ComboFix 09-02-07.01 - ttellamsetty 2009-02-08 8:34:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.431 [GMT -8:00]
Running from: c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Desktop\CFScript.txt
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\cogad
c:\program files\Viewpoint
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Viewpoint\Common\VistaBoot.sdll
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\Cursors.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SWFView.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VETScriptInterpreter.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VMPSpeech.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo2.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
c:\windows\bqjovqpu\
c:\windows\hswcpcjf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BQJOVQPU
-------\Legacy_HSWCPCJF
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_aylnlfdx
-------\Service_bqjovqpu
-------\Service_hswcpcjf
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-07 15:49 . 2009-02-07 16:05    250  --a------  c:\windows\gmer.ini
2009-02-07 04:20 . 2009-02-07 04:20         d--------  c:\program files\Trend Micro
2009-02-07 03:31 . 2009-02-07 03:31         d--------  c:\program files\CCleaner
2009-02-06 23:46 . 2009-02-06 23:46         d--------  c:\program files\Spybot - Search & Destroy
2009-02-06 23:46 . 2009-02-08 07:18         d--------  c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-06 22:15 . 2009-01-18 13:30  64,160  --a------  c:\windows\system32\drivers\Lbd.sys
2009-02-06 22:01 . 2009-02-06 22:01         d--------  c:\program files\Lavasoft
2009-02-06 22:01 . 2009-02-06 22:01         d--h-c---  c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-05 13:39 . 2009-02-08 08:45   5,780  --a------  c:\windows\system32\PerfStringBackup.TMP
2009-02-05 13:29 . 2009-02-05 13:29  25,088  --a------  c:\windows\system32\drivers\hhxohxac.sys
2009-02-05 13:01 . 2009-02-05 16:25         d--------  c:\program files\Spyware Doctor
2009-02-05 13:01 . 2009-02-05 16:23         d-a------  c:\documents and settings\All Users\Application Data\TEMP
2009-02-05 11:54 . 2009-02-06 15:01         d--------  c:\program files\Common Files\Symantec Shared
2009-02-05 11:53 . 2009-02-06 15:00         d--------  c:\program files\Norton Security Scan
2009-02-05 10:10 . 2009-02-05 10:10         d--------  c:\program files\WebShow
2009-02-05 10:00 . 2009-02-05 13:32   2,816  --a------  c:\windows\bqjovqpu
2009-01-22 10:11 . 2009-01-22 10:11         d--------  C:\E-mail Templates
2009-01-19 08:19 . 2009-01-19 08:19         d--------  c:\program files\MediaRing
2009-01-19 08:19 . 2009-01-19 08:19         d--------  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\MRTalk
2009-01-17 17:52 . 2009-01-18 04:57      41  --a------  C:\XMLFile.xml
2009-01-17 14:31 . 2009-01-21 01:43         d--------  c:\temp\mbdrm
2009-01-14 15:54 . 2009-01-14 15:54         d--------  c:\program files\iPod
2009-01-14 15:54 . 2008-04-17 13:12 107,368  --a------  c:\windows\system32\GEARAspi.dll
2009-01-14 15:54 . 2008-04-17 13:12  15,464  --a------  c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-14 15:53 . 2009-01-14 15:54         d--------  c:\program files\iTunes
2009-01-14 15:53 . 2009-01-14 15:53         d--------  c:\program files\Bonjour
2009-01-14 15:53 . 2009-01-14 15:54         d--------  c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-14 15:52 . 2009-01-14 15:53         d--------  c:\program files\QuickTime
2009-01-14 15:52 . 2009-01-14 15:53         d--------  c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-14 15:50 . 2009-01-14 15:50         d--------  c:\program files\Apple Software Update
2009-01-14 15:49 . 2009-01-14 15:53         d--------  c:\program files\Common Files\Apple
2009-01-10 01:11 . 2009-01-10 01:11         d--------  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\CustomSkinning.4CA416D5A48838FE3246D79BDAEAADBCE07FE38A.1
2009-01-09 11:50 . 2008-07-31 14:17   9,200  ---------  c:\windows\system32\drivers\cdralw2k.sys
2009-01-09 11:50 . 2008-07-31 14:17   9,072  ---------  c:\windows\system32\drivers\cdr4_xp.sys
2009-01-09 11:49 . 2009-01-09 11:49         d--------  c:\windows\system32\IOSUBSYS
2009-01-08 21:00 . 2009-01-08 21:00         d--------  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\EPF
2009-01-08 20:15 . 2009-01-09 01:09         d--------  C:\EclipsePluginsDownload

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 04:42  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\Animated Reminder
2009-02-06 00:25  ---------  d-----w  c:\program files\Google
2009-02-04 08:21  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\Skype
2009-02-04 00:05  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\skypePM
2009-02-01 04:36  ---------  d-----w  c:\program files\Notepad++
2009-01-31 00:19  ---------  d-----w  c:\program files\Veoh Networks
2009-01-27 09:36  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\Notepad++
2009-01-14 23:54  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\Apple Computer
2009-01-07 04:22  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\SlideShow.5053B52F8421333E4F8EAA31D21F585938ABC005.1
2009-01-01 22:27  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\FlickrFloater.ED10F73A91BD42FC132ECA2EE50E87E908E12FBD.1
2009-01-01 08:56  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\com.adobe.example.ImageDisplayProj
2009-01-01 01:47  ---------  d-----w  c:\program files\Yahoo!
2009-01-01 01:42  ---------  d-----w  c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-30 17:27  ---------  d-----w  c:\program files\Java
2008-12-30 16:20  ---------  d-----w  c:\program files\PicLensIE
2008-12-29 17:24  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\com.adobe.example.ImageSlideShow
2008-12-26 21:39  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\com.adobe.example.MyOwnProject
2008-12-26 03:21  ---------  d-----w  c:\program files\helloWorld
2008-12-25 03:09  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\Aptana
2008-12-25 03:05  ---------  d-----w  c:\program files\Aptana
2008-12-25 02:30  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\JottExpress.50E28EE2422BD0599F081C2408B1BFDDBEFC6B6B.1
2008-12-25 02:23  ---------  d-----w  c:\program files\Common Files\Adobe AIR
2008-12-22 19:15  ---------  d-----w  c:\program files\Terracotta
2008-12-22 05:24  ---------  d-----w  c:\program files\MySQL
2008-12-22 05:24  ---------  d-----w  c:\documents and settings\All Users\Application Data\MySQL
2008-12-22 05:23  ---------  d-----w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\MySQL
2008-12-21 06:56     60,744  ----a-w  c:\documents and settings\ttellamsetty.MOBILECANDYDISH\g2mdlhlpx.exe
2008-12-21 06:52  ---------  d-----w  c:\program files\Citrix
2008-12-20 07:14 185,835,023 ----a-w  C:\JBossIDE-1.6.0.GA-Bundle-win32.zip
2008-12-19 22:57  ---------  d-----w  c:\program files\Skype
2008-12-19 22:57  ---------  d-----w  c:\program files\Common Files\Skype
2008-12-19 22:57  ---------  d-----w  c:\documents and settings\All Users\Application Data\Skype
2008-12-11 11:57    333,184  ----a-w  c:\windows\system32\drivers\srv.sys
2008-07-19 06:28         19  ----a-w  c:\program files\input.properties
2008-02-02 21:13     14,292  ----a-w  c:\program files\settings.dat

.
((((((((((((((((((((((((((((( SnapShot@2009-02-07_20.46.48.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-08 04:42:14  226,417  ----a-w  c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-08 16:45:37  226,417  ----a-w  c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-08 16:41:40   16,384  ----atw  c:\windows\Temp\Perflib_Perfdata_440.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Sonic RecordNow!"="c:\program files\CCleaner\CCleaner.exe" [2009-01-20 1451248]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Animated reminder"="c:\program files\Animated Reminder\ani_reminder.exe" [2007-05-09 1647104]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-12-16 3528440]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-09-10 98395]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-27 344064]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"WScheduler"="c:\progra~1\SYSTEM~1\WScheduler.exe" [2008-06-16 98304]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 290816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

c:\documents and settings\ttellamsetty\Start Menu\Programs\Startup\
Nokia Connectivity Framework Lite.lnk - c:\nokia\Tools\Nokia_Connectivity_Framework\bin\NCFStart.exe [2008-02-03 28672]
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]

c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Start Menu\Programs\Startup\
MediaRing Talk.lnk - c:\program files\MediaRing\MediaRing Talk\mrtalk.exe [2008-10-22 3325952]

c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Start Menu\Programs\Startup\AutorunsDisabled
Nokia Connectivity Framework Lite.lnk - c:\nokia\Tools\Nokia_Connectivity_Framework\bin\NCFStart.exe [2008-02-03 28672]
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\binn\sqlmangr.exe [2008-02-24 69632]
WinZip Quick Pick.lnk - c:\myinstallations\WZQKPICK.EXE [2007-12-03 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUkIATL]
[BU]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ   	msv1_0 setuid

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^ttellamsetty.MOBILECANDYDISH^Start Menu^Programs^Startup^Update Center Client Tray.lnk]
path=c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Start Menu\Programs\Startup\Update Center Client Tray.lnk
backup=c:\windows\pss\Update Center Client Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ttellamsetty.MOBILECANDYDISH^Start Menu^Programs^Startup^YouTring.lnk]
path=c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Start Menu\Programs\Startup\YouTring.lnk
backup=c:\windows\pss\YouTring.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApacheTomcatMonitor]
--a------ 2008-01-28 14:39 98304 d:\tomcat6.0\bin\tomcat6w.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a------ 2009-01-20 08:00 1451248 c:\program files\CCleaner\CCleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-25 08:39 133104 c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jEdit Server]
--a------ 2007-12-13 23:57 135168 c:\windows\system32\javaw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 02:42 144784 c:\java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-13 07:47 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a------ 2004-07-14 15:36 57344 c:\windows\system32\ICO.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\rendezvous.exe"=
"c:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\phoneNumberRegistry.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\bluetoothDispatcher.exe"=
"c:\\MyInstallations\\Nokia\\Devices\\Nokia_6131_NFC_SDK_1_1\\bin\\emulator.exe"=
"c:\\MyInstallations\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Eclipse_builds\\EclipseEuropaJava\\eclipse.exe"=
"c:\\Java\\jdk1.6.0_04\\jre\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Java\\jdk1.6.0_04\\bin\\java.exe"=
"c:\\Java\\jdk1.6.0_04\\bin\\javaw.exe"=
"c:\\j2sdk1.4.2_13\\bin\\javaw.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Eclipse_builds\\EclipseEuropaFullBundle\\eclipse.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\ttellamsetty.MOBILECANDYDISH\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\ttellamsetty.MOBILECANDYDISH\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Java\\jdk1.6.0_04\\jre\\bin\\javaw.exe"=
"c:\\Sun\\SDK\\jdk\\bin\\java.exe"=
"c:\\Sun\\AppServer\\mysql\\bin\\mysqld-nt.exe"=
"c:\\Program Files\\Aptana\\Aptana Studio\\jre\\bin\\javaw.exe"=
"c:\\Eclipse_builds\\EclipseEuropaJ2EE\\eclipse.exe"=
"c:\\Java\\jdk1.5.0_14\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_16\\bin\\javaw.exe"=
"c:\\Eclipse_builds\\Eclipse3.4GanyMede\\eclipse.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Java\\jre1.6.0_04\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-06 64160]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2008-02-04 101528]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2008-04-22 43816]
R2 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2007-12-17 523816]
R2 MSSEARCH;Microsoft Search;c:\program files\Common Files\System\MSSearch\Bin\mssearch.exe [2000-07-12 73728]
R3 ncfvsbus;NCF Virtual Serial Bus Enumerator;c:\windows\system32\drivers\ncfvsbus.sys [2008-02-03 25088]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2008-02-04 24876]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
S3 AppServer9PE;SunJavaSystemAppserver9PE;c:\sun\SDK\lib\appservService.exe "\"c:\sun\SDK\bin\asadmin.bat\" start-domain --user admin domain1" "\"c:\sun\SDK\bin\asadmin.bat\" stop-domain domain1\" --> c:\sun\SDK\lib\appservService.exe \c:\sun\SDK\bin\asadmin.bat\ [?]
S3 ASMySQL;ASMySQL;c:\sun\AppServer\mysql\bin\mysqld-nt.exe --defaults-file=c:\sun\AppServer\mysql\mysql.ini ASMySQL --> c:\sun\AppServer\mysql\bin\mysqld-nt.exe --defaults-file=c:\sun\AppServer\mysql\mysql.ini ASMySQL [?]
S3 misalign;Data Misalignment Exception Kernel Driver;c:\windows\system32\drivers\misalign.sys [2008-02-03 8832]
S3 MSSQL$WALLETV1;MSSQL$WALLETV1;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sWALLETV1 --> c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sWALLETV1 [?]
S3 SQLAgent$WALLETV1;SQLAgent$WALLETV1;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe -i WALLETV1 --> c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe -i WALLETV1 [?]
S3 Tomcat6;Apache Tomcat;d:\tomcat6.0\bin\tomcat6.exe [2008-01-28 57344]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2008-12-20 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2008-12-20 500608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc	REG_MULTI_SZ   	p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54effd07-a518-11dd-adbf-006073ed2f4c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 13:34]

2009-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2009-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2713597342-960583686-2948504062-1292.job
- c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-25 08:39]

2009-02-06 c:\windows\Tasks\Norton Security Scan for ttellamsetty.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{1C86808B-076C-462C-9B24-6B943453DA95} - c:\program files\iBit-Lab/SysTray.exe
IE: {{449DB14A-F988-4fd8-9361-F212D7B6414B} - c:\program files\CoolIris\CoolIrisPreferences.exe
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
FF - ProfilePath - c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\Mozilla\Firefox\Profiles\uehz5cl7.default\
FF - prefs.js: browser.startup.homepage - chrome://fireclock/content/clock1/13.swf
FF - component: c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\Mozilla\Firefox\Profiles\uehz5cl7.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\Mozilla\Firefox\Profiles\uehz5cl7.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\Mozilla\Firefox\Profiles\uehz5cl7.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\ttellamsetty.MOBILECANDYDISH\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\java\jre1.6.0_04\bin\npjava11.dll
FF - plugin: c:\java\jre1.6.0_04\bin\npjava12.dll
FF - plugin: c:\java\jre1.6.0_04\bin\npjava13.dll
FF - plugin: c:\java\jre1.6.0_04\bin\npjava14.dll
FF - plugin: c:\java\jre1.6.0_04\bin\npjava32.dll
FF - plugin: c:\java\jre1.6.0_04\bin\npjpi160_04.dll
FF - plugin: c:\java\jre1.6.0_04\bin\npoji610.dll
FF - plugin: c:\myinstallations\VLC\npvlc.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 11:29:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2713597342-960583686-2948504062-1292\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1356)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\NETUI1.dll

- - - - - - - > 'lsass.exe'(1416)
c:\windows\system32\setuid.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\CVSNT\cvslock.exe
c:\program files\CVSNT\cvsservice.exe
c:\program files\HPQ\shared\hpqwmi.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\myinstallations\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\windows\system32\snmptrap.exe
c:\program files\Windows Live\installer\WLSetupSvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\HPQ\shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2009-02-08 11:36:26 - machine was rebooted
ComboFix-quarantined-files.txt  2009-02-08 19:36:12
ComboFix2.txt  2009-02-08 04:48:14

Pre-Run: 32,732,655,616 bytes free
Post-Run: 32,718,589,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

372 --- E O F --- 2009-01-14 16:33:23