ComboFix 10-03-13.01 - HP_Administrator 03/13/2010 16:26:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1445 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\HP_Administrator\Local Settings\Application Data\av.exe
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\1b752.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\bNm61mny.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\Jajmyymx.jpg
c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\XKYObby5k.jpg
c:\windows\Downloaded Program Files\poPCaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
.
((((((((((((((((((((((((( Files Created from 2010-02-13 to 2010-03-13 )))))))))))))))))))))))))))))))
.
2010-03-13 22:08 . 2010-03-13 22:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-13 22:03 . 2009-11-10 16:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-13 22:03 . 2009-11-10 16:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-13 22:03 . 2009-10-28 07:36 1152444 ----a-w- c:\windows\UDB.zip
2010-03-13 22:03 . 2008-11-26 18:08 131 ----a-w- c:\windows\IDB.zip
2010-03-13 22:03 . 2009-11-10 16:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-13 22:03 . 2009-11-10 16:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-03-13 22:03 . 2010-02-05 15:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-13 22:03 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-13 22:03 . 2009-09-23 22:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-13 22:03 . 2010-03-13 22:05 -------- d-----w- c:\program files\Spyware Doctor
2010-03-13 22:03 . 2010-03-13 22:05 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-11 02:55 . 2010-03-11 02:55 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\CyberLink
2010-03-11 02:55 . 2010-03-11 02:55 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\DVDPlay
2010-03-11 02:54 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-11 02:53 . 2010-03-11 02:54 3532 ----a-w- C:\drmHeader.bin
2010-03-04 16:59 . 2010-03-04 16:59 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Nancy Drew
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-13 22:53 . 2008-07-26 00:55 73504 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-13 22:49 . 2008-07-26 00:55 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-03-13 22:10 . 2007-08-03 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-13 22:04 . 2008-07-26 00:55 4458016 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-03-13 15:49 . 2008-07-26 00:55 420500 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-03-12 15:21 . 2009-08-07 21:18 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-03-04 12:39 . 2007-11-06 16:45 6712 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-23 03:59 . 2009-04-27 02:31 -------- d-----w- c:\program files\Paint Shop Pro 5
2010-02-14 05:06 . 2009-02-28 02:05 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype
2010-02-13 19:12 . 2008-05-25 21:58 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM
2010-02-11 17:40 . 2009-01-25 02:25 -------- d-----w- c:\program files\Nancy Drew
2010-01-05 10:00 . 2004-08-10 04:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 04:00 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 04:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-10 04:00 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-23 21:00 . 2009-12-23 21:00 85072 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-16 18:43 . 2004-08-10 04:00 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 04:00 33280 ------w- c:\windows\system32\csrsrv.dll
2009-01-15 21:03 . 2009-01-15 21:03 9317082 ----a-w- c:\program files\Microsoft_Office_Word_2007[1].part3.rar
2009-01-15 20:37 . 2009-01-15 20:37 104857600 ----a-w- c:\program files\Microsoft_Office_Word_2007[1].part2.rar
2009-01-15 19:21 . 2009-01-15 19:21 104857600 ----a-w- c:\program files\Microsoft_Office_Word_2007[1].part1.rar
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HbDetect.exe"="c:\program files\Playskool\MADE FOR ME Software\HbDetect.exe" [2006-10-26 65536]
"Google Update"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-28 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 1116920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-21 180269]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Photo Card Maker 2.0\ReminderApp.exe" [2008-10-07 180224]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 218376]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Roxio\\Audio Master 9\\MusicDiscCreator9.exe"=
"c:\\Program Files\\Common Files\\Sonic Shared\\RoxioUPnPRenderer9.exe"=
"c:\\Documents and Settings\\HP_Administrator\\My Documents\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/13/2010 4:03 PM 207280]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [3/13/2010 4:03 PM 112592]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/4/2007 1:58 PM 24344]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [10/3/2008 9:06 PM 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [10/3/2008 9:06 PM 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [10/3/2008 9:06 PM 23680]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [7/21/2006 12:40 AM 468768]
.
Contents of the 'Scheduled Tasks' folder

2010-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-03-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-579747380-1966315919-2149699712-1007Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-28 21:13]

2010-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-579747380-1966315919-2149699712-1007UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-28 21:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-13 16:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1224)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1280)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll

- - - - - - - > 'explorer.exe'(892)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll
c:\windows\system32\msi.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\hp\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
.
**************************************************************************
.
Completion time: 2010-03-13 17:07:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-13 23:07

Pre-Run: 92,093,280,256 bytes free
Post-Run: 98,335,961,088 bytes free

- - End Of File - - 809CA88CC2E43C30F04A092B40549CEB
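The items in this log that a responder would look at first are the ones that describe the host's own defences rather than any single file: the header reports Kaspersky's on-access scanning and firewall as disabled, the Security Center keys carry AntiVirusOverride=1, FirewallOverride=1 and DisableMonitoring=1 for the Kaspersky entry (those values suppress Windows Security Center's "no antivirus / no firewall" alerts), an executable named av.exe was deleted from the user's Local Settings\Application Data (a user-writable location where installed security software does not normally live), and an orphaned HKLM Run value was removed. The log does not say what wrote av.exe or who set the overrides, so the script below only flags them for review. It is an added example, not part of the original log or of ComboFix; it parses a constructed excerpt of the log above (the section banners, `[key]` headers and `"name"="value"` lines follow ComboFix's own layout) and returns the findings as (category, detail) pairs so that the same routine can be run over any saved ComboFix.txt.

```python
import re

# Constructed excerpt of the ComboFix log above. Only the lines this audit
# inspects are kept so that the script runs stand-alone and offline.
SAMPLE_LOG = r"""ComboFix 10-03-13.01 - HP_Administrator 03/13/2010 16:26:57.1.2 - x86
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\HP_Administrator\Local Settings\Application Data\av.exe
c:\windows\Downloaded Program Files\poPCaploader.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HbDetect.exe"="c:\program files\Playskool\MADE FOR ME Software\HbDetect.exe" [2006-10-26 65536]
"Google Update"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-28 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 218376]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")          # ((( Section Name )))
KEY_RE = re.compile(r"^\[(.+)\]$")                         # [HKEY_...\Run]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[.*\])?$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
DISABLED_RE = re.compile(r"^(AV|FW): .*\*[^*]*disabled\*", re.I)
# Anything under a per-user profile is writable without admin rights.
USER_PROFILE_RE = re.compile(r"\\documents and settings\\[^\\]+\\", re.I)


def audit_combofix(text):
    """Return a list of (category, detail) findings for one ComboFix log."""
    findings = []
    section, key = "header", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:                                   # new banner: reset registry context
            section, key = m.group(1), None
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            section, key = "orphans", None
            continue
        m = KEY_RE.match(line)
        if m:                                   # registry key header for the values below
            key = m.group(1)
            continue
        klower = (key or "").lower()
        if section == "header" and DISABLED_RE.match(line):
            findings.append(("product_disabled", line))
        elif (section == "Other Deletions"
              and line.lower().endswith((".exe", ".dll", ".sys"))
              and USER_PROFILE_RE.search(line)):
            findings.append(("user_profile_binary_removed", line))
        elif klower.endswith("\\security center"):
            m = DWORD_RE.match(line)
            if m and m.group(1).endswith("Override") and int(m.group(2), 16) == 1:
                findings.append(("wsc_override", m.group(1)))
        elif "\\security center\\monitoring\\" in klower:
            m = DWORD_RE.match(line)
            if m and m.group(1) == "DisableMonitoring" and int(m.group(2), 16) == 1:
                findings.append(("wsc_monitoring_disabled", key.rsplit("\\", 1)[-1]))
        elif klower.endswith("\\currentversion\\run"):
            m = RUN_VALUE_RE.match(line)
            if m and USER_PROFILE_RE.search(m.group(2)):
                findings.append(("user_profile_autorun", f"{m.group(1)} -> {m.group(2)}"))
        elif section == "orphans" and line.endswith("(no file)"):
            findings.append(("orphan_autorun", line))
    return findings


if __name__ == "__main__":
    for category, detail in audit_combofix(SAMPLE_LOG):
        print(f"{category:28s} {detail}")
```

A per-user Run entry is not malicious by itself (GoogleUpdate.exe in the log above is a normal Google installation), which is why the script reports categories rather than verdicts; the point of the user-profile checks is that those paths can be written without administrative rights, so they are where a reviewer should spend time. Startup-folder .lnk entries and the firewall AuthorizedApplications list are left untouched by this pass.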