ComboFix 08-12-06.06 - Owner 2008-12-08 1:19:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.471 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\_002936_.tmp.dll
c:\windows\system32\_002937_.tmp.dll
c:\windows\system32\_002938_.tmp.dll
c:\windows\system32\_002939_.tmp.dll
c:\windows\system32\_002946_.tmp.dll
c:\windows\system32\_002947_.tmp.dll
c:\windows\system32\_002948_.tmp.dll
c:\windows\system32\_002949_.tmp.dll
c:\windows\system32\_002951_.tmp.dll
c:\windows\system32\_002952_.tmp.dll
c:\windows\system32\_002955_.tmp.dll
c:\windows\system32\_002956_.tmp.dll
c:\windows\system32\_002958_.tmp.dll
c:\windows\system32\_002959_.tmp.dll
c:\windows\system32\_002960_.tmp.dll
c:\windows\system32\_002962_.tmp.dll
c:\windows\system32\_002965_.tmp.dll
c:\windows\system32\_002966_.tmp.dll
c:\windows\system32\_002970_.tmp.dll
c:\windows\system32\_002971_.tmp.dll
c:\windows\system32\_002973_.tmp.dll
c:\windows\system32\_002976_.tmp.dll
c:\windows\system32\_002978_.tmp.dll
c:\windows\system32\_002979_.tmp.dll
c:\windows\system32\_002980_.tmp.dll
c:\windows\system32\_002981_.tmp.dll
c:\windows\system32\_002982_.tmp.dll
c:\windows\system32\_002985_.tmp.dll
c:\windows\system32\_002986_.tmp.dll
c:\windows\system32\_002987_.tmp.dll
c:\windows\system32\_002988_.tmp.dll
c:\windows\system32\_002989_.tmp.dll
c:\windows\system32\_002994_.tmp.dll
c:\windows\system32\_002996_.tmp.dll
c:\windows\system32\_002997_.tmp.dll
c:\windows\system32\h@tkeysh@@k.dll
c:\windows\system32\ntnet.drv
c:\windows\system32\sysaudio.sys
.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.
2008-12-08 01:08 . 2008-12-08 01:08 d-------- c:\program files\Trend Micro
2008-12-07 20:42 . 2008-12-07 21:39 d-------- c:\program files\Spybot - Search & Destroy
2008-12-06 22:33 . 2008-12-06 22:33 d-------- C:\Binaries
2008-12-06 00:37 . 2008-12-06 00:37 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-06 00:37 . 2008-12-06 00:37 1,409 --a------ c:\windows\QTFont.for
2008-11-12 00:15 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 00:15 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 09:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 06:35 139,152 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-08 06:35 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-08 05:34 --------- d-----w c:\program files\Incomplete
2008-12-08 05:33 --------- d-----w c:\program files\Sony
2008-12-08 03:26 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2008-12-07 06:32 164 ----a-w C:\install.dat
2008-11-14 01:11 1,553,272 ----a-w c:\windows\WRSetup.dll
2008-11-13 08:49 3,592 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-11-13 00:02 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-13 00:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-13 00:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-10-29 00:05 --------- d-----w c:\documents and settings\Owner\Application Data\Sony
2008-10-29 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2008-10-28 21:51 --------- d-----w c:\program files\DVDVideoSoft
2008-10-28 21:44 --------- d-----w c:\documents and settings\All Users\Application Data\3431C
2008-10-28 21:27 --------- d-----w c:\documents and settings\All Users\Application Data\F157
2008-10-28 21:11 --------- d-----w c:\program files\QuickTime
2008-10-28 21:10 --------- d-----w c:\program files\Apple Software Update
2008-10-28 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-28 21:09 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-25 09:17 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 07:31 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 01:11 682,280 ----a-w c:\windows\system32\pbsvc.exe
2008-09-25 01:11 22,328 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-13 20:30 729,088 ----a-w c:\windows\iun6002.exe
2008-09-13 04:51 2,396 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-09-12 23:59 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-12 00:27 262,144 ----a-w c:\program files\Uninstall Ask Toolbar.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-13 17:04 238968 --a------ c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2005-09-21 86016]
"AlcWzrd"="c:\windows\ALCWZRD.EXE" [2005-09-21 2807808]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-11-13 6273400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"= sysaudio.sys
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 19:16 286720 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3723:TCP"= 3723:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"26381:TCP"= 26381:TCP:BitComet 26381 TCP
"26381:UDP"= 26381:UDP:BitComet 26381 UDP
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 29808]
R2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe" [2008-10-15 1086840]
.
Contents of the 'Scheduled Tasks' folder
2008-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
2004-12-02 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 16:12]
2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
.
------- Supplementary Scan -------
.
mWindow Title = Windows Internet Explorer provided by Comcast
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gk9vjsnl.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msn.com/
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 01:23:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3876)
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\wwSecure.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-12-08 1:26:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 09:25:51
Pre-Run: 141,984,608,256 bytes free
Post-Run: 141,909,032,960 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
233 --- E O F --- 2008-11-12 11:16:50