ComboFix 08-07-31.01 - Lynn Bodin 2008-07-31 18:57:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.526 [GMT -5:00]
Running from: C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Lynn Bodin\Application Data\inst.exe
C:\Documents and Settings\Lynn Bodin\Application Data\macromedia\Flash Player\#SharedObjects\55Z2BLUH\interclick.com
C:\Documents and Settings\Lynn Bodin\Application Data\macromedia\Flash Player\#SharedObjects\55Z2BLUH\interclick.com\ud.sol
C:\Documents and Settings\Lynn Bodin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Lynn Bodin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\g32.txt
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000019_.tmp.dll
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_LANMANDRV
-------\Service_lanmandrv
((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.
2008-07-31 09:15 . 2008-07-31 09:15 d-------- C:\Program Files\Trend Micro
2008-07-29 10:54 . 2008-07-29 10:54 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-29 10:54 . 2008-07-29 10:54 d-------- C:\Documents and Settings\Lynn Bodin\Application Data\Malwarebytes
2008-07-29 10:54 . 2008-07-29 10:54 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 10:54 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-29 10:54 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-29 10:50 . 2008-07-31 19:03 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-28 15:14 . 2008-07-28 15:14 d-------- C:\Program Files\Lavasoft
2008-07-28 15:14 . 2008-07-28 15:15 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-28 15:13 . 2008-07-28 15:13 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-13 18:11 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-13 18:11 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-09 13:35 . 2008-07-09 13:38 d-------- C:\Backup drive c
2008-07-09 12:37 . 2008-07-09 13:31 d-------- C:\Program Files\Norton Ghost
2008-07-09 09:25 . 2008-07-09 09:49 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-08 14:50 . 2008-07-08 14:50 d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-07-08 13:36 . 2008-07-08 15:05 d-------- C:\Program Files\DVDFab Platinum 4
2008-07-08 13:36 . 2008-07-24 10:29 d-------- C:\Documents and Settings\Lynn Bodin\Application Data\Vso
2008-07-08 13:36 . 2008-07-08 13:36 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-08 13:36 . 2008-07-08 13:36 47,360 --a------ C:\Documents and Settings\Lynn Bodin\Application Data\pcouffin.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 23:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-09 18:30 --------- d-----w C:\Documents and Settings\Lynn Bodin\Application Data\Symantec
2008-07-09 18:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-07 23:28 --------- d-----w C:\Program Files\Symantec
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
.
Infected C:\WINDOWS\system32\user32.dll hex repaired
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\STUDY\EPSON Stylus Photo R260 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE" [2006-05-19 04:00 139264]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2008-07-08 16:41 2828184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 00:58 458752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 23:03 36975]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 03:00 7585792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 03:00 86016]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 00:01 761946]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 23:55 102400]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 18:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 18:30 81920]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 18:02 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840]
"\\STUDY\EPSON Stylus Photo R220 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 05:00 98304]
"Auto EPSON Stylus Photo R220 Series (Copy 1) on STUDY"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 05:00 98304]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-17 20:13 98304]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 01:26 406016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 17:47 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-06 22:49 718704]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 19:09 1537648]
"nwiz"="nwiz.exe" [2006-08-18 03:00 1617920 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2007-07-06 07:46 177152 C:\WINDOWS\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 19:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 11:39:30 73728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Avid\\Avid Liquid 7\\Program\\RM.exe"=
"C:\\Program Files\\Avid\\Avid Liquid 7\\Program\\StudioU.mod"=
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 17:47]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys [2006-06-06 15:39]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae58f950-4e36-11dd-84ab-001636713474}]
\Shell\AutoRun\command - "F:\Install FreeAgent Tools.exe" /run
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2008-07-29 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Lynn Bodin.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 06:05]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Adobe Photo Downloader - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{12175245-21F3-40E8-9C9D-283176F0D7F6}: NameServer = 155.16.44.30,204.148.236.3
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 19:04:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????@? ????^??????Y?@?????@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\\\STUDY\\EPSON Stylus Photo R260 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIBNA.EXE /FU \"C:\\DOCUME~1\\LYNNBO~1\\LOCALS~1\\Temp\\E_SC.tmp\" /EF \"HKCU\""
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-07-31 19:07:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-01 00:07:40
Pre-Run: 20,628,668,416 bytes free
Post-Run: 21,947,617,280 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
192 --- E O F --- 2008-07-09 12:59:18