ComboFix 08-02-20.2 - brent 2008-02-20 14:48:12.10 - NTFSx86
Running from: C:\Documents and Settings\brent\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\brent\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\documents and settings\sheila\local settings\application data\aztgarlwpj.exe
C:\WINDOWS\qda.0xe
C:\WINDOWS\System32\dmdlgsg.dll
C:\WINDOWS\system32\du4pw24a8.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\qda.0xe
C:\WINDOWS\System32\dmdlgsg.dll . . . . failed to delete
C:\WINDOWS\system32\du4pw24a8.exe
C:\WINDOWS\System32\dmdlgsg.dll . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.
2008-02-17 22:46 . 2008-02-17 22:47 <DIR> d-------- C:\Program Files\PokerStars
2008-02-07 10:18 . 2008-02-07 10:18 <DIR> d-------- C:\Documents and Settings\B\Application Data\AdobeUM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 01:27 --------- d-----w C:\Program Files\EMBARQ Online Security
2008-02-18 03:40 --------- d-----w C:\Program Files\PokerStars.NET
2008-02-18 01:39 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-12 21:28 --------- d-----w C:\Program Files\Real
2008-02-02 23:02 --------- d-----w C:\Documents and Settings\B\Application Data\gtk-2.0
2008-01-11 11:43 --------- d-----w C:\Program Files\Unlocker
2007-12-31 22:09 --------- d-----w C:\Program Files\mIRC
2007-12-31 12:14 51,040 ----a-w C:\WINDOWS\system32\drivers\fsdfw.sys
2007-12-31 12:14 30,016 ----a-w C:\WINDOWS\system32\drivers\fsndis5.sys
2007-12-31 11:52 --------- d-----w C:\Documents and Settings\brent\Application Data\F-Secure
2007-12-31 11:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2007-12-31 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\fssg
2007-12-31 01:57 --------- d-----w C:\Program Files\XoftSpySE
2007-12-30 02:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-30 02:45 --------- d-----w C:\Documents and Settings\Administrator.HOME-H9I3MI4FZ6\Application Data\Grisoft
2007-12-20 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 04:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-12-20 00:25 --------- d-----w C:\Program Files\Lavasoft
2007-02-11 10:24 26,344,024 ----a-w C:\Program Files\VSP_1_0_231_1_trial30OEM_Release.exe
2005-03-17 12:38 9,258 ----a-w C:\WINDOWS\Fonts\cenobyte.zip
2005-03-10 11:33 56,520 ----a-w C:\WINDOWS\Fonts\Horrorfind_Fonts.zip
2005-01-10 08:48 1,025,312 ----a-w C:\Program Files\AOEPATCH.exe
2004-10-13 17:17 40,662 ----a-w C:\Program Files\readermain.htm
2007-03-25 00:00 10,240 --sha-w C:\WINDOWS\rnapxs\rnapxs.dat
2006-05-22 18:16 11,592 --sh--w C:\WINDOWS\system32\ospcont.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1E509D8-E961-47FE-B046-A19E672FE939}]
2002-09-03 11:31 83968 --a------ C:\WINDOWS\System32\dmdlgsg.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 15:41 438359]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-06-17 04:27 684032]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-09-03 11:44 145408]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 19:05 200704]
"F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2007-04-26 06:43 176177]
"F-Secure TNB"="C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" [2007-04-26 06:41 733184]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19 15872]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-17 02:31 282624]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2002-09-03 11:29 375808]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2007-03-24 18:10:05 217088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Update_0711_KB060653.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Update_0711_KB060653.exe
backup=C:\WINDOWS\pss\Update_0711_KB060653.exeCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-06-15 10:36 61440 C:\Program Files\instant messenger\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aztgarlwpj]
c:\documents and settings\sheila\local settings\application data\aztgarlwpj.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
--a------ 2003-12-08 14:51 733184 C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-17 02:31 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSLLR"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Windows System 32"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"MsaSvc"=2 (0x2)
"wlmsngr"=2 (0x2)
"SERVICE32"=2 (0x2)
"kq92"=2 (0x2)
"ipv7"=2 (0x2)
"sysmgr64"=2 (0x2)
"McSysmon"=2 (0x2)
"McShield"=2 (0x2)
"McRedirector"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"Emproxy"=3 (0x3)
"Navastc"=2 (0x2)
"Client IP-IPX"=2 (0x2)
"wuauservuploadmgr"=2 (0x2)
.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 13:59:31 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\EMBARQ~1\ANTI-V~1\fsav.exeZ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\EMBARQ~1\ANTI-V~1\report.txt
"2005-01-16 00:01:25 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-02-20 20:10:45 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-02-01 08:07:20 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-02-20 15:12:22
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Completion time: 2008-02-20 15:37:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 20:37:31
ComboFix2.txt 2008-02-20 06:21:24
ComboFix3.txt 2007-11-09 18:37:53
Here's the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:10 PM, on 2/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.myembarq.com/index.php
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F1E509D8-E961-47FE-B046-A19E672FE939} - C:\WINDOWS\System32\dmdlgsg.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) -
http://support.f-sec...m/ols/fscax.cab
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
--
End of file - 4860 bytes