ComboFix 08-08-21.02 - Nate 2008-08-23 19:21:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2424 [GMT -7:00]
Running from: C:\Documents and Settings\Nate\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nate\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nate\Application Data\inst.exe
C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.

2008-08-22 17:12 . 1999-09-10 04:06 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2008-08-22 17:12 . 1999-09-10 04:06 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2008-08-22 17:12 . 1999-09-10 04:06 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2008-08-22 17:12 . 1999-09-10 04:06 4,672 --a------ C:\WINDOWS\system\wowpost.exe
2008-08-22 16:08 . 2008-08-22 16:08 d-------- C:\Program Files\zuwxokd
2008-08-19 19:03 . 2008-08-19 19:03 77,824 --a------ C:\WINDOWS\system32\efsxmlgj.exe
2008-08-19 11:35 . 2008-08-23 19:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-19 11:35 . 2008-08-19 11:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-19 11:27 . 2008-08-19 11:27 d-------- C:\WINDOWS\system32\scripting
2008-08-19 11:27 . 2008-08-19 11:27 d-------- C:\WINDOWS\system32\en
2008-08-19 11:27 . 2008-08-19 11:27 d-------- C:\WINDOWS\system32\bits
2008-08-19 11:27 . 2008-08-19 11:27 d-------- C:\WINDOWS\l2schemas
2008-08-19 11:25 . 2008-08-19 11:25 d-------- C:\WINDOWS\ServicePackFiles
2008-08-19 11:22 . 2008-08-19 11:22 d-------- C:\WINDOWS\EHome
2008-08-19 11:13 . 2008-04-13 17:11 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll
2008-08-17 22:38 . 2008-08-22 15:45 d-------- C:\Program Files\XoftSpySE
2008-08-17 18:37 . 2008-08-17 18:38 d-------- C:\Program Files\Ashampoo AntiSpyWare 2
2008-08-16 22:27 . 2008-08-16 22:27 d-------- C:\Program Files\Enigma Software Group
2008-08-16 21:44 . 2008-08-18 09:33 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-16 21:42 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-08-16 21:42 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-08-16 21:42 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-08-16 21:42 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-08-16 21:42 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-08-15 16:51 . 2008-08-15 16:51 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-15 16:51 . 2008-08-15 16:51 d-------- C:\Documents and Settings\Nate\Application Data\SUPERAntiSpyware.com
2008-08-15 16:51 . 2008-08-15 16:51 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-15 09:41 . 2008-08-16 22:19 d-------- C:\Documents and Settings\Nate\.housecall6.6
2008-08-15 09:14 . 2008-08-15 17:41 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 09:14 . 2008-08-15 09:14 d-------- C:\Documents and Settings\Nate\Application Data\Malwarebytes
2008-08-15 09:14 . 2008-08-15 09:14 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-15 09:14 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-15 09:14 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-14 23:06 . 2008-08-14 23:06 d-------- C:\WINDOWS\Common
2008-08-14 23:06 . 2008-08-14 23:06 d-------- C:\Documents and Settings\All Users\Application Data\nadujqze
2008-08-13 00:58 . 2008-04-11 12:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-13 00:53 . 2008-05-01 07:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-07 07:11 . 2008-08-07 07:12 d-------- C:\Program Files\Safari
2008-08-06 18:56 . 2007-03-17 15:12 303,104 --a------ C:\WINDOWS\lame_enc.dll
2008-08-03 22:28 . 2008-08-03 22:28 d-------- C:\Program Files\Audacity
2008-08-01 15:52 . 2008-08-01 15:52 d-------- C:\Program Files\LG Electronics
2008-08-01 15:52 . 2007-04-09 09:55 22,912 --a------ C:\WINDOWS\system32\drivers\lgusbmodem.sys
2008-08-01 15:52 . 2007-04-09 09:56 21,248 --a------ C:\WINDOWS\system32\drivers\lgusbdiag.sys
2008-08-01 15:52 . 2007-04-09 09:53 12,672 --a------ C:\WINDOWS\system32\drivers\lgusbbus.sys
2008-07-25 19:13 . 2008-07-25 19:13 d-------- C:\Documents and Settings\Nate\Application Data\Flickr
2008-07-25 19:05 . 2008-07-28 18:32 d-------- C:\Program Files\Flickr Uploadr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-08-22 06:09 --------- d-----w C:\Documents and Settings\Nate\Application Data\uTorrent
2008-08-17 00:35 --------- d-----w C:\Program Files\AIM6
2008-08-15 23:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-15 23:26 --------- d-----w C:\Program Files\Hijack This
2008-08-10 04:27 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-07 14:12 --------- d-----w C:\Documents and Settings\Nate\Application Data\Apple Computer
2008-08-06 01:39 --------- d-----w C:\Program Files\Netscape Navigator 9
2008-08-01 22:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-29 05:13 --------- d-----w C:\Program Files\BitPim
2008-07-26 01:37 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-13 17:37 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-13 17:37 12,936 ----a-w C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-07-13 17:37 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-11 10:19 --------- d-----w C:\Program Files\DAP
2008-07-10 16:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-28 22:22 --------- d-----w C:\Program Files\QPST
2008-06-24 17:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 01:48 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-05-25 17:41 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-25 17:41 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-01-20 01:11 47,360 ----a-w C:\Documents and Settings\Nate\Application Data\pcouffin.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 09:15 50528]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-01-19 00:35 160592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"actchk"="C:\WINDOWS\system32\efsxmlgj.exe" [2008-08-19 19:03 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-16 18:45 142104]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-16 18:45 138008]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 10:35 221184]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 08:24 16384]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-26 18:45 389120]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-25 18:37 1235736]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"ShUtil"="C:\WINDOWS\Common\hwdstkle.exe" [2008-08-14 23:06 49152]
"'Ashampoo AntiSpyWare 2 Guard'"="C:\Program Files\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe" [2008-03-13 14:36 2316632]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-25 10:41 185896]
"PMX Daemon"="ICO.EXE" [2006-11-08 14:01 49152 C:\WINDOWS\system32\ico.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-19 15:34 16858112 C:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"eTVD0NRi7Q"="C:\Documents and Settings\All Users\Application Data\nadujqze\pkhijixe.exe" [2008-08-14 23:06 53248]

C:\Documents and Settings\Nate\Start Menu\Programs\Startup\
iTunes (2).lnk - C:\WINDOWS\Installer\{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}\iTunesIco.exe [2008-05-12 20:48:19 102400]
Mozilla Firefox (2).lnk - C:\Program Files\Mozilla Firefox\firefox.exe [2008-01-11 18:53:32 7667312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"monadm"= {2F42C8E6-BCB4-35A8-4572-0B8389125D82} - C:\Program Files\zuwxokd\monadm.dll [2008-08-22 16:08 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.CDVC"= cdvccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\VLC Player\\vlc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38597:TCP"= 38597:TCP:utorrent

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-07-13 10:37]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-25 18:37]
R2 AASW2_Service;Ashampoo AntiSpyWare 2 Service;C:\Program Files\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe [2008-03-13 14:36]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-25 18:37]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-13 10:37]
R3 viafilter;VIA USB Filter;C:\WINDOWS\system32\Drivers\viausb1.sys [2001-09-19 13:28]
S3 pmxmouse;PMXMOUSE;C:\WINDOWS\system32\DRIVERS\pmxmouse.sys [2007-06-01 14:41]
S3 pmxusblf;PMXUSBLF;C:\WINDOWS\system32\DRIVERS\pmxusblf.sys [2007-05-24 17:56]
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-17 C:\WINDOWS\Tasks\20080112_090600_Nate.job - C:\Program Files\Nero\Nero8\Nero BackItUp\BackItUp.exe []
2008-08-04 C:\WINDOWS\Tasks\20080112_091100_Nate2.job - C:\Program Files\Nero\Nero8\Nero BackItUp\BackItUp.exe []
2008-08-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2008-08-24 C:\WINDOWS\Tasks\XoftSpySE 2.job - C:\Program Files\XoftSpySE\XoftSpy.exe [2008-08-17 22:37]
2008-08-23 C:\WINDOWS\Tasks\XoftSpySE.job - C:\Program Files\XoftSpySE\XoftSpy.exe [2008-08-17 22:37]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryMechanic - (no file)
HKLM-Run-NWEReboot - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Nate\Application Data\Mozilla\Firefox\Profiles\c92cxqpp.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hotmail.com

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 19:23:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 19:25:51
ComboFix-quarantined-files.txt 2008-08-24 02:25:44

Pre-Run: 179,231,014,912 bytes free
Post-Run: 179,205,140,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

224 --- E O F --- 2008-08-21 10:00:53