ComboFix 09-02-27.02 - Ian Grant 2009-02-28 16:22:12.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1022.524 [GMT 0:00]
Running from: c:\users\Ian Grant\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
.
((((((((((((((((((((((((( Files Created from 2009-01-28 to 2009-02-28 )))))))))))))))))))))))))))))))
.
2009-02-28 13:55 . 2009-02-28 13:55 d-------- c:\users\All Users\McAfee
2009-02-28 13:55 . 2009-02-28 13:55 d-------- c:\programdata\McAfee
2009-02-25 21:48 . 2009-02-25 21:58 d-------- c:\users\All Users\avg8
2009-02-25 21:48 . 2009-02-25 21:58 d-------- c:\programdata\avg8
2009-02-25 21:48 . 2009-02-25 21:48 d-------- c:\program files\AVG
2009-02-14 13:44 . 2009-02-14 13:44 d-------- c:\program files\Mob Wars Toolbar
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-28 14:05 --------- d-----w c:\program files\Norton 360
2009-02-22 19:46 --------- d-----w c:\users\Ian Grant\AppData\Roaming\Skype
2009-01-20 12:07 --------- d-----w c:\program files\Google
2009-01-18 21:53 --------- d-----w c:\program files\MouseHunt Toolbar
2009-01-06 21:04 12,000 ----a-w c:\users\Ian Grant\AppData\Roaming\wklnhst.dat
2008-02-19 12:59 1,196 ----a-w c:\users\Mike\AppData\Roaming\wklnhst.dat
2007-11-03 09:06 174 --sha-w c:\program files\desktop.ini
2007-04-23 14:21 269,824 ----a-w c:\windows\inf\WG111v3\Vista64\wg111v3.sys
2007-04-23 14:19 227,328 ----a-w c:\windows\inf\WG111v3\WG111v3.sys
2007-04-23 14:19 227,328 ----a-w c:\windows\inf\WG111v3\Vista\wg111v3.sys
2006-12-15 11:30 98,304 ----a-w c:\windows\inf\WG111v3\UScanM.exe
2006-12-15 11:30 315,392 ----a-w c:\windows\inf\WG111v3\InstallDriver.exe
2006-12-15 11:30 28,672 ----a-w c:\windows\inf\WG111v3\SetDrv.exe
2006-12-15 11:30 212,992 ----a-w c:\windows\inf\WG111v3\CopyWHQLDriver.exe
2006-12-15 11:30 20,480 ----a-w c:\windows\inf\WG111v3\RTWUPath.exe
2006-12-15 11:30 19,968 ----a-w c:\windows\inf\WG111v3\RTWREFU.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2006-11-02 1196032]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 286720]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 290816]
"LXCRCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
"tsnp2std"="c:\windows\tsnp2std.exe" [2006-06-19 262144]
"snp2std"="c:\windows\vsnp2std.exe" [2006-05-15 675840]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-04-19 151552]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-03-12 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-12 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-03-12 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]

c:\users\Ian Grant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Common Files\microsoft shared\Works Shared\WkCalRem.exe [2005-08-18 21504]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2007-11-02 1261568]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2006-05-29 1708032]
Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-11-10 1175552]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{43EB5C32-1AE1-4DF5-AE6C-90BE780C0A95}"= UDP:c:\program files\EliteSwitch\EliteSwitch.exe:EliteSwitch
"{36EE4D00-6E2D-4149-A65C-13741B16A858}"= TCP:c:\program files\EliteSwitch\EliteSwitch.exe:EliteSwitch
"TCP Query User{4EEE9B58-8AE6-443E-BF92-4B16E5FBB8E7}c:\\program files\\msn messenger\\msnmsgr.exe"= UDP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"UDP Query User{B235ADE1-DC38-40BD-AF26-D9CEBC9432A9}c:\\program files\\msn messenger\\msnmsgr.exe"= TCP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"{27D0D1DD-6C5A-4B9E-8A28-69B8BECC7147}"= UDP:c:\programdata\SwiftSwitch\SwiftSwitch.exe:SwiftSwitch
"{47F8FB45-DDAA-449F-BD1B-16B86EF1B5D8}"= TCP:c:\programdata\SwiftSwitch\SwiftSwitch.exe:SwiftSwitch
"{B8C4BEBF-F19D-454D-9314-EA9F06353DD1}"= UDP:c:\users\Mike\Favorites\LimeWire\LimeWire.exe:LimeWire
"{3E68C87A-9772-4F81-B903-64C763877CBE}"= TCP:c:\users\Mike\Favorites\LimeWire\LimeWire.exe:LimeWire
"{6B44AD3C-4293-4A02-AAD7-47DAF53CEB05}"= UDP:c:\users\Mike\AppData\Local\Microsoft\Messenger\keirly69@hotmail.com\Sharing Folders\LimeWire\LimeWire.exe:LimeWire
"{1A2BC451-4AF5-490D-B6CB-4E437AAA50CD}"= TCP:c:\users\Mike\AppData\Local\Microsoft\Messenger\keirly69@hotmail.com\Sharing Folders\LimeWire\LimeWire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\System32\drivers\SCMNdisP.sys [2007-11-02 21728]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20071107.001\IDSvix86.sys [2007-11-09 180272]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-09-03 208896]
R2 SCM_Service;SCM_Service;c:\windows\System32\WinService.exe [2007-11-02 180224]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\System32\drivers\wg111v3.sys [2007-11-02 227328]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2007-01-09 38200]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [2006-05-10 29696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25367ac5-4551-11dd-8405-001a920f7c89}]
\shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-02-28 c:\windows\Tasks\User_Feed_Synchronization-{2073179D-009F-4720-9B4D-D66D3475E175}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

2009-02-28 c:\windows\Tasks\User_Feed_Synchronization-{36E15CB4-9428-4BFA-87E7-C487CCE1DD12}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.runescape.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Presario&pf=desktop
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
Trusted Zone: avg.com\free
Trusted Zone: swiftkit.net\www
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-28 16:25:09
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-28 16:27:08
ComboFix-quarantined-files.txt 2009-02-28 16:27:05

Pre-Run: 103,302,483,968 bytes free
Post-Run: 104,704,307,200 bytes free

152 --- E O F --- 2007-12-19 17:53:54