ComboFix 09-08-08.04 - Moniec Rudd 08/08/2009 22:56.3.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.215 [GMT -7:00]
Running from: c:\documents and settings\Moniec Rudd.MONIEC-A16FA513\Desktop\ComboFix.exe
AV: Doctor Web Anti-Virus *On-access scanning enabled* (Updated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.
2009-08-08 16:05 . 2006-12-01 22:26 57856 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\winsxs\7z1v718o.6n8\mfcm80u.dll
2009-08-08 15:49 . 2009-08-08 15:49 6881824 ----a-w- c:\program files\SUPERAntiSpyware.exe
2009-08-08 15:30 . 2009-08-08 15:30 4365033 ----a-w- c:\program files\SASDEFINITIONS.EXE
2009-08-08 15:28 . 2009-08-08 15:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-08 12:11 . 2009-08-08 12:26 -------- d-----w- c:\windows\BDOSCAN8
2009-08-07 11:36 . 2009-08-07 11:36 -------- d-----w- c:\program files\Trend Micro
2009-08-06 20:52 . 2009-08-06 21:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-06 20:52 . 2009-08-06 20:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-06 15:22 . 2009-08-06 15:22 -------- d-----w- c:\documents and settings\Moniec Rudd.MONIEC-A16FA513\Application Data\Malwarebytes
2009-08-06 15:22 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-06 15:22 . 2009-08-07 23:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 15:22 . 2009-08-06 15:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-08-06 15:22 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 23:42 . 2009-08-08 12:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-02 21:27 . 2009-08-02 21:30 -------- d-----w- c:\documents and settings\Moniec Rudd.MONIEC-A16FA513\DoctorWeb
2009-08-02 21:27 . 2009-04-07 23:01 101496 ----a-w- c:\windows\system32\drivers\dwprot.sys
2009-08-02 21:26 . 2009-08-02 21:26 -------- d-----w- c:\program files\Common Files\Doctor Web
2009-08-02 21:26 . 2009-08-02 21:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Doctor Web
2009-08-02 21:26 . 2009-08-08 12:04 -------- d-----w- c:\program files\DrWeb
2009-08-02 19:37 . 2009-08-02 20:39 -------- d-----w- c:\documents and settings\Moniec Rudd.MONIEC-A16FA513\Application Data\Uniblue
2009-08-02 19:36 . 2009-08-02 20:34 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-07-29 16:45 . 2009-07-29 16:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\MemeoCommon
2009-07-29 16:43 . 2009-07-29 16:43 -------- d-----w- c:\documents and settings\Moniec Rudd.MONIEC-A16FA513\Application Data\Memeo
2009-07-29 16:25 . 2009-07-29 16:25 -------- d-----w- c:\program files\iPod
2009-07-29 16:23 . 2009-07-29 16:27 -------- d-----w- c:\program files\iTunes
2009-07-29 00:17 . 2009-07-29 00:17 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\ServiceTest
2009-07-28 15:22 . 2009-07-28 15:22 -------- d-----w- c:\documents and settings\Moniec Rudd.MONIEC-A16FA513\Application Data\cmw
2009-07-28 04:35 . 2009-07-28 04:44 -------- d-----w- c:\program files\QuickTime
2009-07-27 22:59 . 2009-07-27 23:04 -------- d-----w- c:\program files\Picasa2
2009-07-27 22:27 . 2009-07-27 22:27 -------- d-----w- c:\program files\Western Digital
2009-07-27 22:07 . 2009-07-27 22:07 -------- d-----w- c:\documents and settings\Moniec Rudd.MONIEC-A16FA513\Local Settings\Application Data\temp
2009-07-27 22:03 . 2009-08-02 11:52 -------- d-----w- c:\program files\Common Files\eSellerate
2009-07-27 22:02 . 2009-07-27 22:21 -------- d-----w- c:\program files\Memeo
2009-07-27 21:34 . 2009-07-27 21:34 -------- d-----w- c:\program files\Western Digital Corporation
2009-07-13 21:22 . 2009-07-13 21:22 75048 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 16:08 . 2009-08-08 16:05 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-08-05 21:19 . 2008-10-25 06:42 -------- d-----w- c:\program files\CConnect
2009-08-05 18:02 . 2009-08-05 18:02 0 ----a-w- c:\windows\system32\10.tmp
2009-08-05 00:32 . 2009-08-08 15:32 19664395 ----a-w- c:\program files\PROCESSLIST.DB
2009-08-05 00:32 . 2009-08-08 15:32 1214114 ----a-w- c:\program files\PROCESSLISTRELATED.DB
2009-07-30 21:29 . 2008-10-28 00:49 -------- d-----w- c:\documents and settings\Moniec Rudd.MONIEC-A16FA513\Application Data\LimeWire
2009-07-29 23:56 . 2009-07-29 23:56 8192 --sha-w- c:\program files\Thumbs.db
2009-07-29 16:25 . 2008-10-25 18:30 -------- d-----w- c:\program files\Common Files\Apple
2009-07-28 04:34 . 2008-10-25 18:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2009-07-28 04:09 . 2008-10-26 15:54 -------- d-----w- c:\program files\Google
2009-07-28 02:26 . 2008-10-25 16:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-07-10 04:33 . 2008-10-25 16:48 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2009-07-10 04:26 . 2008-10-25 16:49 -------- d-----w- c:\program files\McAfee
2009-07-09 02:07 . 2009-07-09 02:07 152576 ----a-w- c:\documents and settings\Moniec Rudd.MONIEC-A16FA513\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-18 03:09 . 2009-06-18 03:09 390664 ----a-w- c:\documents and settings\Moniec Rudd.MONIEC-A16FA513\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 20:17 . 2008-10-25 16:33 68064 -c--a-w- c:\documents and settings\Moniec Rudd.MONIEC-A16FA513\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-29 20:36 . 2009-06-08 15:20 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-29 20:36 . 2008-10-25 18:31 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-21 02:04 . 2009-05-21 02:04 203776 ----a-w- c:\windows\system32\clrviddc.dll
2009-05-21 02:00 . 2008-10-26 17:03 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-05-21 01:57 . 2009-05-21 01:57 390664 -c--a-w- c:\documents and settings\Moniec Rudd.MONIEC-A16FA513\Application Data\Real\RealPlayer\setup\AU_setup6.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-08-06_21.53.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-09 05:55 . 2009-08-09 05:55 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-25 16:20 . 2009-08-09 05:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-10-25 16:20 . 2009-08-06 03:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-25 16:20 . 2009-08-09 05:55 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-10-25 16:20 . 2009-08-06 03:18 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-05 22:44 . 2009-01-05 22:44 53248 c:\windows\bdoscandel.exe
+ 2009-08-08 12:11 . 2009-08-08 12:11 86016 c:\windows\BDOSCAN8\librtvr.dll
+ 2009-08-08 12:11 . 2009-08-08 12:11 27136 c:\windows\BDOSCAN8\avxt.dll
+ 2009-08-08 12:11 . 2009-08-08 12:11 10240 c:\windows\BDOSCAN8\avxs.dll
+ 2009-08-08 12:11 . 2009-08-08 12:11 45056 c:\windows\BDOSCAN8\avxdisk.dll
+ 2009-01-05 22:44 . 2009-01-05 22:44 741376 c:\windows\Downloaded Program Files\ipsupd.dll
+ 2009-01-05 22:44 . 2009-01-05 22:44 741376 c:\windows\BDOSCAN8\ipsupd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2001-10-18 483394]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2001-11-07 1519616]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"SpIDerAgent"="c:\program files\DrWeb\SpIDerAgent.exe" [2009-06-01 447728]
"SpIDerMail"="c:\program files\DrWeb\spiderml.exe" [2009-07-01 644336]
"SpIDerNT"="c:\progra~1\DrWeb\spiderui.exe" [2009-04-16 251144]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-21 177472]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
CorrectConnect.lnk - c:\program files\CConnect\CConnect.exe [2008-10-24 114806]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [8/2/2009 2:27 PM 101496]
R0 si3114;si3114;c:\windows\system32\drivers\si3114.sys [6/30/2006 6:54 AM 54872]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [6/30/2006 6:54 AM 10112]
S2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);c:\program files\Common Files\Doctor Web\Scanning Engine\dwengine.exe [1/21/2009 4:09 PM 886072]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/26/2009 10:20 AM 210216]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [11/7/2008 12:38 PM 25824]
S2 SPIDER;SpIDer Guard File System Monitor;c:\progra~1\DrWeb\spider.sys [4/16/2009 10:40 AM 394184]
S2 SPIDERNT;SpIDer Guard for Windows;c:\progra~1\DrWeb\spidernt.exe [4/16/2009 10:40 AM 251144]

--- Other Services/Drivers In Memory ---

*Deregistered* - DwShield00007E61

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-08-02 c:\windows\Tasks\Dr.Web Daily scan.job
- c:\program files\DrWeb\DrWeb32w.exe [2009-07-01 03:57]

2009-08-08 c:\windows\Tasks\Dr.Web Update.job
- c:\program files\DrWeb\DrWebUpW.exe [2009-07-01 03:50]

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-25 18:53]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-25 18:53]

2009-07-29 c:\windows\Tasks\Norton PC Checkup WeekDay Scanner.job
- c:\program files\norton pc checkup\PC_Checkup.exe [2008-06-29 21:50]

2009-08-01 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\norton pc checkup\PC_Checkup.exe [2008-06-29 21:50]

2008-10-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-10-25 19:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = ;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
LSP: c:\program files\DrWeb\drwebsp.dll
Trusted Zone: chase.com\www
Trusted Zone: yahoo.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-08 23:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
tgcmd = "c:\program files\Support.com\bin\tgcmd.exe" /server?cmd.exe" /server

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-09 23:06
ComboFix-quarantined-files.txt 2009-08-09 06:05
ComboFix2.txt 2009-08-06 21:55

Pre-Run: 142,841,139,200 bytes free
Post-Run: 142,730,838,016 bytes free

186 --- E O F --- 2009-07-31 10:01
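Triaging a ComboFix report by eye means scanning the "Files Created" and "Find3M" columns for attribute and path oddities: hidden-plus-system files, zero-byte .tmp files in system32, GUID-named folders under Application Data, randomly named subfolders. The script below is an added example, not part of the log and not ComboFix's own code. It parses entries in ComboFix's `created . modified size attrs path` layout and applies a few triage heuristics to them. The sample lines are copied from the log above; the heuristic names, the regular expressions and the attribute-letter meanings (d = directory, s = system, h = hidden) are my own assumptions about the format, not anything the log or ComboFix states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: entry lines copied from the ComboFix log above, plus a section
# banner and separator so the parser has to skip non-entry lines.
SAMPLE_LOG = r"""
.
((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.
2009-08-08 16:05 . 2006-12-01 22:26 57856 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\winsxs\7z1v718o.6n8\mfcm80u.dll
2009-08-08 15:49 . 2009-08-08 15:49 6881824 ----a-w- c:\program files\SUPERAntiSpyware.exe
2009-08-06 15:22 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-02 19:36 . 2009-08-02 20:34 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-08 16:08 . 2009-08-08 16:05 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-08-05 18:02 . 2009-08-05 18:02 0 ----a-w- c:\windows\system32\10.tmp
2009-07-29 23:56 . 2009-07-29 23:56 8192 --sha-w- c:\program files\Thumbs.db
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
"""

# One file/directory entry: "<created> . <modified> <size|--------> <attrs> <path>".
# SnapShot diff lines ("+ ..." / "- ...") carry no attrs column and are skipped.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[dcshar\-w]{8}) (?P<path>.+)$"
)

# Heuristic: a {GUID}-named directory directly under Application Data (assumed pattern).
GUID_DIR_RE = re.compile(r"\\application data\\\{[0-9a-f-]{36}\}(\\|$)", re.I)
# Heuristic: a directory component like "7z1v718o.6n8" (letters and digits mixed,
# 8.3-style); assumed pattern for machine-generated names.
RANDOM_SEG_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}\.[a-z0-9]{3}$", re.I)
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]       # None when ComboFix prints "--------" (directories)
    attrs: str                # e.g. "-c--a-w-", "--sha-w-", "dc-h--w-"
    path: str
    flags: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


def parse_combofix(text: str) -> List[Entry]:
    """Return every file/directory entry found in a ComboFix-style listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # banners, "." separators, SnapShot lines, registry dump
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(entry: Entry) -> Entry:
    """Attach heuristic flags to one entry; flags are leads, not verdicts."""
    p = entry.path.lower()
    name = p.rsplit("\\", 1)[-1]
    if GUID_DIR_RE.search(p):
        entry.flags.append("guid_dir_in_appdata")
    if not entry.is_dir and "s" in entry.attrs and "h" in entry.attrs:
        entry.flags.append("hidden_system_file")
    if not entry.is_dir and name.endswith(".tmp") and p.startswith(WINDOWS_DIRS):
        entry.flags.append("tmp_in_windows")
    if any(RANDOM_SEG_RE.match(seg) for seg in p.split("\\")[:-1]):
        entry.flags.append("random_dir_name")
    return entry


def suspicious(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map path -> flags for every entry at least one heuristic fired on."""
    return {e.path: e.flags for e in map(triage, entries) if e.flags}


if __name__ == "__main__":
    for path, flags in suspicious(parse_combofix(SAMPLE_LOG)).items():
        print(", ".join(flags).ljust(40), path)
```

On the sample above the script flags four of the eight entries: the Thumbs.db hit is a plain Explorer thumbnail cache with the attributes Explorer gives it and is almost certainly benign, while the {GUID}\Windows\winsxs\7z1v718o.6n8 tree and the zero-byte 10.tmp in system32 are the entries a reviewer would look up (installer extraction folders use this shape too) before deciding anything. The point of the heuristics is to shorten the list a human reads, not to replace the reading.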