ComboFix 09-01-08.01 - Nicole 2009-01-08 12:36:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.562 [GMT -8:00]
Running from: c:\documents and settings\Nicole\Desktop\SECURITY\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090108-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\alexa toolbar
c:\windows\Readme.txt
c:\windows\regedit.com
c:\windows\setup.exe
c:\windows\system32\taskmgr.com
G:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2008-12-08 to 2009-01-08   )))))))))))))))))))))))))))))))
.

2009-01-08 10:44 . 2009-01-08 10:44    54,156    --ah-----    c:\windows\QTFont.qfn
2009-01-08 10:44 . 2009-01-08 10:44    1,409     --a------    c:\windows\QTFont.for

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 20:43    41,816,096    --sha-w    c:\windows\system32\drivers\fidbox.dat
2009-01-08 20:41    ---------     d-----w    c:\documents and settings\Nicole\Application Data\DNA
2009-01-07 19:39    490,592       --sha-w    c:\windows\system32\drivers\fidbox.idx
2009-01-07 19:36    ---------     d-----w    c:\program files\Photoshop 7.0
2008-12-26 15:47    15,821,837    ----a-w    c:\windows\Internet Logs\tvDebug.zip
2008-12-23 18:25    ---------     d-----w    c:\program files\Spybot - Search & Destroy
2008-12-23 18:23    ---------     d-----w    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-10 17:13    20            ---h--w    c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-11-02 17:22    3,218         ----a-w    c:\windows\system32\PerfStringBackup.TMP
2008-10-16 22:13    202,776       ----a-w    c:\windows\system32\wuweb.dll
2008-10-16 22:13    1,809,944     ----a-w    c:\windows\system32\wuaueng.dll
2008-10-16 22:12    561,688       ----a-w    c:\windows\system32\wuapi.dll
2008-10-16 22:12    323,608       ----a-w    c:\windows\system32\wucltui.dll
2008-10-16 22:09    92,696        ----a-w    c:\windows\system32\cdm.dll
2008-10-16 22:09    51,224        ----a-w    c:\windows\system32\wuauclt.exe
2008-10-16 22:09    43,544        ----a-w    c:\windows\system32\wups2.dll
2008-10-16 22:08    34,328        ----a-w    c:\windows\system32\wups.dll
2008-10-16 22:06    268,648       ----a-w    c:\windows\system32\mucltui.dll
2008-10-16 22:06    208,744       ----a-w    c:\windows\system32\muweb.dll
2008-06-05 04:36    273,544       -c--a-w    c:\documents and settings\Nicole\Application Data\GDIPFONTCACHEV1.DAT
2007-05-19 18:55    722,176       -c--a-w    c:\documents and settings\Nicole\gotomypc_428.exe
2001-08-16 21:14    1,915,822     -c----w    c:\program files\lsghost2k2.rar
2000-12-12 19:17    100,432       -c----w    c:\program files\Win2000PPAHotfix.exe
2000-09-06 01:03    2,917,440     -c----w    c:\program files\TPS4PE15.ZIP
1999-11-02 23:08    29,184        -c----w    c:\program files\A List of Useful Office 2000 Shortcut Keys.xls

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-07-10 289088]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Washer"="c:\program files\Washer\washer.exe" [2002-12-12 816640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 c:\windows\system32\narrator.exe]

c:\documents and settings\Nicola\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-12-23 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-09-22 169472]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2005-01-10 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-09-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-21 19:07 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-03-31 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2002-01-17 2944]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2002-01-17 60416]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2002-01-17 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2002-01-17 10368]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-03-31 20560]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [2003-01-10 9728]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S4 Dmfilhibpaur;Dmfilhibpaur; [x]

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Shareaza - c:\program files\Shareaza\Shareaza.exe
HKLM-Run-HydarVisionDesktopManager - (no file)
HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
SSODL-CDBurn- - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.riktr.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.surfline.com/
uDefault_Page_URL = hxxp://www.surfline.com/
mStart Page = hxxp://www.surfline.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: &WordWeb...
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\srtckrej.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.riktr.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 12:42:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-01-08 12:46:34
ComboFix-quarantined-files.txt  2009-01-08 20:46:29

Pre-Run: 18,287,960,064 bytes free
Post-Run: 18,304,868,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

155    --- E O F --- 2008-07-09 14:59:10