ComboFix 08-03-20.5 - Cortney 2008-03-20 20:15:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.152 [GMT -6:00]
Running from: C:\Documents and Settings\Cortney\Desktop\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Cortney\ResErrors.log
C:\WINDOWS\system32\_002285_.tmp.dll
C:\WINDOWS\system32\_002291_.tmp.dll
C:\WINDOWS\system32\_002294_.tmp.dll
C:\WINDOWS\system32\_002297_.tmp.dll
C:\WINDOWS\system32\_002455_.tmp.dll
C:\WINDOWS\system32\_002456_.tmp.dll
C:\WINDOWS\system32\_002457_.tmp.dll
C:\WINDOWS\system32\_002458_.tmp.dll
C:\WINDOWS\system32\_002461_.tmp.dll
C:\WINDOWS\system32\_002462_.tmp.dll
C:\WINDOWS\system32\_002463_.tmp.dll
C:\WINDOWS\system32\_002464_.tmp.dll
C:\WINDOWS\system32\_002471_.tmp.dll
C:\WINDOWS\system32\_002472_.tmp.dll
C:\WINDOWS\system32\_002473_.tmp.dll
C:\WINDOWS\system32\_002475_.tmp.dll
C:\WINDOWS\system32\_002476_.tmp.dll
C:\WINDOWS\system32\_002479_.tmp.dll
C:\WINDOWS\system32\_002480_.tmp.dll
C:\WINDOWS\system32\_002482_.tmp.dll
C:\WINDOWS\system32\_002483_.tmp.dll
C:\WINDOWS\system32\_002484_.tmp.dll
C:\WINDOWS\system32\_002486_.tmp.dll
C:\WINDOWS\system32\_002487_.tmp.dll
C:\WINDOWS\system32\_002489_.tmp.dll
C:\WINDOWS\system32\_002493_.tmp.dll
C:\WINDOWS\system32\_002494_.tmp.dll
C:\WINDOWS\system32\_002496_.tmp.dll
C:\WINDOWS\system32\_002499_.tmp.dll
C:\WINDOWS\system32\_002501_.tmp.dll
C:\WINDOWS\system32\_002502_.tmp.dll
C:\WINDOWS\system32\_002503_.tmp.dll
C:\WINDOWS\system32\_002504_.tmp.dll
C:\WINDOWS\system32\_002507_.tmp.dll
C:\WINDOWS\system32\_002509_.tmp.dll
C:\WINDOWS\system32\_002510_.tmp.dll
C:\WINDOWS\system32\_002511_.tmp.dll
C:\WINDOWS\system32\_002515_.tmp.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.
2008-03-20 20:13 . 2008-03-20 20:13    d--------    C:\ComboFix(2)
2008-03-20 17:44 . 2008-03-20 17:44    d--------    C:\Documents and Settings\Cortney\Application Data\Malwarebytes
2008-03-20 17:43 . 2008-03-20 17:43    d--------    C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-20 17:41 . 2008-03-20 17:41    d--------    C:\_OTMoveIt
2008-03-19 22:23 . 2008-03-19 22:23    9,662    --a------    C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-03-14 23:36 . 2008-03-14 23:36    d--------    C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-14 21:00 . 2008-03-14 22:26    d--------    C:\Program Files\SUPERAntiSpyware
2008-03-14 21:00 . 2008-03-14 22:27    d--------    C:\Documents and Settings\Cortney\Application Data\SUPERAntiSpyware.com
2008-03-14 21:00 . 2008-03-14 21:00    d--------    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-11 10:13 . 2008-03-20 20:20    54,156    --ah-----    C:\WINDOWS\QTFont.qfn
2008-03-11 10:13 . 2008-03-20 20:17    1,409    --a------    C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 03:59    ---------    d-----w    C:\Program Files\Trend Micro
2008-03-15 02:18    ---------    d-----w    C:\Program Files\Java
2008-03-11 15:40    ---------    d-----w    C:\Program Files\Lx_cats
2008-02-22 15:51    ---------    d-----w    C:\Program Files\Diet Analysis Plus 8.0
2008-02-19 17:00    ---------    d-----r    C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-15 02:24    ---------    d-----w    C:\Program Files\Roguescanfix
2008-02-15 02:24    ---------    d-----w    C:\Program Files\Alfa & Ariss
2008-02-04 15:31    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-02-04 15:23    ---------    d-----w    C:\Program Files\Yahoo!
2007-09-27 17:11    82,864    ----a-w    C:\Documents and Settings\Cortney\Application Data\GDIPFONTCACHEV1.DAT
2004-07-18 06:55    460,728    ----a-w    C:\WINDOWS\Fonts\SET5FF.tmp
2004-07-18 06:55    460,728    ----a-w    C:\WINDOWS\Fonts\SET50E.tmp
2004-07-18 06:55    383,140    ----a-w    C:\WINDOWS\Fonts\SET5FE.tmp
2004-07-18 06:55    383,140    ----a-w    C:\WINDOWS\Fonts\SET50D.tmp
2004-07-18 06:55    355,436    ----a-w    C:\WINDOWS\Fonts\SET5FD.tmp
2004-07-18 06:55    355,436    ----a-w    C:\WINDOWS\Fonts\SET50C.tmp
2004-07-17 19:39    409,280    ----a-w    C:\WINDOWS\Fonts\SET5FC.tmp
2004-07-17 19:39    409,280    ----a-w    C:\WINDOWS\Fonts\SET50B.tmp
2004-07-17 19:39    398,372    ----a-w    C:\WINDOWS\Fonts\SET5FB.tmp
2004-07-17 19:39    398,372    ----a-w    C:\WINDOWS\Fonts\SET50A.tmp
2004-07-17 19:39    367,112    ----a-w    C:\WINDOWS\Fonts\SET602.tmp
2004-07-17 19:39    367,112    ----a-w    C:\WINDOWS\Fonts\SET511.tmp
2004-07-17 19:39    352,224    ----a-w    C:\WINDOWS\Fonts\SET601.tmp
2004-07-17 19:39    352,224    ----a-w    C:\WINDOWS\Fonts\SET510.tmp
2004-07-17 19:39    127,596    ----a-w    C:\WINDOWS\Fonts\SET600.tmp
2004-07-17 19:39    127,596    ----a-w    C:\WINDOWS\Fonts\SET50F.tmp
.
((((((((((((((((((((((((((((( snapshot@2008-03-20_10.59.57.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-20 16:48:27    262,144    ----a-w    C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
+ 2008-03-21 02:15:03    262,144    ----a-w    C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 05:24 65536]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 06:00 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 02:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 02:07 114688]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 13:20 88363 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 19:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 20:00 126976]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-10-31 17:01 1019904]
"TPSMain"="TPSMain.exe" [2003-11-19 23:15 278528 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 11:39 159744]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 18:16 172032]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-04-15 22:01 258048]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 12:29 40960]
"TFNF5"="TFNF5.exe" [2003-10-15 18:03 73728 C:\WINDOWS\system32\TFNF5.exe]
"TFncKy"="TFncKy.exe" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-11-20 19:24 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-11-20 19:25 77824]
"Lexmark 5200 series"="C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe" [2004-03-25 07:30 57344]
"000StTHK"="000StTHK.exe" [2001-06-23 22:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 12:42 69632]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-06 23:56 188416]
"LXBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 10:30 65536]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 19:09 842584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 15:23:32 51776]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04 83360]
Trend Micro Anti-Spyware.lnk - C:\Program Files\Trend Micro\Tmas\Tmas.exe [2006-03-07 19:42:20 1306624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= C:\Program Files\Trend Micro\Tmas\sshook.dll [2006-05-26 16:17 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    REG_MULTI_SZ    scecli scecli

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\System32\drivers\BsStor.sys [2002-06-06 03:07]
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys [2003-02-12 11:03]
S3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys [2003-05-14 19:38]

.
Contents of the 'Scheduled Tasks' folder
"2006-12-14 07:45:35 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- c:\Program Files\Microsoft IntelliPoint\ipoint.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 20:20:53
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2008-03-20 20:22:46 - machine was rebooted
ComboFix-quarantined-files.txt  2008-03-21 02:22:36
ComboFix2.txt  2008-03-20 17:00:39