ajv717
Re: Windows Vista, AVG I-Worm/Nuwar.U
#10 - Jul 26th, 2008
OK, here is the ComboFix log and HJT log.

ComboFix 08-07-24.3 - AnthonynBre 2008-07-25 20:53:03.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1264 [GMT -7:00]
Running from: C:\Users\AnthonynBre\Desktop\ComboFix.exe
Command switches used :: C:\Users\AnthonynBre\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\ProgramData\hchefwvk
C:\ProgramData\hchefwvk\rutonsfy.exe
C:\Users\All Users\hchefwvk
C:\Users\All Users\hchefwvk\rutonsfy.exe
C:\Windows\System32\afkzcjwf.exe
C:\Windows\System32\uryxmnyd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\hchefwvk\rutonsfy.exe
C:\Users\All Users\hchefwvk\rutonsfy.exe
C:\Windows\System32\afkzcjwf.exe
C:\Windows\System32\uryxmnyd.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 18:55 . 2008-07-25 18:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-25 18:29 . 2008-07-25 18:29 <DIR> d-------- C:\Program Files\zupvbse
2008-07-25 18:29 . 2008-07-25 18:29 110,080 --a------ C:\Windows\System32\slazkxax.exe
2008-07-25 18:29 . 2008-07-25 18:29 102,400 --a------ C:\Windows\System32\spixgpsx.exe
2008-07-24 17:44 . 2008-07-24 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-24 17:43 . 2008-07-24 17:43 <DIR> d-------- C:\Deckard
2008-07-24 16:55 . 2008-07-24 17:32 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-07-24 14:34 . 2008-07-24 14:34 <DIR> d-------- C:\Program Files\fnbyyff
2008-07-24 11:51 . 2008-07-24 11:51 <DIR> d-------- C:\Users\AnthonynBre\AppData\Roaming\Malwarebytes
2008-07-24 11:51 . 2008-07-24 11:51 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-24 11:51 . 2008-07-24 11:51 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-24 11:51 . 2008-07-24 11:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 11:51 . 2008-07-23 20:09 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-07-24 11:51 . 2008-07-23 20:09 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-24 11:21 . 2008-07-24 11:21 0 --ah----- C:\Windows\.security
2008-07-24 11:21 . 2008-07-24 11:21 0 --ah----- C:\.security
2008-07-24 09:54 . 2008-07-25 20:53 <DIR> d-------- C:\Users\All Users\hchefwvk
2008-07-24 09:54 . 2008-07-25 20:53 <DIR> d-------- C:\ProgramData\hchefwvk
2008-07-24 09:54 . 2008-07-24 09:54 <DIR> d-------- C:\Program Files\ouemijb
2008-07-24 09:54 . 2008-07-24 17:45 <DIR> dr-h----- C:\$VAULT$.AVG
2008-07-22 08:18 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-07-22 08:18 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-07-22 08:18 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-07-22 08:18 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-07-22 08:18 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-07-22 08:18 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-07-19 21:59 . 2008-07-19 21:59 <DIR> d-------- C:\Users\AnthonynBre\AppData\Roaming\iWin
2008-07-19 21:59 . 2008-07-19 22:02 <DIR> d-------- C:\My Games
2008-07-19 21:58 . 2008-07-19 22:03 <DIR> d-------- C:\Users\Public\RealArcade
2008-07-17 11:54 . 2008-07-17 11:54 <DIR> d-------- C:\Program Files\iTunes
2008-07-17 11:54 . 2008-07-17 11:54 <DIR> d-------- C:\Program Files\iPod
2008-07-17 11:53 . 2008-07-17 11:53 <DIR> d-------- C:\Program Files\QuickTime
2008-07-16 22:21 . 2008-07-16 22:21 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-07-15 09:52 . 2008-07-15 09:52 <DIR> d-------- C:\Windows\System32\AGEIA
2008-07-15 09:52 . 2008-07-22 07:11 <DIR> d-------- C:\Users\All Users\THQ
2008-07-15 09:52 . 2008-07-22 07:11 <DIR> d-------- C:\ProgramData\THQ
2008-07-15 09:52 . 2008-07-15 09:52 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-07-12 23:38 . 2008-07-12 23:41 <DIR> d-------- C:\Users\AnthonynBre\AppData\Roaming\Ventrilo
2008-07-12 23:35 . 2008-07-12 23:35 <DIR> d-------- C:\Program Files\Ventrilo
2008-07-12 23:34 . 2008-07-15 09:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 11:23 . 2008-06-25 18:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-10 11:22 . 2008-06-25 18:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-10 11:22 . 2008-06-25 20:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-10 09:35 . 2008-07-10 09:35 32,000 --a------ C:\Windows\System32\drivers\usbaapl.sys
2008-07-09 22:02 . 2008-07-09 22:02 <DIR> d-------- C:\Users\AnthonynBre\AppData\Roaming\Thunderbird
2008-07-08 06:54 . 2008-07-08 06:54 <DIR> d-------- C:\Users\All Users\NexonUS
2008-07-08 06:54 . 2008-07-08 06:54 <DIR> d-------- C:\ProgramData\NexonUS
2008-07-01 06:41 . 2008-07-01 06:41 <DIR> d-------- C:\Program Files\Xvid
2008-07-01 06:41 . 2007-06-28 18:52 765,952 --a------ C:\Windows\System32\xvidcore.dll
2008-07-01 06:41 . 2007-06-28 18:54 180,224 --a------ C:\Windows\System32\xvidvfw.dll
2008-07-01 06:41 . 2007-06-28 18:55 77,824 --a------ C:\Windows\System32\xvid.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 01:57 --------- d-----w C:\Program Files\Java
2008-07-24 21:02 --------- d-----w C:\Users\AnthonynBre\AppData\Roaming\LimeWire
2008-07-24 17:44 --------- d-----w C:\Users\AnthonynBre\AppData\Roaming\AVG7
2008-07-22 15:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-22 14:14 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-22 14:14 --------- d-----w C:\Program Files\Microsoft Works
2008-07-15 16:42 --------- d-----w C:\Users\AnthonynBre\AppData\Roaming\IGN_DLM
2008-07-09 04:56 --------- d-----w C:\Program Files\Windows Mail
2008-06-24 14:33 --------- d-----w C:\Program Files\LimeWire
2008-05-31 01:30 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-05-31 01:29 107,832 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-05-10 03:35 885,248 ----a-w C:\Windows\System32\RacEngn.dll
2008-05-10 03:35 564,736 ----a-w C:\Windows\System32\emdmgmt.dll
2008-05-08 21:59 90,112 ----a-w C:\Windows\System32\wshext.dll
2008-05-08 21:59 430,080 ----a-w C:\Windows\System32\vbscript.dll
2008-05-08 21:59 180,224 ----a-w C:\Windows\System32\scrobj.dll
2008-05-08 21:59 172,032 ----a-w C:\Windows\System32\scrrun.dll
2008-05-08 21:59 155,648 ----a-w C:\Windows\System32\wscript.exe
2008-05-08 21:58 135,168 ----a-w C:\Windows\System32\cscript.exe
2008-05-02 13:20 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2008-05-02 13:20 22,328 ----a-w C:\Users\AnthonynBre\AppData\Roaming\PnkBstrK.sys
2008-05-02 13:19 674,600 ----a-w C:\Windows\System32\pbsvc[1].exe
2008-05-01 00:27 442,368 ----a-w C:\Windows\System32\nvuninst.exe
2008-04-26 08:25 3,600,952 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-04-26 08:25 3,549,240 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-26 01:33 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-04-03 23:06 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-07-25_ 8.10.50.58 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-24 23:24:24 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-26 03:55:48 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-07-24 21:35:39 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-26 03:55:48 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-07-25 04:53:19 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-26 00:35:13 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-25 04:53:19 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-26 00:35:13 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-25 04:53:19 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-26 00:35:13 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-24 21:38:47 105,678 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-07-25 15:17:09 105,678 ----a-w C:\Windows\System32\perfc009.dat
- 2008-07-24 21:38:47 606,678 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-07-25 15:17:09 606,678 ----a-w C:\Windows\System32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 00:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 00:33 125952]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57 1103480]
"apidschlp"="C:\Windows\system32\spixgpsx.exe" [2008-07-25 18:29 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMMediaSharing"="C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2007-06-21 18:33 204908]
"Acer Product Registration"="C:\Program Files\Acer Registration\ACE1.exe" [2007-10-15 13:43 3387392]
"Acer Assist Launcher"="C:\Program Files\Acer Assist\launcher.exe" [2007-02-02 11:05 1261568]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Airlink101 Airlink101 WLAN Monitor"="C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2007-06-18 14:30 1925120]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 09:45 579584]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-02 22:46 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-20 01:56 4493312 C:\Windows\RtHDVCpl.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 02:17 55824 C:\Windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-12 22:45 219136]

C:\Users\AnthonynBre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
.security [2008-07-24 11:21:49 0]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
.security [2008-07-24 11:21:49 0]
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [2007-09-13 20:38:32 535336]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-03 08:45:32 789008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AppProcSmart"= {4E800BDB-20B3-CCEF-1113-0308D0C0D147} - C:\Program Files\ouemijb\AppProcSmart.dll [2008-07-24 09:54 102400]
"DscSmartSrv"= {2C7E9ED3-A813-A590-2961-0B86E0202A4B} - C:\Program Files\fnbyyff\DscSmartSrv.dll [2008-07-24 14:34 114688]
"mondb"= {17B5CD4E-CD0D-5403-AF46-02F3B765F285} - C:\Program Files\zupvbse\mondb.dll [2008-07-25 18:29 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-04-12 22:45 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\ACERAR~1\ACERVI~1\Kernel\Burner\MKDMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{19E90D49-E626-40AC-8CC0-B24D5344399A}"= C:\Program Files\Acer Arcade Live\Acer Arcade Live Main Page\Acer Arcade Live.exe:Acer Arcade Live
"{96734FEA-FF44-4EF2-960F-6A020D237C80}"= C:\Program Files\Acer Arcade Live\Acer DV Magician\Acer DV Magician.exe:Acer DV Magician
"{DDA71D86-E87D-43B1-97D0-A0FF5CEDA9E7}"= C:\Program Files\Acer Arcade Live\Acer SlideShow DVD\Acer SlideShow DVD.exe:Acer SlideShow DVD
"{6EED23F9-336D-43A2-8477-17A2BB6F3F15}"= C:\Program Files\Acer Arcade Live\Acer DVDivine\Acer DVDivine.exe:Acer DVDivine
"{B18354C5-FBCC-49BE-9FA1-DCD4CA785D0B}"= C:\Program Files\Acer Arcade Live\Acer VideoMagician\Acer VideoMagician.exe:Acer VideoMagician
"{48C4529A-D0C4-4E7B-A6A5-ACA0E25F22CF}"= C:\Program Files\Acer Arcade Live\Acer HomeMedia\Acer HomeMedia.exe:Acer HomeMedia
"{C3C0593F-EB72-431D-9221-A69405F1AAA9}"= C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Acer HomeMedia Connect.exe:Acer HomeMedia Connect
"{5CA689BC-45A5-4953-A562-BB126BA0CF1A}"= C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.EXE:Acer HomeMedia Connect Service
"{A763F9C7-FEF8-4240-9922-695F00520191}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{AE9DA601-8295-48ED-A00B-00A00AC4EA2B}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{0F2E1FEB-608A-4E65-AEAA-7D24936441DC}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{2D880C5D-1B8F-4FFD-A027-34BEA000254D}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{B8204EC9-A8D9-46DA-A484-BE356121EF1C}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{DF4DF1CD-B867-42A6-B161-92726B89B083}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{1602EEA6-60D5-4300-963D-845747F9F977}"= UDP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{4C47DA61-2D30-48FA-A7B2-5AAF5A7628BB}"= TCP:C:\Program Files\World of Warcraft\Launcher.exe:World of Warcraft
"{8CAE97C4-3522-441D-A9C5-E68330C08403}"= UDP:C:\Program Files\World of Warcraft\Repair.exe:World of Warcraft - Repair
"{2946A31D-5EDB-429C-A718-284B95549D9F}"= TCP:C:\Program Files\World of Warcraft\Repair.exe:World of Warcraft - Repair
"{16DA6488-FF64-4EB7-8027-F8E10025DC8F}"= UDP:C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe:World of Warcraft - Uninstall
"{83D9BA62-0E05-4187-BB24-10C7E73C4F80}"= TCP:C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe:World of Warcraft - Uninstall
"TCP Query User{7223A80F-E4B2-437A-BCF1-1EAFC74E3A8D}C:\\program files\\airlink101\\mfp ps utility\\rmvusb.exe"= UDP:C:\program files\airlink101\mfp ps utility\rmvusb.exe:Airlink101 MFP PS Utility
"UDP Query User{00FAD257-EAD2-40BD-AB80-1BC362B5B9C8}C:\\program files\\airlink101\\mfp ps utility\\rmvusb.exe"= TCP:C:\program files\airlink101\mfp ps utility\rmvusb.exe:Airlink101 MFP PS Utility
"TCP Query User{2A25B556-A4F5-474F-A531-4C0319E64901}C:\\program files\\wolfenstein - enemy territory\\et.exe"= UDP:C:\program files\wolfenstein - enemy territory\et.exe:ET
"UDP Query User{86CD0BE7-ACEF-4B72-8881-5D3AC21C6563}C:\\program files\\wolfenstein - enemy territory\\et.exe"= TCP:C:\program files\wolfenstein - enemy territory\et.exe:ET
"TCP Query User{6FFF343D-91D0-4C9F-A027-91E3B15359DC}C:\\program files\\diablo ii\\game.exe"= UDP:C:\program files\diablo ii\game.exe:Diablo II
"UDP Query User{A3D28B3F-A3F8-4630-BC4D-E2A9A2A6F3CB}C:\\program files\\diablo ii\\game.exe"= TCP:C:\program files\diablo ii\game.exe:Diablo II
"{D0DAA25B-0AA2-449C-9599-863B3E704FF5}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{9B349125-FDCB-47EA-B04C-754627AE48B8}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{DB27DB05-66F5-4857-AC88-4FAA722DD3C4}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{6FFEAD6E-6561-428D-8B22-3D69C0545096}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{A90E546C-BC9E-48A5-B8C1-70E5FAF7675E}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{D7FBC47E-ABFE-4572-B45F-B05A77E724F1}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{4946D078-93E6-494C-8F7C-8FB68E06A471}"= UDP:9567:BitComet 9567 TCP
"{266AA8DF-71D8-4C88-9F09-185117E4B26C}"= TCP:9567:BitComet 9567 UDP
"TCP Query User{5CD403A2-388D-45C4-A0C2-AA78CE7698C5}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{2CBF23B8-86DA-4117-9178-C494398266EE}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{ED0F93BA-3622-4E3E-985F-8F55215DABBB}C:\\program files\\america's army\\system\\armyops.exe"= UDP:C:\program files\america's army\system\armyops.exe:ArmyOps
"UDP Query User{D0BBEE65-A549-400A-BCD2-79B3F2E43915}C:\\program files\\america's army\\system\\armyops.exe"= TCP:C:\program files\america's army\system\armyops.exe:ArmyOps
"TCP Query User{1CBFEF77-4ACC-4387-8FB1-EF8BA27D3684}C:\\program files\\steam\\steamapps\\aflipzkidn\\team fortress 2\\hl2.exe"= UDP:C:\program files\steam\steamapps\aflipzkidn\team fortress 2\hl2.exe:hl2
"UDP Query User{40A07C31-C8C4-4240-B5DB-C95CDEECEF50}C:\\program files\\steam\\steamapps\\aflipzkidn\\team fortress 2\\hl2.exe"= TCP:C:\program files\steam\steamapps\aflipzkidn\team fortress 2\hl2.exe:hl2
"TCP Query User{71D6E8BB-4946-4CFE-8C2C-C6D79EA86D7F}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{492CE8D1-CF3D-46F2-8F9A-465059D59550}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{0B73B744-8FCF-422E-90F2-598454BE2873}"= UDP:C:\ProgramData\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{5325DD54-BF0D-4634-8BC5-C5EB5FFF47AA}"= TCP:C:\ProgramData\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{45C67361-D039-47A2-9490-9D17C26092CF}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{F366CBF9-9700-4392-87A2-269C59C51C22}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= C:\Acer\Empowering Technology\eDataSecurity\eDSfsu.exe:Enabled:eDSfsu
"C:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= C:\Acer\Empowering Technology\eDataSecurity\encryption.exe:Enabled:encryption
"C:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= C:\Acer\Empowering Technology\eDataSecurity\decryption.exe:Enabled:decryption
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:Enabled:BitTorrent
"C:\\Program Files\\Combat Arms\\CombatArms.exe"= C:\Program Files\Combat Arms\CombatArms.exe:Enabled:CombatArms.exe
"C:\\Program Files\\Combat Arms\\Engine.exe"= C:\Program Files\Combat Arms\Engine.exe:Enabled:Engine.exe

R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-04-12 22:45]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSGB6.sys [2007-01-22 01:09]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr28.sys [2007-11-21 03:17]
S3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;C:\Windows\system32\DRIVERS\RTL85n86.sys [2007-03-12 17:49]
S3 SiS6350;SiS6350;C:\Windows\system32\DRIVERS\SISGRKMD.sys [2007-06-05 04:08]
S4 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2007-06-21 18:33]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SrvDsc - C:\Windows\system32\afkzcjwf.exe
HKLM-Explorer_Run-IpcwZdhOzZ - C:\ProgramData\hchefwvk\rutonsfy.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 20:55:57
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\nvvsvc.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Windows\System32\PnkBstrA.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-07-25 20:58:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 03:57:59
ComboFix2.txt 2008-07-25 15:11:09

Pre-Run: 70,614,736,896 bytes free
Post-Run: 70,516,576,256 bytes free

285 --- E O F --- 2008-07-25 13:32:38

Acer Arcade Live Main Page
Acer Assist
Acer DV Magician
Acer DVDivine
Acer HomeMedia
Acer HomeMedia Connect
Acer Registration
Acer ScreenSaver
Acer SlideShow DVD
Acer VideoMagician
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Agatha Christie - Murder on the Orient Express
AGEIA PhysX v7.11.13
Airlink101 Cardbus & PCI Wireless Configuration Utility
Airlink101 MFP PS Utility
Airlink101 WLAN Monitor
ANIO Service
ANIWZCS2 Service
Apple Mobile Device Support
Apple Software Update
AVG 7.5
Bonjour
CCleaner (remove only)
CDDRV_Installer
Download Manager 2.3.6
ESET Online Scanner
HijackThis 2.0.2
iTunes
Java(TM) 6 Update 7
KhalInstallWrapper
LimeWire 4.18.3
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 Parser and SDK
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NVIDIA Drivers
OpenAL
PunkBuster Services
QuickTime
Realtek High Definition Audio Driver
SiS VGA Utilities
Ventrilo Client
WinRAR archiver
World of Warcraft
Xvid 1.1.3 final uninstall