ComboFix 08-06-03.1 - Marc Young 2008-06-03 21:57:58.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.270 [GMT -5:00]
Running from: C:\Documents and Settings\Marc Young\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marc Young\Desktop\WinXP_EN_HOM_BF.EXE
 * Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-05-29 21:57 . 2008-05-29 21:57 d-------- C:\Program Files\Panda Security
2008-05-29 20:35 . 2008-06-02 21:34 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-29 20:35 . 2008-05-29 20:35 d-------- C:\Documents and Settings\Marc Young\Application Data\SUPERAntiSpyware.com
2008-05-29 20:35 . 2008-05-29 20:35 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-29 20:34 . 2008-05-29 20:34 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-29 20:27 . 2008-05-29 20:27 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 20:27 . 2008-05-29 20:27 d-------- C:\Documents and Settings\Marc Young\Application Data\Malwarebytes
2008-05-29 20:27 . 2008-05-29 20:27 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 20:27 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-29 20:27 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-29 20:26 . 2008-05-29 20:26 d-------- C:\Program Files\Common Files\Download Manager
2008-05-27 21:27 . 2008-05-27 21:27 d-------- C:\_OTMoveIt
2008-05-27 20:47 . 2008-05-27 20:47 d-------- C:\Program Files\Trend Micro
2008-05-26 21:49 . 2008-05-26 23:18 d-------- C:\Program Files\a-squared Free
2008-05-26 21:48 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-26 21:47 . 2008-05-26 21:48 d-------- C:\Program Files\Java
2008-05-26 21:47 . 2008-05-26 21:47 d-------- C:\Program Files\Common Files\Java
2008-05-25 23:24 . 2008-05-25 23:24 d-------- C:\Program Files\Sophos
2008-05-25 20:37 . 2008-06-03 13:21 d--h----- C:\$AVG8.VAULT$
2008-05-25 20:36 . 2008-05-25 20:36 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-05-25 20:36 . 2008-05-25 20:36 75,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-05-25 20:36 . 2008-05-25 20:36 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-05-25 20:35 . 2008-06-03 03:23 d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-05-25 20:35 . 2008-05-25 20:35 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-25 20:30 . 2008-05-25 20:30 d-------- C:\Program Files\AVG
2008-05-25 09:56 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2008-05-25 09:56 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mouhid.sys
2008-05-25 09:56 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-05-25 09:56 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hidusb.sys
2008-05-18 20:16 . 2008-05-18 20:16 d-------- C:\Documents and Settings\Marc Young\Application Data\eakitwrg
2008-05-13 18:17 . 2008-05-13 18:17 d-------- C:\Program Files\PCPitstop
2008-05-13 18:17 . 2008-05-13 18:17 d-------- C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-05-10 11:53 . 2008-05-10 11:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-10 11:53 . 2008-05-10 11:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-05 17:55 . 2008-05-25 20:48 d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-05-05 17:54 . 2007-03-29 07:56 409,600 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\qmgr.dll
2008-05-05 17:54 . 2007-03-29 07:56 18,944 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\qmgrprxy.dll
2008-05-05 17:54 . 2007-03-29 07:56 7,168 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx4.dll
2008-05-05 17:54 . 2007-03-29 07:56 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx4.dll
2008-05-04 19:25 . 2008-05-04 19:25 d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-04 19:25 . 2008-05-04 20:02 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-05-19 21:25 90,383 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_18_20_35_46_small.dmp.zip
2008-05-19 01:15 --------- d-----w C:\Program Files\Common Files\Mozilla Shared
2008-05-12 22:51 78,991 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_10_17_13_07_small.dmp.zip
2008-05-12 22:51 77,327 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_10_17_12_59_small.dmp.zip
2008-05-05 20:38 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-05 01:48 74,157 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_04_20_21_38_small.dmp.zip
2008-05-03 16:42 85,040 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_03_07_38_59_small.dmp.zip
2008-05-02 23:29 --------- d-----w C:\Program Files\Yahoo!
2008-05-02 23:29 --------- d-----w C:\Program Files\Common Files\Scanner
2008-04-29 23:05 86,487 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_04_29_17_57_01_small.dmp.zip
2008-04-27 18:13 --------- d-----w C:\Documents and Settings\Marc Young\Application Data\W Photo Studio Viewer
2008-04-26 12:28 1,446,878 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-04-26 01:45 196,608 ----a-w C:\WINDOWS\SYSTEM32\libssl32.dll
2008-04-26 01:45 1,015,808 ----a-w C:\WINDOWS\SYSTEM32\libeay32.dll
2008-04-26 01:44 20,608 ----a-w C:\WINDOWS\system32\drivers\ddwovrgc.dat
2008-04-25 00:52 --------- d-----w C:\Documents and Settings\Marc Young\Application Data\AdobeUM
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2004-09-04 13:13 0 -c-ha-w C:\Documents and Settings\Marc Young\hpothb07.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-27_21.02.52.75 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-26 11:48:44 297,984 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll
- 2008-05-26 19:15:36 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-30 08:07:39 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-21 17:56:08 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 19:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-02-26 11:59:50 294,912 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msctf.dll
- 2004-08-04 07:56:42 294,400 ----a-w C:\WINDOWS\SYSTEM32\msctf.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\SYSTEM32\msctf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A07F6159-B4FE-4F9A-9CA1-65A6A967AFE0}]
2002-08-29 06:00 82432 --a------ c:\windows\system32\dmdskmgrp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD1FB235-9549-4820-8759-78164F894D9B}]
2004-08-04 02:56 88064 --a------ C:\WINDOWS\system32\bthcil.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-15 01:51 755472]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-25 20:35 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ylyqiaos]
dmdskmgrp.dll 2002-08-29 06:00 82432 C:\WINDOWS\SYSTEM32\dmdskmgrp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Marc Young^Startup^Event Reminder.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a--c--- 2003-12-03 07:40 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a--c--- 2003-06-18 13:00 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize2 Reminder]
--a------ 2008-01-31 13:54 145648 C:\Program Files\PCPitstop\Optimize2\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
-----c--- 2003-08-26 20:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2004-02-06 02:58 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-23 18:38 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3866:TCP"= 3866:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"20190:TCP"= 20190:TCP:@xpsp2res.dll,-22009
"2271:TCP"= 2271:TCP:@xpsp2res.dll,-22009
"62746:TCP"= 62746:TCP:@xpsp2res.dll,-22009
"62165:TCP"= 62165:TCP:@xpsp2res.dll,-22009

R0 zostuvwi;zostuvwi;C:\WINDOWS\system32\drivers\zostuvwi.dat []
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-25 20:36]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-25 20:35]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-25 20:35]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-25 20:36]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 acmdvpkh;IP in IP Tunnel Controller;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\11.tmp []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
acmdvpkh

*Newly Created Service* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
"2004-06-15 23:41:14 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1077064753.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2008-06-03 08:29:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 22:01:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\11.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\zostuvwi]
"ImagePath"="system32\drivers\zostuvwi.dat"
.
Completion time: 2008-06-03 22:04:56
ComboFix-quarantined-files.txt 2008-06-04 03:04:14
ComboFix2.txt 2008-05-28 02:42:59
ComboFix3.txt 2008-05-28 02:04:03

Pre-Run: 67,926,888,448 bytes free
Post-Run: 67,903,811,584 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

204 --- E O F --- 2008-05-30 08:01:28