ComboFix 09-01-08.01 - Nicole 2009-01-08 13:19:19.2 - NTFSx86
Running from: c:\documents and settings\Nicole\Desktop\SECURITY\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-08 10:44 . 2009-01-08 10:44 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-08 10:44 . 2009-01-08 10:44 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 21:25 41,893,920 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-08 21:07 492,392 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-08 20:51 --------- d-----w c:\documents and settings\Nicole\Application Data\DNA
2009-01-07 19:36 --------- d-----w c:\program files\Photoshop 7.0
2008-12-26 15:47 15,821,837 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-23 18:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-23 18:23 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-10 17:13 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-11-02 17:22 3,218 ----a-w c:\windows\system32\PerfStringBackup.TMP
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-06-05 04:36 273,544 -c--a-w c:\documents and settings\Nicole\Application Data\GDIPFONTCACHEV1.DAT
2007-05-19 18:55 722,176 -c--a-w c:\documents and settings\Nicole\gotomypc_428.exe
2001-08-16 21:14 1,915,822 -c----w c:\program files\lsghost2k2.rar
2000-12-12 19:17 100,432 -c----w c:\program files\Win2000PPAHotfix.exe
2000-09-06 01:03 2,917,440 -c----w c:\program files\TPS4PE15.ZIP
1999-11-02 23:08 29,184 -c----w c:\program files\A List of Useful Office 2000 Shortcut Keys.xls

.
((((((((((((((((((((((((((((( snapshot@2009-01-08_12.44.12.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-08 18:27:16 17,125 ----a-w c:\windows\system32\tablet.dat
+ 2009-01-08 21:10:09 17,125 ----a-w c:\windows\system32\tablet.dat
+ 2009-01-08 21:08:43 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5e8.dat

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-07-10 289088]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Washer"="c:\program files\Washer\washer.exe" [2002-12-12 816640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-21 19:07 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\DRIVERS\Amps2prt.sys [2002-12-31 9728]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R4 Dmfilhibpaur;Dmfilhibpaur; [x]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-21 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-21 55024]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\Drivers\Brfilt.sys [2001-08-17 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\Drivers\BrSerWdm.sys [2001-08-17 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\Drivers\BrUsbMdm.sys [2001-08-17 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\Drivers\BrUsbScn.sys [2001-08-17 10368]

--- Other Services/Drivers In Memory ---

*Deregistered* - Aavmker4
*Deregistered* - aawservice
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - aswFsBlk
*Deregistered* - aswMon2
*Deregistered* - aswRdr
*Deregistered* - aswSP
*Deregistered* - aswTdi
*Deregistered* - aswUpdSv
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avast! Antivirus
*Deregistered* - avast! Mail Scanner
*Deregistered* - avast! Web Scanner
*Deregistered* - AVG Anti-Rootkit
*Deregistered* - AvgArCln
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KLIF
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PenClass
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASKUTIL
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srescan
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TabletService
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tmcomm
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - vsdatant
*Deregistered* - vsmon
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.riktr.com/
uDefault_Search_URL = hxxp://www.surfline.com/
mStart Page = hxxp://www.surfline.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: &WordWeb...
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\srtckrej.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.riktr.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 13:25:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-01-08 13:29:09
ComboFix-quarantined-files.txt 2009-01-08 21:29:05
ComboFix2.txt 2009-01-08 20:46:38

Pre-Run: 18,315,026,432 bytes free
Post-Run: 18,296,008,704 bytes free

235 --- E O F --- 2008-07-09 14:59:10