ComboFix 11-02-06.02 - HP_Administrator 02/07/2011 12:08:16.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1604 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-01-07 to 2011-02-07 )))))))))))))))))))))))))))))))
.
2011-02-07 13:49 . 2011-01-08 03:27 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-02-07 13:49 . 2011-01-08 03:27 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-02-07 13:39 . 2011-02-07 13:39 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Temp
2011-02-07 04:32 . 2011-02-07 16:32 -------- d-----w- c:\program files\World of Warcraft
2011-02-04 02:44 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-02-04 02:44 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-08 12:03 . 2011-01-08 12:03 388096 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-08 03:27 . 2010-08-13 21:53 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-01-08 03:27 . 2010-08-13 21:53 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-01-08 03:27 . 2009-08-06 14:50 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-01-08 03:27 . 2009-08-06 14:50 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-01-08 03:27 . 2009-08-06 14:50 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-01-08 03:27 . 2009-08-06 14:50 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-01-08 03:27 . 2009-08-06 14:50 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-01-08 03:27 . 2009-02-18 18:44 9888672 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-01-08 03:27 . 2009-02-18 18:44 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-01-08 00:56 . 2011-01-08 00:56 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-01-08 00:56 . 2011-01-08 00:56 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-08 00:56 . 2011-01-08 00:56 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-01-08 00:56 . 2011-01-08 00:56 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2011-01-08 00:56 . 2011-01-08 00:56 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-01-08 00:56 . 2011-01-08 00:56 13880424 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-08 00:56 . 2011-01-08 00:56 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-01-04 02:57 . 2011-01-04 02:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-04 02:57 . 2010-07-07 19:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-01 23:57 . 2011-01-01 23:57 0 ----a-w- c:\windows\system32\drivers\sst3A3.tmp
2010-12-29 07:04 . 2010-10-17 18:24 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-20 23:09 . 2009-04-30 20:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2009-04-30 20:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-23 04:00 . 2010-10-17 18:24 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-18 18:12 . 2004-08-09 21:00 81920 ----a-w- c:\windows\system32\isign32.dll
2004-08-09 21:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2004-07-30 07:04 1216 -csh--w- c:\windows\Twunk_16.dll
2004-07-30 07:04 1216 -csh--w- c:\windows\Twunk_32.dll
2010-09-18 06:53 974848 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/17/2010 1:24 PM 135336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/9/2004 4:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qn66q4k4.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
AddRemove-World of Warcraft - c:\program files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-07 12:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2008933920-3975109779-3429850926-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\WINSPOOL.DRV
.
Completion time: 2011-02-07 12:15:41
ComboFix-quarantined-files.txt 2011-02-07 17:15
ComboFix2.txt 2011-01-06 02:14
Pre-Run: 195,643,830,272 bytes free
Post-Run: 195,670,708,224 bytes free
- - End Of File - - 0F0F32635A4397E72CDEFBD114ECF9AD