ComboFix 08-05-19.4 - CarlM 2008-05-20 17:46:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.195 [GMT -5:00]
Running from: C:\temp\debug\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((  Files Created from 2008-04-20 to 2008-05-20  )))))))))))))))))))))))))))))))
.

2008-05-19 16:19 . 2008-05-19 16:19  d--------  C:\_OTMoveIt
2008-05-19 16:12 . 2008-03-25 02:37  69,632  --a------  C:\WINDOWS\system32\javacpl.cpl
2008-05-19 16:11 . 2008-05-19 16:11  d--------  C:\Program Files\Common Files\Java
2008-05-19 08:33 . 2008-05-19 08:33  d--------  C:\Deckard
2008-05-13 16:48 . 2008-05-19 08:16  d--------  C:\WINDOWS\SxsCaPendDel
2008-05-12 22:43 . 2008-05-12 22:48  536,268,800  --ah-----  C:\hiberfil.sys.szcpf
2008-05-12 09:25 . 2008-05-12 12:27  d--------  C:\Documents and Settings\All Users\Application Data\SITEguard
2008-05-12 09:23 . 2008-05-12 09:23  d--------  C:\Program Files\Common Files\iS3
2008-05-12 09:23 . 2008-05-13 16:48  d--------  C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-05-12 07:49 . 2008-05-12 07:49  552  --a------  C:\WINDOWS\system32\d3d8caps.dat
2008-05-12 07:18 . 2008-05-12 07:18  812,344  --a------  C:\temp\HJTInstall.exe
2008-05-12 07:11 . 2008-05-12 07:11  167,608  --a------  C:\temp\FxIstbar.exe
2008-05-11 19:09 . 2008-05-05 20:46  27,048  --a------  C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-11 19:09 . 2008-05-05 20:46  15,864  --a------  C:\WINDOWS\system32\drivers\mbam.sys
2008-05-10 23:24 . 2008-05-13 16:50  d--------  C:\Program Files\Enigma Software Group
2008-05-10 23:22 . 2008-05-10 23:24  7,591,272  --a------  C:\temp\Free-SpyHunter-Scanner-Install.exe
2008-05-05 14:05 . 2008-05-05 14:05  d--------  C:\Documents and Settings\CarlM\Application Data\Malwarebytes
2008-05-05 14:04 . 2008-05-11 19:09  d--------  C:\Program Files\Malwarebytes' Anti-Malware
2008-05-05 14:04 . 2008-05-05 14:04  d--------  C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-05 14:03 . 2008-05-05 14:03  1,546,928  --a------  C:\temp\mbam-setup.exe
2008-05-05 12:48 . 2008-05-05 12:48  d--------  C:\temp\backup
2008-05-05 06:55 . 2008-05-05 12:48  d--------  C:\temp\report
2008-05-05 06:55 . 2008-05-20 17:31  d--------  C:\temp\debug
2008-05-05 06:55 . 2008-05-05 13:17  3,973  --a------  C:\temp\sysclean.log
2008-05-05 06:53 . 2008-05-05 06:53  23,646,196  --a------  C:\temp\lpt255.zip
2008-05-05 06:52 . 2008-05-05 06:52  510,898  --a------  C:\temp\sspda6_637.zip
2008-05-05 06:51 . 2008-05-05 06:51  4,662,144  --a------  C:\temp\sysclean.com
2008-05-05 00:37 . 2008-05-11 20:29  dr-h-----  C:\$VAULT$.AVG
2008-05-03 15:52 . 2008-05-03 15:52  d--------  C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-03 15:52 . 2008-05-04 22:53  d--------  C:\Documents and Settings\CarlM\Application Data\AVG7
2008-05-03 15:51 . 2008-05-03 15:51  d--------  C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-03 15:51 . 2008-05-04 22:53  d--------  C:\Documents and Settings\All Users\Application Data\avg7
2008-05-02 18:30 . 2008-05-02 18:30  d--------  C:\temp\maxsv15
2008-05-02 18:30 . 2008-05-02 18:33  209,749  --a------  C:\temp\nxSUbt99.exe
2008-05-02 07:11 . 2008-05-02 07:09  691,545  --a------  C:\WINDOWS\unins000.exe
2008-05-02 07:11 . 2008-05-02 07:11  2,543  --a------  C:\WINDOWS\unins000.dat
2008-05-02 07:07 . 2008-05-19 08:47  d-a------  C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-28 17:41 . 2008-04-28 17:42  d--------  C:\Program Files\MTV Virtual World
2008-04-20 20:33 . 2008-04-20 20:33  d--------  C:\Program Files\NovaLogic
2008-04-20 20:25 . 2008-04-20 20:26  d--------  C:\temp\dfx_demo_05172005_xx
2008-04-20 20:22 . 2008-04-20 20:25  304,202,714  --a------  C:\temp\dfx_demo_05172005_xx.zip

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 21:12  ---------  d-----w  C:\Program Files\Java
2008-05-19 13:47  ---------  d-----w  C:\Program Files\SpywareBlaster
2008-05-19 13:47  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 12:18  ---------  d-----w  C:\Program Files\Trend Micro
2008-05-03 00:37  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-03 00:35  12,632  ----a-w  C:\WINDOWS\system32\lsdelete.exe
2008-05-02 12:13  ---------  d-----w  C:\Program Files\Spybot - Search & Destroy
2008-04-21 01:33  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-03-27 08:12  151,583  ----a-w  C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12  151,583  ------w  C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47  1,845,248  ----a-w  C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47  1,845,248  ------w  C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 23:36  3,591,680  ----a-w  C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55  70,656  ------w  C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55  625,664  ------w  C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00  13,824  ------w  C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51  282,624  ----a-w  C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51  282,624  ------w  C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32  45,568  ----a-w  C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32  45,568  ------w  C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32  148,992  ------w  C:\WINDOWS\system32\dllcache\dnsapi.dll

.
(((((((((((((((((((((((((((((  snapshot@2008-05-20_17.29.49.25  )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 22:09:43  2,048  --s-a-w  C:\WINDOWS\bootstat.dat
+ 2008-05-20 22:33:21  2,048  --s-a-w  C:\WINDOWS\bootstat.dat
- 2008-05-20 22:14:05  54,010  ----a-w  C:\WINDOWS\system32\perfc009.dat
+ 2008-05-20 22:37:41  54,010  ----a-w  C:\WINDOWS\system32\perfc009.dat
- 2008-05-20 22:14:05  383,822  ----a-w  C:\WINDOWS\system32\perfh009.dat
+ 2008-05-20 22:37:41  383,822  ----a-w  C:\WINDOWS\system32\perfh009.dat

.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:40 68856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"HP Mobile Printing"="C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2003-05-23 16:12 630784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 18:41 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-24 18:45 335872]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 16:05 200766]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 14:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 14:08 618496]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 19:19 290816]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2004-11-08 20:48 458752]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-03-29 04:42 36864]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 12:52 61440]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 10:31 184320]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-12 08:35 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-03 15:58 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-05-03 15:51 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-10-17 18:50:24 82026]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08 471040]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\palmOne\\Hotsync.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"C:\\Program Files\\NovaLogic\\Delta Force Xtreme Demo\\DFXDemo.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

R2 cpextender;Check Point SSL Network Extender;C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe [2005-02-10 13:26]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 19:49]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2002-04-22 14:50]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-04-30 23:16]
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 09:50]
R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys [2007-07-26 10:23]
R3 VNA;Check Point Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\vna.sys [2005-02-10 13:26]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-08-04 21:00]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-04-30 23:16]
S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe" [2002-04-30 23:09]
S3 f5ipfw;F5 Networks StoneWall Filter;C:\WINDOWS\system32\drivers\urfltw2k.sys [2005-12-15 02:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d282a1b-733e-11dc-8d7d-444553544200}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93baac20-5192-11dc-8d53-444553544200}]
\Shell\AutoRun\command - E:\PortableVault.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 17:48:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????0?8?9?1??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-05-20 17:48:54
ComboFix-quarantined-files.txt  2008-05-20 22:48:50
ComboFix2.txt  2008-05-20 22:29:59

Pre-Run: 27,717,394,432 bytes free
Post-Run: 27,704,291,328 bytes free

166 --- E O F --- 2008-05-16 01:24:56