ComboFix 08-08-23.03 - Soleil Robichaud 2008-08-26 19:30:28.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.117 [GMT -4:00]
Running from: C:\Documents and Settings\Soleil Robichaud\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Soleil Robichaud\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Fonts\wmsncs.exe
C:\WINDOWS\Help\internat.exe
C:\WINDOWS\Help\ipconfig.sys
C:\WINDOWS\Help\svchost.exe
C:\WINDOWS\Help\svchost32.exe
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\drivers\hljc.sys
C:\WINDOWS\system32\g.bat
C:\WINDOWS\system32\spool\drivers\wmsncs.exe
C:\WINDOWS\system32\wins\wmsncs.exe
C:\WINDOWS\system32\wmsoft35025.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Soleil Robichaud\Application Data\macromedia\Flash Player\#SharedObjects\FUYZS8F5\interclick.com
C:\Documents and Settings\Soleil Robichaud\Application Data\macromedia\Flash Player\#SharedObjects\FUYZS8F5\interclick.com\ud.sol
C:\Documents and Settings\Soleil Robichaud\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Soleil Robichaud\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Soleil Robichaud\Application Data\PrivacyControl
C:\Documents and Settings\Soleil Robichaud\Application Data\PrivacyControl\Log\2008 Aug 25 - 04_30_20 PM_022.log
C:\Documents and Settings\Soleil Robichaud\Application Data\PrivacyControl\Log\2008 Aug 25 - 07_57_33 PM_961.log
C:\Documents and Settings\Soleil Robichaud\Application Data\PrivacyControl\Log\2008 Aug 25 - 07_57_34 PM_883.log
C:\Documents and Settings\Soleil Robichaud\Application Data\PrivacyControl\Log\2008 Aug 25 - 08_08_29 PM_536.log
C:\Documents and Settings\Soleil Robichaud\Application Data\PrivacyControl\Log\2008 Aug 26 - 06_55_26 AM_560.log
C:\Documents and Settings\Soleil Robichaud\Application Data\PrivacyControl\Log\2008 Aug 26 - 07_01_36 AM_553.log
C:\Documents and Settings\Soleil Robichaud\Application Data\PrivacyControl\Settings\CustomScan.stg
C:\Documents and Settings\Soleil Robichaud\Application Data\PrivacyControl\Settings\IgnoreList.stg
C:\Documents and Settings\Soleil Robichaud\Application Data\PrivacyControl\Settings\ScanInfo.stg
C:\Documents and Settings\Soleil Robichaud\Application Data\PrivacyControl\Settings\SelectedFolders.stg
C:\Documents and Settings\Soleil Robichaud\Application Data\PrivacyControl\Settings\Settings.stg
C:\Documents and Settings\Soleil Robichaud\Cookies\soleil robichaud@ad.yieldmanager[2].txt
C:\WINDOWS\Fonts\wmsncs.exe
C:\WINDOWS\system32\spool\drivers\wmsncs.exe
C:\WINDOWS\system32\wins\wmsncs.exe
.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NET_RUNTIME_OPTIMIZATION_SERVICE_V2.1.41329_X86
-------\Service_NET Runtime Optimization Service v2.1.41329_X86


(((((((((((((((((((((((((   Files Created from 2008-07-26 to 2008-08-26   )))))))))))))))))))))))))))))))
.

2008-08-26 18:40 . 2008-08-26 18:40  d--------  C:\Documents and Settings\Soleil Robichaud\Application Data\Yahoo!
2008-08-26 16:56 . 2008-08-26 16:56  d--------  C:\Documents and Settings\Trevor Robichaud\Application Data\Yahoo!
2008-08-26 16:56 . 2008-08-26 16:56  d--------  C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-26 16:55 . 2008-08-26 16:55  d--------  C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-26 16:48 . 2008-08-26 16:53  d--------  C:\Program Files\Yahoo!
2008-08-26 09:16 . 2007-07-30 19:19  549,720  --a------  C:\WINDOWS\system32\wuapi.dll
2008-08-26 09:16 . 2007-07-30 19:19  325,976  --a------  C:\WINDOWS\system32\wucltui.dll
2008-08-26 09:16 . 2007-07-30 19:19  216,408  --a------  C:\WINDOWS\system32\wuaucpl.cpl
2008-08-26 09:16 . 2007-07-30 19:19  203,096  --a------  C:\WINDOWS\system32\wuweb.dll
2008-08-26 09:16 . 2004-08-03 14:03  186,136  --a------  C:\WINDOWS\system32\wuaueng1.dll
2008-08-26 09:16 . 2004-08-03 14:01  167,704  --a------  C:\WINDOWS\system32\wuauclt1.exe
2008-08-26 09:16 . 2007-07-30 19:18  33,624  --a------  C:\WINDOWS\system32\wups.dll
2008-08-25 14:33 . 2008-08-25 14:34  d--------  C:\Documents and Settings\Ron Robichaud\Application Data\PrivacyControl
2008-08-24 22:57 . 2008-08-26 17:06  54,156  --ah-----  C:\WINDOWS\QTFont.qfn
2008-08-24 22:57 . 2008-08-24 22:57  1,409  --a------  C:\WINDOWS\QTFont.for
2008-08-24 19:54 . 2008-08-24 19:54  d--------  C:\WINDOWS\ERUNT
2008-08-24 19:48 . 2008-08-24 20:05  d--------  C:\SDFix
2008-08-24 18:02 . 2008-08-26 17:29  d--------  C:\Documents and Settings\Trevor Robichaud\Application Data\AdwareAlert
2008-08-24 12:30 . 2008-08-24 12:30  d--------  C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-23 19:25 . 2008-08-26 13:15  d--------  C:\Program Files\AdwareAlert
2008-08-23 19:01 . 2008-08-23 19:01  d--------  C:\Program Files\Trend Micro
2008-08-23 18:52 . 2008-08-23 19:28  d--------  C:\Documents and Settings\Soleil Robichaud\Application Data\AdwareAlert
2008-08-23 18:52 . 2008-08-25 13:09  d--------  C:\Documents and Settings\Ron Robichaud\Application Data\AdwareAlert
2008-08-23 18:49 . 2008-08-23 18:52  d--------  C:\Documents and Settings\Soleil Robichaud\Application Data\AdwareAlert(2)
2008-08-23 18:20 . 2008-08-23 18:52  d--------  C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 18:20 . 2008-08-23 18:20  d--------  C:\Documents and Settings\Soleil Robichaud\Application Data\Malwarebytes
2008-08-23 18:20 . 2008-08-23 18:20  d--------  C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-23 18:19 . 2008-08-23 18:19  d--------  C:\Program Files\Common Files\Download Manager
2008-08-23 18:13 . 2008-08-23 18:59  d--------  C:\Program Files\ERUNT
2008-08-14 22:37 . 2008-08-14 22:37  d--------  C:\Program Files\EPSON
2008-08-14 22:37 . 2004-06-24 01:20  309,760  --a------  C:\WINDOWS\system32\EAL32.DLL
2008-08-14 22:37 . 2004-03-12 01:30  82,944  --a------  C:\WINDOWS\system32\EAL.EXE
2008-08-14 22:37 . 2004-11-25 05:07  79,679  --a------  C:\WINDOWS\system32\E_FLMABA.DLL
2008-08-14 22:37 . 2003-05-21 02:27  64,000  --a------  C:\WINDOWS\system32\E_FBCBABA.DLL
2008-08-14 22:37 . 2000-06-07 01:01  34,304  --a------  C:\WINDOWS\system32\E_FBCHABA.DLL
2008-08-14 22:37 . 2004-06-24 01:20  51  --a------  C:\WINDOWS\system32\EAL32.INI
2008-08-11 00:33 . 2008-08-11 00:33  d--------  C:\Documents and Settings\Soleil Robichaud\Application Data\acccore
2008-08-11 00:31 . 2008-08-11 00:31  d--------  C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-08-11 00:30 . 2008-08-11 00:30  21  --a------  C:\WINDOWS\atid.ini
2008-08-11 00:29 . 2008-08-11 00:34  d--------  C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-08-11 00:29 . 2008-08-11 00:29  d--------  C:\Documents and Settings\All Users\Application Data\AOL
2008-08-11 00:29 . 2008-08-11 00:29  d--------  C:\Documents and Settings\All Users\Application Data\acccore
2008-08-11 00:27 . 2008-08-11 00:33  d--------  C:\Program Files\AIM6
2008-08-08 22:46 . 2008-08-08 22:46  53  --a------  C:\WINDOWS\system32\g.ftp
2008-08-07 17:31 . 2008-08-07 17:31  159,744  --a------  C:\WINDOWS\system32\Bsmtp.dll
2008-08-07 17:31 . 2008-08-07 17:31  108,336  --a------  C:\WINDOWS\system32\MSWINSCK.OCX
2008-08-07 15:46 . 2008-08-07 15:46  d---s----  C:\Documents and Settings\Ron Robichaud\UserData
2008-08-01 23:09 . 2008-08-01 23:09  d--------  C:\WINDOWS\A8B9466986544126BD28D0D2412CDED6.TMP
2008-08-01 13:01 . 2008-08-15 12:21  d--------  C:\Documents and Settings\Trevor Robichaud\Application Data\OnRez
2008-08-01 12:07 . 2008-08-01 12:07  d---s----  C:\Documents and Settings\Trevor Robichaud\UserData
2008-07-31 22:03 . 2008-08-15 01:49  d--------  C:\Documents and Settings\Trevor Robichaud\Application Data\SecondLife
2008-07-31 21:53 . 2008-07-31 21:53  d---s----  C:\Documents and Settings\Soleil Robichaud\UserData
2008-07-31 21:40 . 2008-07-31 21:40  2,838  --a------  C:\WINDOWS\machine.ver
2008-07-31 14:02 . 2008-07-31 14:02  d--------  C:\Documents and Settings\Soleil Robichaud\Application Data\MAGIX

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 04:28  ---------  d-----w  C:\Program Files\Common Files\AOL
2008-08-08 07:14  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\HP
2008-08-02 03:42  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-08-01 15:16  ---------  d-----w  C:\Program Files\MindSpring 4.0
.

------- Sigcheck -------

2004-08-03 14:02  113944  4fe41a819f5a1ff0923f12b34830a6ca  C:\WINDOWS\LastGood\System32\wuauclt.exe
2007-07-30 19:19  53080  f3e9065eb617a7e3a832a7976bfa021b  C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19  53080  f3e9065eb617a7e3a832a7976bfa021b  C:\WINDOWS\system32\dllcache\wuauclt.exe
.

(((((((((((((((((((((((((((((   snapshot@2008-08-24_20.47.45.80   )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28  163,328  ----a-w  C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2004-08-03 18:00:12  71,448  ----a-w  C:\WINDOWS\LastGood\System32\cdm.dll
+ 2004-08-03 18:00:10  420,632  ----a-w  C:\WINDOWS\LastGood\System32\wuapi.dll
+ 2004-08-03 18:07:38  1,081,112  ----a-w  C:\WINDOWS\LastGood\System32\wuaueng.dll
+ 2004-08-03 18:02:52  118,552  ----a-w  C:\WINDOWS\LastGood\System32\wucltui.dll
+ 2004-08-03 17:59:14  39,704  ----a-w  C:\WINDOWS\LastGood\System32\wups.dll
+ 2004-08-03 17:59:18  120,288  ----a-w  C:\WINDOWS\LastGood\System32\wuweb.dll
- 2002-08-29 12:00:00  14,848  ----a-w  C:\WINDOWS\system32\cdm.dll
+ 2007-07-30 23:19:20  92,504  ----a-w  C:\WINDOWS\system32\cdm.dll
- 2008-08-23 18:57:18  16,384  -c--a-w  C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-26 12:28:00  16,384  -c--a-w  C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-23 18:57:18  32,768  -c--a-w  C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-26 12:28:00  32,768  -c--a-w  C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-23 18:57:18  32,768  -c--a-w  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-26 12:28:00  32,768  -c--a-w  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-07-30 23:19:20  92,504  -c--a-w  C:\WINDOWS\system32\dllcache\cdm.dll
- 2002-08-29 12:00:00  166,912  -c--a-w  C:\WINDOWS\system32\dllcache\iuengine.dll
+ 2004-08-03 18:04:40  185,624  -c--a-w  C:\WINDOWS\system32\dllcache\iuengine.dll
+ 2007-07-30 23:19:42  1,712,984  -c--a-w  C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2002-08-29 12:00:00  166,912  -c--a-w  C:\WINDOWS\system32\iuengine.dll
+ 2004-08-03 18:04:40  185,624  ----a-w  C:\WINDOWS\system32\iuengine.dll
+ 2007-07-30 23:18:40  33,624  ----a-w  C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
- 2002-08-29 12:00:00  189,440  ----a-w  C:\WINDOWS\system32\wuaueng.dll
+ 2007-07-30 23:19:42  1,712,984  ----a-w  C:\WINDOWS\system32\wuaueng.dll
+ 2007-07-30 23:19:12  43,352  ----a-w  C:\WINDOWS\system32\wups2.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 11:21 50472]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2008-08-22 15:20 9093120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-04-15 23:01 258048]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 03:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 03:07 114688]
"PmProxy"="C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 22:54 40960]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 20:16 172032]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 17:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00 126976]
"NDSTray.exe"="C:\Program Files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-17 23:26 458752]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 16:21 159744]
"AccessRampMonitor"="C:\Program Files\AccessRamp\ARMon32.exe" [1999-08-03 13:13 68096]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [2006-08-20 22:28 28672]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 02:12 49152]
"NvidMediaCenter"="C:\Program Files\Common Files\System\wmsncs.exe" [2008-08-07 15:17 126823]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 04:00 98304]
"Background Intelligent Transfer Service"="C:\WINDOWS\help\svchost.exe" [BU]
"Wmsncs Service"="C:\WINDOWS\Fonts\wmsncs.exe" [BU]
"Spool Driver Service"="C:\WINDOWS\System32\spool\drivers\wmsncs.exe" [2008-08-07 15:17 126823]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2002-12-10 13:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvidMediaCenter"="C:\Program Files\Common Files\System\wmsncs.exe" [2008-08-07 15:17 126823]
"Wmsncs Service"="C:\WINDOWS\Fonts\wmsncs.exe" [BU]
"Spool Driver Service"="C:\WINDOWS\System32\spool\drivers\wmsncs.exe" [2008-08-07 15:17 126823]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 02:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 18:23:00 65588]
wmsncs.exe [2008-08-07 15:17:21 126823]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe \"C:\\WINDOWS\\Fonts\\wmsncs.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmsncs.exe"= wmsncs.exe:SYSTEM

R2 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86;C:\WINDOWS\Fonts\wmsncs.exe []
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\System32\DRIVERS\cben5.sys [2001-08-17 08:13]
S3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\System32\DRIVERS\wlags48b.sys [2002-06-28 19:29]

*Newly Created Service* - NET_RUNTIME_OPTIMIZATION_SERVICE_V2.1.41329_X86

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}]
C:\WINDOWS\Fonts\wmsncs.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-26 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
- C:\Program Files\AdwareAlert\AdwareAlert.exe [2008-08-22 15:20]

2008-08-26 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
- C:\Program Files\AdwareAlert [2008-08-26 13:15]

2003-10-11 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 12:04]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PrivacyControl - C:\Program Files\PrivacyControl\PrivacyControl.exe
HKLM-Run-Wins Service - C:\WINDOWS\System32\wins\wmsncs.exe
HKU-Default-Run-Wins Service - C:\WINDOWS\System32\wins\wmsncs.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 19:35:17
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

C:\WINDOWS\Fonts\wmsncs.exe [1116] 0xFF71DDA8

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\drivers\CDANTSRV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-08-26 19:40:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 23:40:09
ComboFix2.txt 2008-08-26 00:14:38
ComboFix3.txt 2008-08-25 00:48:59

Pre-Run: 1,877,008,384 bytes free
Post-Run: 2,001,309,696 bytes free

247
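The "Reg Loading Points" part of the log above is where the infection shows itself: the Winlogon Shell value has a second program appended after explorer.exe, every Security Center notification is overridden, the Windows Firewall standard profile is switched off, a service named like the .NET optimizer starts an executable out of \WINDOWS\Fonts, a file called svchost.exe is started from \WINDOWS\help, the Active Setup key uses a "GUID" containing non-hex characters, and the same file name wmsncs.exe is launched from several unrelated directories. The script below is an added example of how to triage such a dump automatically; it is not ComboFix code and not part of the posted log. Its sample input is a set of lines copied from the log above, and the rule names, the "no autostart binary belongs under Fonts or Help" directory list and the list of System32-only process names are this example's own assumptions.

```python
"""Flag persistence indicators in a ComboFix 'Reg Loading Points' dump (added example, not ComboFix code)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the log above (Run keys, Winlogon Shell, Security
# Center, firewall policy, services, Active Setup). Not a complete ComboFix log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [2006-08-20 22:28 28672]
"NvidMediaCenter"="C:\Program Files\Common Files\System\wmsncs.exe" [2008-08-07 15:17 126823]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 04:00 98304]
"Background Intelligent Transfer Service"="C:\WINDOWS\help\svchost.exe" [BU]
"Wmsncs Service"="C:\WINDOWS\Fonts\wmsncs.exe" [BU]
"Spool Driver Service"="C:\WINDOWS\System32\spool\drivers\wmsncs.exe" [2008-08-07 15:17 126823]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe \"C:\\WINDOWS\\Fonts\\wmsncs.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86;C:\WINDOWS\Fonts\wmsncs.exe []
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\System32\DRIVERS\cben5.sys [2001-08-17 08:13]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}]
"""

KEY_RE = re.compile(r'^\[([^\]]+)\]$')                                  # [HKLM\...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                         # "Name"=data
SERVICE_RE = re.compile(r'^[RS]\d\s+([^;]+);[^;]*;([^\[]+?)\s*\[')       # R2 name;display;image [..]
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|bat|cpl)', re.I)
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)
# Heuristics are this example's assumptions: no autostart binary belongs under these
# directories, and these process names are expected only under System32.
NONEXEC_DIRS = ('\\windows\\fonts\\', '\\windows\\help\\')
SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe'}
SC_FLAGS = {'antivirusdisablenotify', 'firewalldisablenotify', 'updatesdisablenotify',
            'antivirusoverride', 'firewalloverride'}

def _norm(path):
    """Lowercase and collapse the doubled backslashes REGEDIT4 uses."""
    return path.replace('\\\\', '\\').lower()

def triage(text):
    """Return (rule, detail) findings for one dump; rule names are this example's own."""
    findings, key = [], ''
    launch_dirs = defaultdict(set)  # basename -> directories it is started from

    def check_path(raw, origin):
        """Record where a launch target lives and flag odd locations."""
        path = _norm(raw)
        directory, base = path.rsplit('\\', 1)
        directory += '\\'
        launch_dirs[base].add(directory)
        if any(d in directory for d in NONEXEC_DIRS):
            findings.append(('exe-in-nonexec-dir', f'{origin}: {path}'))
        if base in SYSTEM_NAMES and '\\system32\\' not in directory:
            findings.append(('system-name-outside-system32', f'{origin}: {path}'))

    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
            guid = key.rsplit('\\', 1)[-1]
            if 'active setup\\installed components\\' in key and not GUID_RE.match(guid):
                findings.append(('malformed-active-setup-guid', m.group(1)))
        elif m := SERVICE_RE.match(line):
            check_path(m.group(2).strip(), 'service ' + m.group(1))
        elif m := VALUE_RE.match(line):
            name, data = m.group(1).lower(), m.group(2)
            if key.endswith('\\winlogon') and name == 'shell':
                # REGEDIT4 escapes embedded quotes; anything beyond explorer.exe is a hijack
                if _norm(data).replace('\\"', '').strip('" ') != 'explorer.exe':
                    findings.append(('winlogon-shell-hijack', data))
            elif key.endswith('\\security center') and name in SC_FLAGS and data.endswith('1'):
                findings.append(('security-center-override', f'{name}={data}'))
            elif 'firewallpolicy\\standardprofile' in key and name == 'enablefirewall' and data.startswith('0'):
                findings.append(('firewall-disabled', f'{name}={data}'))
            for raw in PATH_RE.findall(data):  # every launch target, including the Shell one
                check_path(raw, f'{name} in [{key}]')

    for base, dirs in launch_dirs.items():
        if len(dirs) > 1:  # one file name planted in several launch points
            findings.append(('same-binary-many-locations', f'{base}: ' + ', '.join(sorted(dirs))))
    return findings
```

Run against the sample it reports the hijacked Shell value, five Security Center overrides, EnableFirewall=0, the malformed Active Setup GUID, svchost.exe under \WINDOWS\help, four launch targets under Fonts or Help, and wmsncs.exe started from three different directories, while the legitimate MSMSGS, QuickTime, EPSON and CBEN5 entries stay quiet. The per-directory and per-name lists are deliberately small; the check that catches the most on this log is the last one, a single file name appearing under several unrelated launch points, because it needs no knowledge of the file itself.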