06-23 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2011-06-23 04:53 . 2011-06-23 04:53 0 ---ha-w- c:\documents and settings\DucMeLaVang1\nyqsdjspie.tmp
2011-06-23 04:52 . 2011-06-23 04:52 203776 --sh--w- c:\windows\system32\unrar.exe
2011-06-23 04:52 . 2011-07-05 05:50 -------- d-sh--w- c:\windows\system32\FE9BB8E90C5A2CB441A11D3379094FBF
2011-06-23 04:52 . 2011-06-23 04:52 -------- d-----w- c:\documents and settings\DucMeLaVang1\Application Data\Apple Computer
2011-06-23 04:52 . 2011-06-23 04:52 256512 ----a-w- c:\windows\system32\napipsec32.dll
2011-06-23 04:52 . 2011-06-23 04:52 1416192 ----a-w- c:\windows\system32\tcpmonui32.exe
2011-06-23 04:52 . 2011-06-23 04:52 213504 ----a-w- c:\windows\system32\napipsec32.exe
2011-06-23 04:48 . 2011-06-23 04:48 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Apple
2011-06-23 04:47 . 2011-06-23 04:47 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Apple Computer
2011-06-23 00:57 . 2011-06-23 05:15 -------- d-----w- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\OpenCandy
2011-06-22 03:59 . 2011-06-22 03:59 -------- d-----w- c:\documents and settings\Guest\Application Data\DivX
2011-06-20 06:09 . 2011-06-20 06:09 -------- d-----w- c:\program files\Common Files\Java
2011-06-20 06:09 . 2011-06-20 06:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-18 18:33 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-06-18 18:33 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-06-16 12:37 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-11 10:10 . 2011-06-11 10:10 -------- d-----w- c:\documents and settings\DucMeLaVang1\Application Data\MSNInstaller
2011-06-11 08:20 . 2011-06-11 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-25 04:56 . 2003-02-21 09:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-06-25 04:56 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-06-20 06:09 . 2011-05-07 18:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-02 15:31 . 2008-09-15 19:10 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 10:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2004-08-04 10:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2004-08-04 10:00 389120 ----a-w- c:\windows\system32\html.iec
2011-04-25 06:12 . 2011-04-25 06:12 12920 ----a-w- c:\windows\system32\apl001.sys
2011-04-25 06:12 . 2011-04-25 06:12 10872 ----a-w- c:\windows\system32\apf001.sys
2011-04-21 13:37 . 2004-08-04 10:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-06-25 273544]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\napipsec32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\UniServer\\usr\\local\\apache2\\bin\\Apache.exe"=
"c:\\UniServer\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58600:TCP"= 58600:TCP
Pando Media Booster
"58600:UDP"= 58600:UDP
Pando Media Booster
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/5/2011 3:27 PM 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/5/2011 3:27 PM 22712]
S3 apf001;apf001;c:\windows\system32\apf001.sys [4/25/2011 1:12 AM 10872]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/5/2011 3:27 PM 39984]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IDSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1958367476-682003330-1005Core.job
- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-17 00:26]
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1958367476-682003330-1005UA.job
- c:\documents and settings\DucMeLaVang1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-17 00:26]
.
2011-07-09 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1958367476-682003330-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-07-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1958367476-682003330-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z059&partner_id=308&product_id=435&affiliate_id=&channel=rjacs&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110624&user_guid=B9D274B9D81A47C198479BA86D91E41D&machine_id=54a235e916238eafc680cafc65332329&browser=IE&os=win&os_version=5.1-x86-SP3
mStart Page = hxxp://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{021B3F33-F1B7-438F-BB69-284DD7D2080b} - c:\windows\system32\atipdlxx32.dll
BHO-{ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\Vuze_Remote\prxtbVuze.dll
Toolbar-{ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\Vuze_Remote\prxtbVuze.dll
HKCU-Run-limewire plus+ - c:\program files\Limewire Plus+\limewire.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2011-07-09 13:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\05\04\0c\10\08\06?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-07-09 13:11:25
ComboFix-quarantined-files.txt 2011-07-09 18:11
.
Pre-Run: 96,801,333,248 bytes free
Post-Run: 101,304,414,208 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 79189BF18551F70F1BDF670813701D26