ComboFix 08-12-06.06 - Alex Davidson 2008-12-07 16:28:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.139 [GMT -6:00]
Running from: c:\documents and settings\Alex Davidson\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Alex Davidson\Application Data\WeatherDPA
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Start Menu\Programs\Zango
c:\documents and settings\All Users\Start Menu\Programs\Zango\Reset Cursor.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Weather.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Customer Support Center.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Games!.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Library.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Screensavers!.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Uninstall Instructions.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Videos!.lnk
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\windows\system32\mcrh.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WZMSV
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.
2008-12-07 16:06 . 2008-12-07 16:06 d-------- C:\_OTScanIt
2008-12-06 22:02 . 2008-12-06 22:02 d-------- c:\program files\Trend Micro
2008-12-04 16:20 . 2008-12-04 18:08 d-------- c:\windows\SxsCaPendDel
2008-12-04 15:26 . 2008-12-04 16:01 d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-12-04 15:24 . 2008-12-04 15:24 d-------- c:\program files\Common Files\iS3
2008-12-04 15:24 . 2008-12-04 16:19 d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-12-03 20:13 . 2008-12-07 16:13 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-03 20:13 . 2008-12-03 20:13 1,409 --a------ c:\windows\QTFont.for
2008-12-03 17:30 . 2008-12-07 16:28 d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 20:12 --------- d-----w c:\documents and settings\Alex Davidson\Application Data\AdobeUM
2008-12-07 03:37 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-04 15:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 03:41 --------- d-----w c:\program files\Yahoo!
2008-12-03 23:37 --------- d--h--w c:\documents and settings\Alex Davidson\Application Data\Move Networks
2008-11-08 01:37 --------- d-----w c:\program files\McAfee
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 17:08 --------- d-----w c:\documents and settings\Alex Davidson\Application Data\Yahoo!
2008-10-15 15:33 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2007-09-14 18:09 88 --sh--r c:\windows\system32\18AE97BB57.sys
2007-09-14 18:09 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 1537696]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-13 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-03 169984]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-03-23 185896]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-04-07 1528880]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-08-03 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 180224]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-02 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-07 24652]
S1 mfeavfkk;mfeavfkk;c:\windows\system32\drivers\mfeavfkk.sys []
S1 tsbvcapp;tsbvcapp;c:\windows\system32\drivers\tsbvcapp.sys []
.
Contents of the 'Scheduled Tasks' folder
2008-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 12:15]
2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2007-02-10 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -
BHO-{69660578-d565-4511-968d-a4fff26d3e14} - c:\windows\system32\mbfdax.dll
BHO-{D2E1BB7B-5888-5892-9AEE-D3C75C32C347} - c:\windows\system32\xeuoyxxcknidfg.dll
BHO-{F3CBE665-8CA8-4324-A15A-C4F844F0E235} - c:\windows\system32\khfdbBTK.dll
Toolbar-SITEguard - (no file)
HKLM-Run-88b257cf - c:\windows\system32\hpgbqkjf.dll
MSConfigStartUp-2F1EBECA - c:\windows\system32\rsbmsc.exe
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 16:35:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\gearsec.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MPS\mps.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\McAfee\MPS\mpsevh.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-12-07 16:41:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 22:41:41
Pre-Run: 15,506,591,744 bytes free
Post-Run: 15,456,301,056 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
189 --- E O F --- 2008-11-13 16:34:10