ComboFix 09-01-01.02 - t_brown 2009-01-02 18:16:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.456 [GMT 0:00]
Running from: c:\documents and settings\t_brown\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2008-12-02 to 2009-01-02   )))))))))))))))))))))))))))))))
.

2009-01-02 17:39 . 2009-01-02 17:39   577,024   --a------   c:\windows\system32\dllcache\user32.dll
2009-01-02 17:38 . 2009-01-02 17:38   d--------   c:\windows\ERUNT
2009-01-02 17:37 . 2009-01-02 17:58   d--------   C:\SDFix
2009-01-02 17:18 . 2009-01-02 17:18   d--------   c:\program files\Malwarebytes' Anti-Malware
2009-01-02 17:18 . 2009-01-02 17:18   d--------   c:\documents and settings\t_brown\Application Data\Malwarebytes
2009-01-02 17:18 . 2009-01-02 17:18   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-02 17:18 . 2008-12-03 19:59   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 17:18 . 2008-12-03 19:59   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-01-01 15:22 . 2009-01-01 15:22   d--h-----   c:\windows\PIF
2009-01-01 14:34 . 2009-01-02 09:58   d--h-----   C:\$AVG8.VAULT$
2008-12-23 09:14 . 2008-12-22 15:20   316,699   --a------   C:\AOE12.zip
2008-12-11 16:10 . 2008-12-11 16:11   d--------   c:\program files\MetManager 2.0
2008-12-11 15:21 . 2008-12-11 15:21   0   --a------   C:\42.tmp
2008-12-09 08:36 . 2008-12-09 08:36   410,976   --a------   c:\windows\system32\deploytk.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 18:19   ---------   d-----w   c:\documents and settings\t_brown\Application Data\Skype
2009-01-02 16:21   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 16:18   ---------   d-----w   c:\program files\Google
2009-01-02 14:48   ---------   d-----w   c:\program files\FTP Commander
2009-01-02 14:37   ---------   d-----w   c:\documents and settings\All Users\Application Data\pdf995
2009-01-02 14:32   ---------   d-----w   c:\program files\SelectClient
2009-01-02 13:35   ---------   d-----w   c:\program files\Spybot - Search & Destroy
2009-01-02 13:27   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-02 13:27   ---------   d-----w   c:\program files\AmosConnect
2008-12-28 11:55   ---------   d-----w   c:\program files\ZipCentral
2008-12-22 13:21   ---------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2008-12-13 06:40   3,593,216   ------w   c:\windows\system32\dllcache\mshtml.dll
2008-12-11 15:13   ---------   d-----w   c:\program files\EmailClient
2008-12-09 08:35   ---------   d-----w   c:\program files\Java
2008-12-04 15:58   ---------   d-----w   c:\program files\oceanMaster
2008-12-04 15:58   ---------   d-----w   c:\program files\Monitor4000
2008-11-20 14:03   ---------   d-----w   c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-11-10 13:11   ---------   d-----w   c:\program files\FastStone Image Viewer
2008-11-10 13:11   ---------   d-----w   c:\documents and settings\t_brown\Application Data\FastStone
2008-11-10 13:09   ---------   d-----w   c:\program files\TrialSmartImageConverter
2008-11-09 12:00   ---------   d-----w   c:\program files\ChartCom
2008-11-06 07:59   ---------   d-----w   c:\program files\Microsoft Silverlight
2008-11-04 09:00   ---------   d-----w   c:\program files\Sophos
2008-11-04 09:00   ---------   d-----w   c:\documents and settings\All Users\Application Data\Sophos
2008-11-04 08:57   ---------   d-----w   c:\program files\Microsoft SQL Server
2008-10-31 09:57   17,920   ----a-w   c:\windows\system32\sophosboottasks.exe
2008-10-16 14:07   208,744   ----a-w   c:\windows\system32\muweb.dll
2008-10-07 17:59   1,419,232   -c--a-w   c:\windows\system32\wdfcoinstaller01005.dll
2008-02-02 10:27   67,696   ----a-w   c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:27   54,376   ----a-w   c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:27   34,952   ----a-w   c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:27   46,720   ----a-w   c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:27   172,144   ----a-w   c:\program files\mozilla firefox\components\xpinstal.dll
2008-07-01 07:40   56   -csha-w   c:\windows\SMINST\hpboot.sys
2004-08-04 08:00   166,240   --sha-r   c:\windows\system32\ieumfgro.dll

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-05-30 21718824]
"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-09 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-07-30 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\t_brown\Start Menu\Programs\Startup\
Skype with Doro225.lnk - c:\program files\Skype with Doro225\SkypeWithDoro225.exe [2006-02-18 212992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-06-21 245760]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ   autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\CHARTCO.COM\sysvol\CHARTCO.COM\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Scripts\Logon\SCRIPT1.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-771201383-762221502-2611255016-1116\Scripts\Logon\0\0]
"Script"=SCRIPT1.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-771201383-762221502-2611255016-1116\Scripts\Logon\1\0]
"Script"=SCRIPT1.BAT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AXIS Camera Station Notification Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AXIS Camera Station Notification Icon.lnk
backup=c:\windows\pss\AXIS Camera Station Notification Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-11-27 10:33 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--a------ 2005-11-08 11:59 184320 c:\program files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2951:TCP"= 2951:TCP:hxxdp

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-13 97928]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2008-03-31 101120]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2008-03-31 33408]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-13 231704]
R2 SAVAdminService;Sophos Anti-Virus status reporter;"c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [2008-10-31 69632]
R2 SAVService;Sophos Anti-Virus;"c:\program files\Sophos\Sophos Anti-Virus\SavService.exe" [2008-10-31 98304]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2006-10-16 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2005-06-10 35968]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\DRIVERS\evsbc.sys [2008-09-25 27904]
S2 MSSQL$SOPHOS;MSSQL$SOPHOS;c:\program files\Microsoft SQL Server\MSSQL$SOPHOS\Binn\sqlservr.exe -sSOPHOS []
S2 qteirzvao;Windows Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 AxisCameraStation;AXIS Camera Station Service;"c:\program files\Axis Communications\AXIS Camera Station\AcsService.exe" [2008-03-18 11776]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\DRIVERS\evserial.sys [2008-09-25 53888]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-10-07 13352]
S3 SQLAgent$SOPHOS;SQLAgent$SOPHOS;c:\program files\Microsoft SQL Server\MSSQL$SOPHOS\Binn\sqlagent.EXE -i SOPHOS []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qteirzvao

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a3330dc-1695-11dd-af6b-0013028f3eb9}]
\Shell\AutoRun\command - F:\MntDrCore.exe
\Shell\Open\command - F:\MntDrCore.exe
\Shell\Open With...\command - F:\MntDrCore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9b7fda0-0ac1-11dd-af57-0016d40ced92}]
\Shell\AutoRun\command - F:\MntDrCore.exe
\Shell\Open\command - F:\MntDrCore.exe
\Shell\Open With...\command - F:\MntDrCore.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0ec27f5-0176-11dd-af42-0016d40ced92}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbb11f6a-7429-11dd-b02b-0013028f3eb9}]
\Shell\AutoRun\command - F:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbb11f6b-7429-11dd-b02b-0013028f3eb9}]
\Shell\AutoRun\command - F:\StartVMCLite.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\User_Feed_Synchronization-{64FE181C-089D-419C-9659-F6AD6BA4B173}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

c:\windows\Downloaded Program Files\AtxEnc.dll - O16 -: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4}
hxxps://192.168.1.1:4343/officescan/console/html/AtxEnc.cab
O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.1.60/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 18:19:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????]??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\qteirzvao]
"ServiceDll"="c:\windows\system32\ieumfgro.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-02 18:21:20
ComboFix-quarantined-files.txt  2009-01-02 18:20:51

Pre-Run: 15,748,407,296 bytes free
Post-Run: 15,744,274,432 bytes free

205
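The log above lists a service named qteirzvao (display name "Windows Universal") whose image is svchost.exe -k netsvcs, which appears as the only member shown under Svchost - NetSvcs, and whose ServiceDll is c:\windows\system32\ieumfgro.dll, a file the Find3M report shows with hidden, system and read-only attributes and the same 2004-08-04 08:00 timestamp as the XP SP2 system files. Correlating those four record types is how a reviewer reads a ComboFix log for a planted svchost service, and the following script does that correlation. It is an added example, not part of the posted log and not ComboFix's own code: the sample excerpt is constructed in ComboFix's line format (the wuauserv records are added as a legitimate contrast and would normally be hidden by ComboFix), and the allowlist of known service DLLs is a partial, illustrative assumption that must be replaced with an inventory from a known-clean build before the output is trusted.

```python
"""Correlate the service list, the Svchost NetSvcs group, the per-service
ServiceDll value and the file-attribute lines of a ComboFix log to flag a
DLL planted as an svchost-hosted service (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt in ComboFix's line format (not a real log file).
SAMPLE_LOG = r"""
2004-08-04 08:00 166,240 --sha-r c:\windows\system32\ieumfgro.dll
2008-10-16 14:07 208,744 ----a-w c:\windows\system32\muweb.dll
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-13 231704]
S2 MSSQL$SOPHOS;MSSQL$SOPHOS;c:\program files\Microsoft SQL Server\MSSQL$SOPHOS\Binn\sqlservr.exe -sSOPHOS []
S2 qteirzvao;Windows Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qteirzvao
wuauserv
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\qteirzvao]
"ServiceDll"="c:\windows\system32\ieumfgro.dll"
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"
"""

# Partial allowlist of DLL basenames XP SP2 legitimately hosts in svchost.
# Illustrative assumption only: replace with an inventory from a clean build.
KNOWN_SERVICE_DLLS = frozenset({
    'audiosrv.dll', 'browser.dll', 'cryptsvc.dll', 'dmserver.dll', 'ersvc.dll',
    'es.dll', 'ipnathlp.dll', 'netman.dll', 'rasauto.dll', 'rasmans.dll',
    'schedsvc.dll', 'seclogon.dll', 'sens.dll', 'shsvcs.dll', 'srsvc.dll',
    'srvsvc.dll', 'trkwks.dll', 'w32time.dll', 'wkssvc.dll', 'wmisvc.dll',
    'wscsvc.dll', 'wuauserv.dll', 'wzcsvc.dll', 'xmlprov.dll',
})

SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[[^\]]*\]$')
FILE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})'
    r'(?:\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2})?'  # "Files Created" lines carry two dates
    r'\s+([\d,]+)\s+([-a-z]{7,9})\s+(.+)$')       # size, attribute string, path
KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="([^"]+)"$')
SVCHOST_RE = re.compile(r'svchost\.exe\s+-k\s+(\S+)', re.IGNORECASE)
NAME_RE = re.compile(r'^[A-Za-z_][\w$.-]*$')


@dataclass
class Finding:
    service: str
    display: str
    group: str
    service_dll: Optional[str]
    attributes: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_log(text: str) -> Tuple[Dict[str, Tuple[str, str]], Dict[str, str], Set[str], Dict[str, str]]:
    services: Dict[str, Tuple[str, str]] = {}  # name -> (display name, image path)
    files: Dict[str, str] = {}                 # lower-cased path -> attribute string
    netsvcs: Set[str] = set()                  # members listed under Svchost - NetSvcs
    service_dlls: Dict[str, str] = {}          # lower-cased service name -> ServiceDll
    current_key: Optional[str] = None
    in_netsvcs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            in_netsvcs = False
            services[m.group(2)] = (m.group(3), m.group(4))
            continue
        m = FILE_RE.match(line)
        if m:
            files[m.group(4).lower()] = m.group(3)
            continue
        if line.lower().endswith('\\svchost - netsvcs'):
            in_netsvcs = True  # the bare names on the following lines are group members
            continue
        m = KEY_RE.match(line)
        if m:
            in_netsvcs = False
            current_key = m.group(1)
            continue
        m = SERVICEDLL_RE.match(line)
        if m and current_key:
            service_dlls[current_key.rsplit('\\', 1)[-1].lower()] = m.group(1)
            continue
        if in_netsvcs and NAME_RE.match(line):
            netsvcs.add(line.lower())
            continue
        in_netsvcs = False
    return services, files, netsvcs, service_dlls


def find_suspicious_svchost_services(text: str) -> List[Finding]:
    services, files, netsvcs, service_dlls = parse_log(text)
    findings: List[Finding] = []
    for name, (display, image) in services.items():
        m = SVCHOST_RE.search(image)
        if not m:
            continue  # only svchost-hosted services are in scope
        group = m.group(1)
        dll = service_dlls.get(name.lower())
        attrs = files.get(dll.lower()) if dll else None
        reasons: List[str] = []
        if dll is None:
            reasons.append('svchost-hosted service has no ServiceDll recorded')
        elif dll.rsplit('\\', 1)[-1].lower() not in KNOWN_SERVICE_DLLS:
            reasons.append('ServiceDll %s is not in the known-good allowlist' % dll)
        if attrs and 'h' in attrs:
            reasons.append('ServiceDll file is hidden (attributes %s)' % attrs)
        if attrs and 's' in attrs:
            reasons.append('ServiceDll file has the system attribute (attributes %s)' % attrs)
        if group.lower() == 'netsvcs' and name.lower() not in netsvcs:
            reasons.append('runs as -k netsvcs but is absent from the Svchost\\netsvcs group')
        if reasons:
            findings.append(Finding(name, display, group, dll, attrs, reasons))
    return findings


if __name__ == '__main__':
    for f in find_suspicious_svchost_services(SAMPLE_LOG):
        print('%s (%s) group=%s dll=%s attrs=%s' % (f.service, f.display, f.group, f.service_dll, f.attributes))
        for r in f.reasons:
            print('   -', r)
```

Run against a full log, the script keeps quiet about AVG, Sophos and SQL Server services (not svchost-hosted) and about the contrast entry wuauserv (allowlisted DLL, member of netsvcs), and reports qteirzvao three times over: unknown DLL, hidden attribute, system attribute. The timestamp is deliberately not used as a signal, since every genuine SP2 file in the log shares it; the attributes and the unknown basename are what separate ieumfgro.dll from user32.dll.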