ComboFix 08-12-28.03 - Bob Mease 2008-12-30 0:08:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1565 [GMT -6:00]
Running from: c:\documents and settings\Bob Mease\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\TDSSweat.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.
2008-12-29 23:00 . 2008-12-29 23:00 d-------- c:\program files\Billybob Catchware
2008-12-29 23:00 . 2008-12-03 19:59 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-29 23:00 . 2008-12-03 19:59 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-13 18:36 . 2008-12-13 18:36 d-------- c:\program files\BillP Studios
2008-12-13 18:36 . 2008-12-13 18:36 d-------- c:\documents and settings\Bob Mease\Application Data\WinPatrol
2008-12-13 18:25 . 2008-12-13 18:25 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-13 15:40 . 2008-12-13 15:40 8,576 --a------ c:\windows\SYSTEM32\DRIVERS\nxqtlqpovucs.sys
2008-12-13 15:15 . 2008-12-13 15:16 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-13 15:14 . 2008-12-13 15:14 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-11 13:56 . 2008-12-29 23:20 d--h----- C:\$AVG8.VAULT$
2008-12-10 22:53 . 2008-12-10 22:53 d-------- C:\RootkitRevealer
2008-12-10 21:40 . 2008-11-17 13:05 12,576 --a------ c:\windows\SYSTEM32\DRIVERS\TfKbMon.sys
2008-12-10 21:19 . 2008-12-29 22:36 d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2008-12-10 21:19 . 2008-12-10 21:19 d-------- c:\documents and settings\Bob Mease\Application Data\AVGTOOLBAR
2008-12-10 21:19 . 2008-12-10 21:19 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2008-12-10 21:19 . 2008-12-10 21:19 76,040 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
2008-12-10 21:19 . 2008-12-10 21:19 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2008-11-08 14:35 . 2008-11-08 14:35 d-------- c:\program files\TomTom HOME 2
2008-11-08 14:35 . 2008-11-08 14:35 d-------- c:\documents and settings\Bob Mease\Application Data\TomTom
2008-11-08 14:35 . 2008-11-08 14:35 d-------- c:\documents and settings\All Users\Application Data\TomTom
2008-11-05 20:18 . 2008-11-05 20:18 d-------- c:\documents and settings\Administrator.D19X0931.000\Application Data\Malwarebytes
2008-11-03 22:29 . 2008-11-03 22:29 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-03 19:41 . 2008-11-03 19:41 d-------- c:\documents and settings\Bob Mease\Application Data\Malwarebytes
2008-11-03 19:41 . 2008-11-03 19:41 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-01 07:34 . 2008-11-01 07:34 d-------- c:\program files\AVG
2008-11-01 07:34 . 2008-12-13 15:10 d-------- c:\documents and settings\All Users\Application Data\avg8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 18:32 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-14 00:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-14 00:26 --------- d-----w c:\documents and settings\Bob Mease\Application Data\Symantec
2008-12-14 00:26 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-13 22:44 --------- d-----w c:\documents and settings\Bob Mease\Application Data\ZoomBrowser EX
2008-12-13 21:15 --------- d-----w c:\program files\Lavasoft
2008-12-11 03:41 --------- d-----w c:\program files\ThreatFire
2008-11-08 21:13 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-06 03:01 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 02:16 --------- d-----w c:\program files\Trojan Remover
2008-11-03 03:06 --------- d-----w c:\program files\Logitech
2008-11-01 04:13 --------- d-----w c:\program files\SpywareBlaster
2008-11-01 03:14 --------- d-----w c:\program files\Trend Micro
2008-10-31 11:43 --------- d-----w c:\documents and settings\Administrator.D19X0931.000\Application Data\Simply Super Software
2006-09-13 05:00 52,736 ----a-w c:\documents and settings\Bob Mease\cnmss Canon MP960 Printer (Local).dll
2005-09-29 03:28 68,600 ----a-w c:\documents and settings\Bob Mease\Application Data\GDIPFONTCACHEV1.DAT
2003-08-20 23:27 559,637 ----a-w c:\program files\msxml3.cab
2003-08-07 19:48 876,544 ----a-w c:\program files\wdstddll_wim32.msm
2003-08-07 19:48 765,440 ----a-w c:\program files\msxml3_wim32.msm
2003-08-07 19:48 26,112 ----a-w c:\program files\msxml3inf_wim32.msm
2003-04-12 12:53 505 ----a-w c:\program files\TurboTax Deluxe 2002.lnk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-01-18 196608]
"SmileboxTray"="c:\documents and settings\Bob Mease\Application Data\Smilebox\SmileboxTray.exe" [2008-01-28 201352]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-09-26 206184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-13 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

c:\documents and settings\Bob Mease\Start Menu\Programs\Startup\
Canon IJ Status Monitor Canon MP960 Printer.lnk - c:\windows\SYSTEM32\rundll32.exe [2002-08-29 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-09-01 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-08-14 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2007-10-08 49220]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2005-08-28 233472]
QuickTV.lnk - c:\program files\AVerTV2K\QuickTV.exe [2004-06-29 163840]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2005-06-11 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-10 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-10 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-10 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-10 76040]
R2 BT848;AVerMedia, AVerTV WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2003-08-28 261696]
R2 BTTUNER;AVerMedia, AVerTV WDM TvTuner;c:\windows\system32\drivers\BTTUNER.sys [2003-08-28 22016]
R2 BTXBAR;AVerMedia, AVerTV WDM Crossbar;c:\windows\system32\drivers\BTXBAR.sys [2003-08-28 13312]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys []
S3 GEFP;GEFP;c:\docume~1\BOBMEA~1\LOCALS~1\Temp\GEFP.exe []
S3 JYJN;JYJN;c:\docume~1\BOBMEA~1\LOCALS~1\Temp\JYJN.exe []
S3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\DRIVERS\MosIrUsb.sys [2004-04-14 20736]
S3 RIOXDRV;SONICblue Rio generic driver XP+;c:\windows\system32\Drivers\RIOXDRV.sys [2004-03-01 18304]
S3 VXU;VXU;c:\docume~1\ADMINI~1.000\LOCALS~1\Temp\VXU.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36755102-d4a9-11db-acb9-0007e9632762}]
\Shell\AutoRun\command - F:\ONSPCLCK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-12-30 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Bob Mease.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\TLIEFlashCtrlU.dll - O16 -: {94B82441-A413-4E43-8422-D49930E69764}
hxxps://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 00:11:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\RioMSC.exe
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-30 0:17:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-30 06:16:18

Pre-Run: 11,038,756,864 bytes free
Post-Run: 11,161,616,384 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

181 --- E O F --- 2008-12-29 09:00:29