ComboFix 08-03-05.1 - Owner 2008-03-10 22:26:11.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.177 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\WINDOWS\pss\winlogin.exe
C:\WINDOWS\system32\dmcompo.dll
.

((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-05 23:03 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-05 21:35 . 2008-03-05 21:35 279 --a------ C:\Shortcut to Local Disk (C).lnk
2008-02-28 23:22 . 2008-02-28 23:22 d-------- C:\VundoFix Backups
2008-02-27 08:54 . 2008-02-27 08:54 d-------- C:\Program Files\Trend Micro
2008-02-27 00:58 . 2007-06-05 11:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-27 00:42 . 2008-02-27 02:22 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-27 00:42 . 2008-02-27 00:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-27 00:42 . 2008-02-27 00:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-27 00:42 . 2008-02-27 00:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-26 20:27 . 2008-02-26 20:27 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-26 20:26 . 2008-03-06 08:50 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-26 20:26 . 2008-02-26 20:26 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-26 20:26 . 2008-02-26 20:26 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-26 01:30 . 2008-02-26 01:30 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-26 01:19 . 2008-02-26 01:19 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-26 01:18 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-23 22:36 . 2008-02-23 22:40 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-23 19:26 . 2008-02-23 19:25 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-23 19:26 . 2008-02-23 19:26 2,541 --a------ C:\WINDOWS\unins000.dat
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 22:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-06 03:03 --------- d-----w C:\Program Files\Java
2008-03-05 22:03 --------- d-----w C:\Program Files\LimeWire
2008-02-29 04:55 --------- d-----w C:\Program Files\Viewpoint
2008-02-29 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-27 06:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-27 06:06 --------- d-----w C:\Program Files\QuickTime
2008-02-27 05:58 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-27 05:52 --------- d-----w C:\Program Files\Google
2008-02-26 05:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-25 21:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-25 19:41 --------- d-----w C:\Program Files\Samsung
2008-02-23 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-07 02:40 --------- d-----w C:\Program Files\Corel
2008-02-07 02:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2008-02-06 21:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-06-22 01:38 10,220 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
.

------- Sigcheck -------

8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
----a-w 14,336 2004-08-12 14:06:49 C:\WINDOWS\system32\svchost.exe
-c--a-w 14,336 2004-08-12 14:06:49 C:\WINDOWS\system32\dllcache\svchost.exe

2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
----a-w 82,944 2004-08-12 14:10:27 C:\WINDOWS\system32\ws2_32.dll
-c--a-w 82,944 2004-08-12 14:10:27 C:\WINDOWS\system32\dllcache\ws2_32.dll

01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
----a-w 502,272 2004-08-12 14:09:30 C:\WINDOWS\system32\winlogon.exe
-c--a-w 502,272 2004-08-12 14:09:30 C:\WINDOWS\system32\dllcache\winlogon.exe

558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys
-c--a-w 182,912 2004-08-12 14:01:38 C:\WINDOWS\system32\dllcache\ndis.sys
-c--a-w 182,912 2004-08-12 14:01:38 C:\WINDOWS\system32\drivers\ndis.sys

4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
-c--a-w 29,056 2004-08-12 13:58:08 C:\WINDOWS\system32\dllcache\ip6fw.sys
----a-w 29,056 2004-08-12 13:58:08 C:\WINDOWS\system32\drivers\ip6fw.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-12 23:24 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36 1207080]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 12:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-26 22:43 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-16 10:39 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34 5419008]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 22:18 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" [2005-03-21 15:00 78848]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 12:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=4y1j82lpsrdecdr.dll.dll.dll.dll.dll.dll.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
--a------ 2002-09-24 16:39 147456 C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-05-09 20:24 50760 C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
--a------ 2004-08-12 10:04 11776 C:\WINDOWS\system32\regsvr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
--a------ 2002-09-30 02:00 45056 C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-02-20 18:45 28672 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2002-10-29 10:18 49152 C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
--a------ 2004-04-15 04:32 270336 C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-08-13 02:05 122939 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 19:19 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-05-12 23:25 1831424 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 22:36 1207080 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 20:24 50760 C:\Program Files\Common Files\AOL\1139706769\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a------ 2006-02-17 12:59 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPodManager]
C:\Program Files\iPod\bin\iPodManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-12-20 21:54 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 13:03 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 21:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 21:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-26 22:43 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMDeviceManager]
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-05-12 23:24 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2004-11-15 20:40 95456 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"navapsvc"=3 (0x3)
"MDM"=2 (0x2)
"LexBceS"=2 (0x2)
"iPodService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire 4.0.8\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139706769\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1139706769\\ee\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbb48502-36a6-11d9-8ad4-0011114656b0}]
\Shell\AutoRun\command - LinksysConnectPC.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 22:29:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2008-03-10 22:30:51
ComboFix-quarantined-files.txt 2008-03-11 02:30:46
ComboFix2.txt 2008-03-10 01:14:02
ComboFix3.txt 2008-03-07 00:17:45
ComboFix4.txt 2008-03-06 02:13:32
ComboFix5.txt 2008-03-06 01:49:47
.
2008-02-23 22:19:59 --- E O F ---