Another Virus?

  • Another Virus?

    OK, ran Combofix and noticed on reboot a file called "CatchMe" scooting around the task manager.

    Friend or foe?

    Also, Avira seems to be blocked and Housecall can't seem to load.

    Here's the HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:03:41 AM, on 6/25/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\E_S00RP1.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\tppaldr.exe
    C:\WINDOWS\system32\shpc32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\SQUEEZ~1\server\SQUEEZ~1.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Documents and Settings\Ninjahedge\Desktop\RootkitRevealer.exe
    C:\DOCUME~1\NINJAH~1\LOCALS~1\Temp\UTDFPET.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
    O4 - HKLM\..\Run: [xkstartup] RunDll32 InstZ82.dll,SetUsbPrinterPort
    O4 - HKLM\..\Run: [SHPC32] shpc32.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB001" /M "Stylus Photo RX600"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX600 (from SILVER_2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P40 "EPSON Stylus Photo RX600 (from SILVER_2)" /O5 "TS001" /M "Stylus Photo RX600"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Auto EPSON Stylus Photo RX600 on SILVER_2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P41 "Auto EPSON Stylus Photo RX600 on SILVER_2" /O22 "\\SILVER_2\EPSON Color" /M "Stylus Photo RX600"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: SqueezeCenter Tray Tool.lnk = C:\Program Files\SqueezeCenter\SqueezeTray.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.3.0.97.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/5...l/gtdownls.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{263CDDD2-764F-440A-8447-5A41D8808460}: NameServer = 71.250.0.12,68.237.161.12
    O17 - HKLM\System\CS1\Services\Tcpip\..\{263CDDD2-764F-440A-8447-5A41D8808460}: NameServer = 71.250.0.12,68.237.161.12
    O17 - HKLM\System\CS3\Services\Tcpip\..\{263CDDD2-764F-440A-8447-5A41D8808460}: NameServer = 71.250.0.12,68.237.161.12
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NetSentinel - Rainbow Technologies, Inc. - C:\WINDOWS\system32\Nssrvice.exe
    O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: UTDFPET - Sysinternals - www.sysinternals.com - C:\DOCUME~1\NINJAH~1\LOCALS~1\Temp\UTDFPET.exe
    --
    End of file - 12267 bytes

    If any more info is needed, let me know...



    Edit: Oh, I looked up some of the files in bold and green; they seem to be OK.

    I have no idea how I have Lexmark drivers on my machine, but I do, and I have never seen this many entries on this machine before. A lot seem to be toolbar settings and, ironically, things like antivirus/spyware buttons, updaters and the like...
    Last edited by Ninjahedge; 06-26-2009, 01:05 PM.
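    The "friend or foe" question a log like this raises is usually answered by applying a few triage rules before reading every line by hand. The script below is an added example written for this page; it is not part of the thread and not code from HijackThis or Trend Micro. It parses the "Running processes", O4 and O23 sections of a HijackThis-format log and flags the entries a reviewer would look at first: bare file names that are resolved through the search path, executables living under a user-writable temp directory, and services with no publisher string. The sample log lines are constructed for the example in the same format as the log above; USER~1 and ABCDEFG.exe are placeholders, not values from the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis format (not copied from the thread);
# USER~1 and ABCDEFG.exe are placeholder names.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\USER~1\LOCALS~1\Temp\ABCDEFG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [xkstartup] RunDll32 InstZ82.dll,SetUsbPrinterPort
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ABCDEFG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\USER~1\LOCALS~1\Temp\ABCDEFG.exe
"""


@dataclass
class Entry:
    kind: str                 # "process", "O4" or "O23"
    name: str                 # run-key value name, service display name, or exe file name
    exe: str                  # executable path exactly as written in the log
    owner: str = ""           # O23 publisher column, when present
    flags: list = field(default_factory=list)


O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Path fragments where a legitimate autostart entry or service rarely lives
# (chosen for this example; extend to taste).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


def executable_from_command(cmd: str) -> str:
    """Program part of an O4 command line: a quoted path, a path ending in .exe, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()]
    return cmd.split()[0]


def parse_hjt(text: str) -> list:
    """Collect running processes, O4 autostart entries and O23 services from HijackThis output."""
    entries = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes and DRIVE_RE.match(line):
            entries.append(Entry("process", line.rsplit("\\", 1)[-1], line))
            continue
        in_processes = False  # the first non-path line ends the process list
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m["name"], executable_from_command(m["cmd"])))
            continue
        if line.startswith("O23 - Service: "):
            body = line[len("O23 - Service: "):]
            # The path is the last " - " segment and the publisher the one before it;
            # vendor strings that themselves contain " - " stay attached to the display name.
            rest, _, exe = body.rpartition(" - ")
            display, _, owner = rest.rpartition(" - ")
            entries.append(Entry("O23", display or rest, exe, owner if display else ""))
    return entries


def triage(entries: list) -> list:
    """Attach review flags and return only the entries that received at least one."""
    flagged = []
    for e in entries:
        low = e.exe.lower()
        if "\\" not in e.exe:
            e.flags.append("bare name: resolved through the search path, confirm which file actually runs")
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            e.flags.append("runs from a user-writable temp location")
        if e.kind == "O23" and e.owner == "Unknown owner":
            e.flags.append("service has no publisher string")
        if e.flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.kind:8} {e.name:40} {e.exe}")
        for f in e.flags:
            print("         -", f)
```

    A flag means "look here first", not "malicious": the Temp-resident Sysinternals service in the log above is consistent with RootkitRevealer, which copies itself to a randomly named file in the temp directory and runs from there while it scans, so the owner column and what else is running at the time are what settle it. Entries with no flag still deserve a glance, but the list is short enough to check each path against its vendor.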

  • #2
    OK, that looks WAY too big, but I will try a safe mode when I come home tonight.

    Here's the Rootkit scan:

    HKU\.DEFAULT\Control Panel\International 1/6/2009 12:51 AM 0 bytes Security mismatch.
    HKU\.DEFAULT\Control Panel\International\Geo 1/6/2009 12:51 AM 0 bytes Security mismatch.
    HKU\S-1-5-21-1715567821-1425521274-682003330-1003\Console 6/25/2009 7:48 AM 0 bytes Security mismatch.
    HKU\S-1-5-21-1715567821-1425521274-682003330-1003\Console\cmd.exe 6/25/2009 7:48 AM 0 bytes Security mismatch.
    HKU\S-1-5-21-1715567821-1425521274-682003330-1003\Control Panel\International 1/6/2009 12:51 AM 0 bytes Security mismatch.
    HKU\S-1-5-21-1715567821-1425521274-682003330-1003\Control Panel\International\Geo 1/6/2009 12:51 AM 0 bytes Security mismatch.
    HKU\S-1-5-18\Control Panel\International 1/6/2009 12:51 AM 0 bytes Security mismatch.
    HKU\S-1-5-18\Control Panel\International\Geo 1/6/2009 12:51 AM 0 bytes Security mismatch.
    HKLM\SECURITY\Policy\Secrets\SAC* 9/2/2004 12:01 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SAI* 9/2/2004 12:00 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 6/25/2009 7:59 AM 80 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\swearware\backup\winsock2 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018 6/25/2009 7:31 AM 0 bytes Security mismatch.
    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 1/5/2009 7:57 PM 0 bytes Access is denied.
    C:\Documents and Settings\Ninjahedge\Cookies\ninjahedge@google[1].txt 6/21/2009 6:07 PM 346 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\Ninjahedge\Cookies\ninjahedge@google[2].txt 6/25/2009 8:01 AM 348 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Cookies\ninjahedge@techsupport team[2].txt 6/25/2009 8:01 AM 578 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temp\~DF36DD.tmp 6/25/2009 8:03 AM 112.00 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\ads[1].htm 6/25/2009 8:02 AM 5.09 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\favicon[1].ico 6/25/2009 8:00 AM 318 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\favicon[2].ico 6/25/2009 8:00 AM 9.90 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\gradient_alt[1].gif 6/25/2009 8:01 AM 165 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\gradient_tcat[1].gif 6/25/2009 8:01 AM 260 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\lofiprint[1].css 6/25/2009 8:02 AM 281 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\quote[1].gif 6/25/2009 8:01 AM 851 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\render_ads[1].js 6/25/2009 8:02 AM 289 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\search[1] 6/25/2009 8:01 AM 541 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\search[2] 6/25/2009 8:01 AM 71 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\search[2].htm 6/25/2009 8:01 AM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\sma7[1].js 6/25/2009 8:02 AM 2.78 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\vbulletin_global[1].js 6/25/2009 8:01 AM 24.47 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\6J0BIWDG\vbulletin_important[1].css 6/25/2009 8:01 AM 1.65 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\19563-post15[1].htm 6/25/2009 8:01 AM 29.31 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\avatar67_15[1].gif 6/25/2009 8:01 AM 3.47 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\favicon[3].ico 6/25/2009 8:00 AM 3 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\fruits_cherry[1].gif 6/25/2009 8:02 AM 671 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\gadget_suggest_window[1] 6/25/2009 8:01 AM 172 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\lofiscreen[1].css 6/25/2009 8:02 AM 2.86 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\ncode_imageresizer[1].js 6/25/2009 8:01 AM 9.24 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\photo[1].png 6/25/2009 8:01 AM 220 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\search[1] 6/25/2009 8:01 AM 566 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\search[2].htm 6/25/2009 8:01 AM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\show_ads[1].js 6/25/2009 8:02 AM 33.70 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\sma[1].png 6/25/2009 8:02 AM 728 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\DMCUOB7T\tstbarog3[1].png 6/25/2009 8:01 AM 7.26 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\abg-en-100c-000000[1].png 6/25/2009 8:02 AM 1006 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\badge80x15[1].png 6/25/2009 8:01 AM 1.41 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\connection-min[1].js 6/25/2009 8:01 AM 14.01 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\expansion_embed[1].js 6/25/2009 8:02 AM 42.78 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\favicon[1].ico 6/25/2009 8:00 AM 3 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\gadget_loading[1] 6/25/2009 8:01 AM 212 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\lofihandheld[1].css 6/25/2009 8:02 AM 281 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\reputation_pos[1].gif 6/25/2009 8:01 AM 301 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\search[1] 6/25/2009 8:01 AM 116 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\user_offline[1].gif 6/25/2009 8:01 AM 1.00 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\vbulletin_ajax_reputation[1].js 6/25/2009 8:01 AM 4.90 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\welcome[1].gif 6/25/2009 8:02 AM 3.24 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\MV8GRXPC\yahoo-dom-event[1].js 6/25/2009 8:01 AM 30.37 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\ads[1].htm 6/25/2009 8:02 AM 12.27 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\favicon[2].ico 6/25/2009 8:00 AM 9.90 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\favicon[3].ico 6/25/2009 8:02 AM 1.37 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\gradient_thead[1].gif 6/25/2009 8:01 AM 146 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\post_old[1].gif 6/25/2009 8:01 AM 522 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\search[1] 6/25/2009 8:01 AM 517 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\search[2].htm 6/25/2009 8:01 AM 23.17 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\search[3].htm 6/25/2009 8:01 AM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\search[4].htm 6/25/2009 8:02 AM 11 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\t132566[1].htm 6/25/2009 8:02 AM 21.41 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\test_domain[1].js 6/25/2009 8:02 AM 54 bytes Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\vbulletin_lightbox[1].js 6/25/2009 8:01 AM 10.02 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Local Settings\Temporary Internet Files\Content.IE5\PIJIJEOB\vbulletin_menu[1].js 6/25/2009 8:01 AM 9.17 KB Hidden from Windows API.
    C:\Documents and Settings\Ninjahedge\Recent\DSK1_VOL1 (C).lnk 6/25/2009 8:03 AM 342 bytes Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\Ninjahedge\Recent\hijackthis 06-25-09.log.lnk 6/25/2009 8:03 AM 433 bytes Visible in directory index, but not Windows API or MFT.
    C:\System Volume Information\_restore{5E1F2466-0A70-4985-9F0E-6501C70510F7}\RP99\A0008235.lnk 5/29/2009 12:04 AM 849 bytes Visible in directory index, but not Windows API or MFT.



    • #3
      CatchMe is part of combofix. Be careful with ComboFix - take it slow and follow the readme.
      When you girls are done kissing, I've got some asskicking for you!



      • #4
        I have run it once before, but I think I need to run it in Safe mode, if I remember right.

        I should also try and run these other proggies in safe mode to get a cleaner record...

        The thing that makes me suspicious is not being able to update Antivir and not being able to use Housecall. I think something is blocking it.
