ComboFix 08-07-31.01 - Lynn Bodin 2008-07-31 18:57:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.526 [GMT -5:00]
Running from: C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Lynn Bodin\Application Data\inst.exe
C:\Documents and Settings\Lynn Bodin\Application Data\macromedia\Flash Player\#SharedObjects\55Z2BLUH\interclick.com
C:\Documents and Settings\Lynn Bodin\Application Data\macromedia\Flash Player\#SharedObjects\55Z2BLUH\interclick.com\ud.sol
C:\Documents and Settings\Lynn Bodin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Lynn Bodin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\g32.txt
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000019_.tmp.dll
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_LANMANDRV
-------\Service_lanmandrv

((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.
2008-07-31 09:15 . 2008-07-31 09:15 d-------- C:\Program Files\Trend Micro
2008-07-29 10:54 . 2008-07-29 10:54 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-29 10:54 . 2008-07-29 10:54 d-------- C:\Documents and Settings\Lynn Bodin\Application Data\Malwarebytes
2008-07-29 10:54 . 2008-07-29 10:54 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 10:54 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-29 10:54 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-29 10:50 . 2008-07-31 19:03 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-28 15:14 . 2008-07-28 15:14 d-------- C:\Program Files\Lavasoft
2008-07-28 15:14 . 2008-07-28 15:15 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-28 15:13 . 2008-07-28 15:13 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-13 18:11 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-13 18:11 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-09 13:35 . 2008-07-09 13:38 d-------- C:\Backup drive c
2008-07-09 12:37 . 2008-07-09 13:31 d-------- C:\Program Files\Norton Ghost
2008-07-09 09:25 . 2008-07-09 09:49 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-08 14:50 . 2008-07-08 14:50 d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-07-08 13:36 . 2008-07-08 15:05 d-------- C:\Program Files\DVDFab Platinum 4
2008-07-08 13:36 . 2008-07-24 10:29 d-------- C:\Documents and Settings\Lynn Bodin\Application Data\Vso
2008-07-08 13:36 . 2008-07-08 13:36 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-08 13:36 . 2008-07-08 13:36 47,360 --a------ C:\Documents and Settings\Lynn Bodin\Application Data\pcouffin.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 23:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-09 18:30 --------- d-----w C:\Documents and Settings\Lynn Bodin\Application Data\Symantec
2008-07-09 18:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-07 23:28 --------- d-----w C:\Program Files\Symantec
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
.
Infected C:\WINDOWS\system32\user32.dll hex repaired

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\STUDY\EPSON Stylus Photo R260 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE" [2006-05-19 04:00 139264]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2008-07-08 16:41 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 00:58 458752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 23:03 36975]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 03:00 7585792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 03:00 86016]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 00:01 761946]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 23:55 102400]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 18:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 18:30 81920]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 18:02 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840]
"\\STUDY\EPSON Stylus Photo R220 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 05:00 98304]
"Auto EPSON Stylus Photo R220 Series (Copy 1) on STUDY"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 05:00 98304]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-17 20:13 98304]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 01:26 406016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 17:47 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-06 22:49 718704]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 19:09 1537648]
"nwiz"="nwiz.exe" [2006-08-18 03:00 1617920 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2007-07-06 07:46 177152 C:\WINDOWS\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 19:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 11:39:30 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Avid\\Avid Liquid 7\\Program\\RM.exe"=
"C:\\Program Files\\Avid\\Avid Liquid 7\\Program\\StudioU.mod"=

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 17:47]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys [2006-06-06 15:39]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae58f950-4e36-11dd-84ab-001636713474}]
\Shell\AutoRun\command - "F:\Install FreeAgent Tools.exe" /run

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2008-07-29 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Lynn Bodin.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 06:05]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Adobe Photo Downloader - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{12175245-21F3-40E8-9C9D-283176F0D7F6}: NameServer = 155.16.44.30,204.148.236.3

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 19:04:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????