ComboFix 08-12-06.06 - Owner 2008-12-08 1:19:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.471 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\_002936_.tmp.dll
c:\windows\system32\_002937_.tmp.dll
c:\windows\system32\_002938_.tmp.dll
c:\windows\system32\_002939_.tmp.dll
c:\windows\system32\_002946_.tmp.dll
c:\windows\system32\_002947_.tmp.dll
c:\windows\system32\_002948_.tmp.dll
c:\windows\system32\_002949_.tmp.dll
c:\windows\system32\_002951_.tmp.dll
c:\windows\system32\_002952_.tmp.dll
c:\windows\system32\_002955_.tmp.dll
c:\windows\system32\_002956_.tmp.dll
c:\windows\system32\_002958_.tmp.dll
c:\windows\system32\_002959_.tmp.dll
c:\windows\system32\_002960_.tmp.dll
c:\windows\system32\_002962_.tmp.dll
c:\windows\system32\_002965_.tmp.dll
c:\windows\system32\_002966_.tmp.dll
c:\windows\system32\_002970_.tmp.dll
c:\windows\system32\_002971_.tmp.dll
c:\windows\system32\_002973_.tmp.dll
c:\windows\system32\_002976_.tmp.dll
c:\windows\system32\_002978_.tmp.dll
c:\windows\system32\_002979_.tmp.dll
c:\windows\system32\_002980_.tmp.dll
c:\windows\system32\_002981_.tmp.dll
c:\windows\system32\_002982_.tmp.dll
c:\windows\system32\_002985_.tmp.dll
c:\windows\system32\_002986_.tmp.dll
c:\windows\system32\_002987_.tmp.dll
c:\windows\system32\_002988_.tmp.dll
c:\windows\system32\_002989_.tmp.dll
c:\windows\system32\_002994_.tmp.dll
c:\windows\system32\_002996_.tmp.dll
c:\windows\system32\_002997_.tmp.dll
c:\windows\system32\h@tkeysh@@k.dll
c:\windows\system32\ntnet.drv
c:\windows\system32\sysaudio.sys
.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.
2008-12-08 01:08 . 2008-12-08 01:08  d--------  c:\program files\Trend Micro
2008-12-07 20:42 . 2008-12-07 21:39  d--------  c:\program files\Spybot - Search & Destroy
2008-12-06 22:33 . 2008-12-06 22:33  d--------  C:\Binaries
2008-12-06 00:37 . 2008-12-06 00:37  54,156  --ah-----  c:\windows\QTFont.qfn
2008-12-06 00:37 . 2008-12-06 00:37  1,409  --a------  c:\windows\QTFont.for
2008-11-12 00:15 . 2008-09-04 09:15  1,106,944  -----c---  c:\windows\system32\dllcache\msxml3.dll
2008-11-12 00:15 . 2008-10-24 03:21  455,296  -----c---  c:\windows\system32\dllcache\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 09:12  ---------  d-----w  c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 06:35  139,152  ----a-w  c:\windows\system32\drivers\PnkBstrK.sys
2008-12-08 06:35  111,928  ----a-w  c:\windows\system32\PnkBstrB.exe
2008-12-08 05:34  ---------  d-----w  c:\program files\Incomplete
2008-12-08 05:33  ---------  d-----w  c:\program files\Sony
2008-12-08 03:26  ---------  d-----w  c:\program files\Common Files\DVDVideoSoft
2008-12-07 06:32  164  ----a-w  C:\install.dat
2008-11-14 01:11  1,553,272  ----a-w  c:\windows\WRSetup.dll
2008-11-13 08:49  3,592  ----a-w  c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-11-13 00:02  29,808  ----a-w  c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-13 00:02  23,152  ----a-w  c:\windows\system32\drivers\sshrmd.sys
2008-11-13 00:02  170,608  ----a-w  c:\windows\system32\drivers\ssidrv.sys
2008-10-29 00:05  ---------  d-----w  c:\documents and settings\Owner\Application Data\Sony
2008-10-29 00:05  ---------  d-----w  c:\documents and settings\All Users\Application Data\Sony
2008-10-28 21:51  ---------  d-----w  c:\program files\DVDVideoSoft
2008-10-28 21:44  ---------  d-----w  c:\documents and settings\All Users\Application Data\3431C
2008-10-28 21:27  ---------  d-----w  c:\documents and settings\All Users\Application Data\F157
2008-10-28 21:11  ---------  d-----w  c:\program files\QuickTime
2008-10-28 21:10  ---------  d-----w  c:\program files\Apple Software Update
2008-10-28 21:10  ---------  d-----w  c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-28 21:09  ---------  d-----w  c:\documents and settings\All Users\Application Data\Apple
2008-10-25 09:17  66,872  ----a-w  c:\windows\system32\PnkBstrA.exe
2008-10-24 11:21  455,296  ----a-w  c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13  202,776  ----a-w  c:\windows\system32\wuweb.dll
2008-10-16 22:13  1,809,944  ----a-w  c:\windows\system32\wuaueng.dll
2008-10-16 22:12  561,688  ----a-w  c:\windows\system32\wuapi.dll
2008-10-16 22:12  323,608  ----a-w  c:\windows\system32\wucltui.dll
2008-10-16 22:09  92,696  ----a-w  c:\windows\system32\cdm.dll
2008-10-16 22:09  51,224  ----a-w  c:\windows\system32\wuauclt.exe
2008-10-16 22:09  43,544  ----a-w  c:\windows\system32\wups2.dll
2008-10-16 22:08  34,328  ----a-w  c:\windows\system32\wups.dll
2008-10-16 22:06  268,648  ----a-w  c:\windows\system32\mucltui.dll
2008-10-16 22:06  208,744  ----a-w  c:\windows\system32\muweb.dll
2008-10-16 07:31  ---------  d-----w  c:\documents and settings\All Users\Application Data\Webroot
2008-10-01 00:43  1,286,152  ----a-w  c:\windows\system32\msxml4.dll
2008-09-25 01:11  682,280  ----a-w  c:\windows\system32\pbsvc.exe
2008-09-25 01:11  22,328  ----a-w  c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2008-09-15 12:12  1,846,400  ----a-w  c:\windows\system32\win32k.sys
2008-09-13 20:30  729,088  ----a-w  c:\windows\iun6002.exe
2008-09-13 04:51  2,396  ----a-w  c:\windows\system32\ealregsnapshot1.reg
2008-09-12 23:59  107,888  ----a-w  c:\windows\system32\CmdLineExt.dll
2008-09-12 00:27  262,144  ----a-w  c:\program files\Uninstall Ask Toolbar.dll
2008-09-10 01:14  1,307,648  ----a-w  c:\windows\system32\msxml6.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-13 17:04 238968 --a------ c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2005-09-21 86016]
"AlcWzrd"="c:\windows\ALCWZRD.EXE" [2005-09-21 2807808]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-11-13 6273400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"= sysaudio.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 19:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3723:TCP"= 3723:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"26381:TCP"= 26381:TCP:BitComet 26381 TCP
"26381:UDP"= 26381:UDP:BitComet 26381 UDP

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 29808]
R2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe" [2008-10-15 1086840]
.
Contents of the 'Scheduled Tasks' folder

2008-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2004-12-02 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 16:12]

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)

.
------- Supplementary Scan -------
.
mWindow Title = Windows Internet Explorer provided by Comcast
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gk9vjsnl.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msn.com/
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 01:23:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3876)
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\wwSecure.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-12-08 1:26:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 09:25:51

Pre-Run: 141,984,608,256 bytes free
Post-Run: 141,909,032,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

233 --- E O F --- 2008-11-12 11:16:50