ComboFix 08-03-07.4 - HP_Administrator 2008-03-08 17:51:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.859 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\dumphive.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\exit.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\GenericRenosFix.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\HostsChk.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\IEDFix.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\Process.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\Reboot.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\restart.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SmitfraudFix.cmd
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SmiUpdate.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SrchSTS.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\swreg.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\swsc.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\swxcacls.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\UIFix.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\unzip.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\VACFix.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\VCCLSID.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\WS2Fix.exe
C:\Program Files\Malwarebytes' Anti-Malware
C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_NPF
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.
2008-03-08 15:38 . 2008-03-08 15:38 3,272 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-08 14:28 . 2008-03-08 14:28 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-03-08 14:27 . 2008-03-08 14:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-08 13:59 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-08 13:22 . 2008-03-08 13:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-08 12:22 . 2008-03-08 12:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-08 09:31 . 2008-03-08 09:31 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2008-03-05 21:23 . 2008-03-05 21:34 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-03-05 21:19 . 2008-03-05 21:19 <DIR> d-------- C:\WINDOWS\system32\FxsTmp
2008-03-05 21:13 . 2008-03-05 21:13 35,328 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-05 19:57 . 2004-04-22 10:07 11,452 --a------ C:\WINDOWS\system32\mypixdx.chm
2008-03-05 19:56 . 2004-08-10 06:00 1,361 --a------ C:\WINDOWS\system32\fxscount.h
2008-03-02 19:17 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-02 19:17 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-02 19:17 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-02 19:17 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-02 19:17 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-02 19:17 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-02 11:34 . 2008-03-07 14:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 11:34 . 2008-03-02 11:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-01 16:26 . 2008-03-01 16:26 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Uniblue
2008-02-29 18:29 . 2008-02-29 18:29 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-02-29 18:29 . 2008-02-29 18:29 917,504 --a------ C:\WINDOWS\system32\FLASH.OCX
2008-02-28 20:53 . 2008-02-28 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-28 20:53 . 2008-02-28 20:49 218,504 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-02-28 20:29 . 2008-02-28 20:53 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-02-28 19:33 . 2008-02-28 19:33 18,557 --a------ C:\WINDOWS\ygocifytus.ban
2008-02-28 19:33 . 2008-02-28 19:33 18,355 --a------ C:\WINDOWS\system32\asaf.dl
2008-02-28 19:33 . 2008-02-28 19:33 15,531 --a------ C:\WINDOWS\system32\tyhyfur._dl
2008-02-28 19:33 . 2008-02-28 19:33 13,230 --a------ C:\WINDOWS\system32\nisez._sy
2008-02-28 19:33 . 2008-02-28 19:33 10,448 --a------ C:\WINDOWS\system32\cebezo.ban
2008-02-28 19:27 . 2008-03-08 17:55 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-28 19:27 . 2008-02-28 19:27 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\PC Tools
2008-02-28 19:27 . 2008-03-08 17:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-28 19:27 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-28 19:27 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-28 19:27 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-28 19:27 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-28 18:45 . 2008-02-28 18:45 19,085 --a------ C:\WINDOWS\system32\ofus.dl
2008-02-28 18:45 . 2008-02-28 18:45 18,771 --a------ C:\WINDOWS\zykawa._sy
2008-02-28 18:45 . 2008-02-28 18:45 16,192 --a------ C:\WINDOWS\ikukimiqav.ban
2008-02-28 18:45 . 2008-02-28 18:45 12,735 --a------ C:\WINDOWS\pipugazoti.inf
2008-02-28 18:41 . 2008-02-28 18:42 22 --a------ C:\WINDOWS\system32\ntvdm.zip
2008-02-22 20:59 . 2008-03-04 14:20 <DIR> d-------- C:\Program Files\QuickTime
2008-02-10 08:54 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-10 08:54 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-10 08:54 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-09 15:54 . 2008-02-09 15:58 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 16:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-07 23:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-01 14:22 --------- d-----w C:\Program Files\PokerStars
2008-02-23 03:01 --------- d-----w C:\Program Files\iTunes
2008-02-23 03:01 --------- d-----w C:\Program Files\iPod
2008-02-17 01:04 --------- d-----w C:\Program Files\Real
2008-02-11 04:51 --------- d-----w C:\Program Files\Incomplete
2008-02-09 14:00 --------- d--h--w C:\Documents and Settings\HP_Administrator\Application Data\Move Networks
2008-02-01 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-16 20:48 --------- d-----w C:\Program Files\Common Files\Nikon
2008-01-16 20:48 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Nikon
2008-01-15 15:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 11:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-13 00:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-11-18 05:59 332 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"RECGUARD"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 00:14 237568]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44 61440]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 01:50 221184]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 10:04 52736]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 01:19 77312 C:\WINDOWS\arpwrmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-27 03:14 36975]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 01:50 81920]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 20:52 49152]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-14 06:05 344064]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-10 18:30 180269]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-10 18:50:28 36903]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-09 21:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2006-09-05 19:22 26248 C:\Program Files\Norton Internet Security\osCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-02-28 20:49]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 02:34:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-18 21:46:24 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2008-03-01 02:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 17:56:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\eHome\ehRec.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-03-08 18:00:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-09 00:00:02
.
2008-03-08 23:01:48 --- E O F ---