ComboFix 09-02-07.01 - Administrator 2009-02-08 10:56:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.443 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\wdmaud.sys

.
(((((((((((((((((((((((((   Files Created from 2009-01-08 to 2009-02-08   )))))))))))))))))))))))))))))))
.

2009-02-06 19:14 . 2009-02-06 19:14    d--------    c:\program files\Malwarebytes' Anti-Malware
2009-02-06 19:14 . 2009-02-06 19:14    d--------    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-06 19:14 . 2009-02-06 19:14    d--------    c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-06 19:14 . 2009-01-14 16:11    38,496    --a------    c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-06 19:14 . 2009-01-14 16:11    15,504    --a------    c:\windows\system32\drivers\mbam.sys
2009-02-06 19:06 . 2009-02-06 19:06    d--------    c:\program files\ERUNT
2009-02-06 17:41 . 2009-02-06 17:41    d--------    c:\program files\ESET
2009-02-06 15:35 . 2009-02-06 15:47    d--------    c:\documents and settings\Administrator\DoctorWeb
2009-02-06 14:57 . 2009-02-06 14:57    578,560    --a------    c:\windows\system32\dllcache\user32.dll
2009-02-06 14:56 . 2009-02-06 14:56    d--------    c:\windows\ERUNT
2009-02-06 14:51 . 2009-02-06 15:13    d--------    C:\SDFix
2009-01-30 10:35 . 2009-01-30 10:35    d--------    c:\documents and settings\Administrator\Application Data\InstallShield

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 15:45    ---------    d-----w    c:\program files\Symantec AntiVirus
2009-02-07 01:11    2,098    --sha-w    c:\windows\system32\KGyGaAvL.sys
2009-02-06 20:29    ---------    d-----w    c:\program files\Common Files\Adobe
2009-01-26 13:56    ---------    d-----w    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-26 13:55    ---------    d-----w    c:\program files\Spybot - Search & Destroy
2009-01-23 23:25    ---------    d-----w    c:\documents and settings\Administrator\Application Data\AdobeUM
2008-12-13 06:40    3,593,216    ------w    c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57    333,952    ----a-w    c:\windows\system32\drivers\srv.sys
2008-12-11 10:57    333,952    ------w    c:\windows\system32\dllcache\srv.sys
2008-09-18 02:11    256    ----a-w    c:\documents and settings\Administrator\pool.bin
2007-11-12 15:17    56    --sh--r    c:\windows\system32\F1FDCABD70.sys
2008-11-05 03:44    32,768    --sha-w    c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008110420081105\index.dat

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2006-01-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-09 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"Act! Preloader"="c:\program files\ACT\ACT for Windows\Act8.exe" [2006-04-05 1015808]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-31 185896]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-17 177448]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-28 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 581693]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= wdmaud.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\ACT\\ACT for Windows\\Act8.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\PageBreeze\\pagebreeze.exe"=
"c:\\Program Files\\LeechFTP\\Leechftp.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-07-17 161064]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2007-10-21 18864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-11-20 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-06-10 35968]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {2D3E4B6E-492E-4B40-83B0-F59B6CB9B6EB} = 68.28.122.93 68.28.114.91
TCP: {D245ED96-FBB3-43B4-9421-A47030385714} = 192.168.200.1
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 10:57:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???`Q??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-02-08 10:59:22
ComboFix-quarantined-files.txt  2009-02-08 15:59:19

Pre-Run: 45,177,229,312 bytes free
Post-Run: 45,184,180,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

134    --- E O F --- 2009-02-07 00:09:19